A PM’s Guide to Surviving A Data Breach

Page 1: A PM’s Guide to Surviving A Data Breach. Compliance: PCI QSA and PCI Gap Analysis FISMA HIPAA SSAE 16 GLBA, Red Flags Response Incident Response and Disaster

A PM’s Guide to Surviving A Data Breach

Page 2:

We Are Cyber Risk Managers

• Compliance:
  • PCI QSA and PCI Gap Analysis
  • FISMA
  • HIPAA
  • SSAE 16
  • GLBA, Red Flags
• Response:
  • Incident Response and Disaster Recovery
  • Electronic Litigation Support and Forensic Recovery
  • Penetration Testing
  • Business Continuity Planning
  • Network Architecture Design
  • Crisis Communications
• Insurance and Liability Planning

Page 3:

The first rule of survival:

Don’t Cross the Street Blindfolded

Page 4:

In cyberspace, you have to be right 100% of the time. A hacker only has to be right ONCE.

Page 5:

How does it happen?

• User Credentials
• Phishing
• User Errors
• Malware
• Misuse
• Unpatched Systems
• Web App Attacks

Page 6:

Companies spend money on the wrong things.

Page 7:

Security spend vs. losses: physical vs. cyber

                    Spend (% of revenue*)   Global losses (2013**)
Physical security   2%                      $112 Billion (physical theft)
Cybersecurity       0.4%                    $300 Billion (cyber attacks)

* Businesses with $10M - $100M in revenue (Bloomberg)
** 2013 (Ponemon Institute)

Page 8:

Consider…

• US credit card fraud in 2013 equaled $7.1B
• The entire rest of the world totaled $6.8B
• 71% of cyber attacks happen to businesses with fewer than 100 employees
• The forecasted average loss for a breach of 1,000 records is between $52,000 and $87,000
• 60% of SMBs that experience a data breach are out of business within 6 months
• Extremely effective hacking tools are cheap or free, and are easy to obtain and use
• Social engineering and employee error are the most common causes of a breach, followed by application vulnerabilities

Page 9:

Technology does not equal security...

Page 10:

Defense-In-Depth: Technology

• 99% of exploited vulnerabilities had an available patch
• More than half of vulnerabilities have an exploit available within 30 days
• 70-90% of malware is unique to an organization

Page 11:

…neither does compliance.

Page 12:

Page 13:

We trade convenience for security every day.

Page 14:

Commonly Stolen:
• Personal Information
• Credit Information
• Medical Records
• Intellectual Property
• Customer/Partner Data
• Network Credentials
• Email Addresses/Passwords

Convenient:
• Online Banking
• E-Commerce
• Medical Portals
• Cloud Storage/Access Anywhere
• Vendor Access
• Remote Management
• Single Sign-On Across Platforms

Page 15:

The second rule of survival:

Diamonds vs. Toothbrush

Page 16:

Risk Mitigation: Pre-Planning

• Identify critical information and map it
• Determine data retention requirements
• Know compliance and legal requirements
• Identify vendors
• Conduct a risk analysis
• Determine your threshold
• Identify gaps

Page 17:

What’s Most Important?

• Banking Credentials
• Cloud Storage
• Vendor Access
• Remote Management
• Employee PII
• Credit Information
• Medical Records
• Social Media Presence
• Intellectual Property
• Customer Data
• Supply Chain Data
• Network Credentials
• Email Addresses
• Legal Data
• Financial Records
• Payroll and Accounting Data

Page 18:

The third rule of survival:

Don’t Go to Costco the Day of the Storm

Page 19:

Risk Mitigation: Response

• Breach response begins before a breach
• IR planning is critical
• Know your networks and devices
• Train employees to recognize and respond
• Success is measured in hours

Page 20:

Risk Mitigation: Response

• Your team:
  • Legal Counsel
  • Network and Security Administrators
  • Insurance Agents
  • PR/Crisis Communications
  • Forensics and Recovery
  • Decision Makers (CIO, COO, CEO)
  • HR
  • Breach Resolution Service

Page 21:

Risk Mitigation: Compliance

• Guidelines and standards for protecting critical information
• Most standards allow flexibility based on risk
• Prioritizes spending and drives response criteria
• May require technology solutions
• Best defense against fines, fees, litigation
• Compliance does NOT make a company bulletproof

Page 22:

Risk Mitigation: Insurance

• The policy must meet the needs of the business
• Forensics, legal, PR, notification and lost revenue are all insurable events with the right policy
• More information is better when calculating need
• Watch for exclusions
• Catastrophic protection vs. Cyber HMO

Page 23:

The fourth rule of survival: Exercise is good for you.

Page 24:

Risk Mitigation: Exercise

• Training, training, training
• Tabletop or Simulation
• Walk-through responsibility
• Evaluate for currency
• Allow enough time
• Debrief
• Repeat at least annually

Page 25:

The fifth rule of survival:

It’s best to solve the problem with the simplest method.

Page 26:

Data Breach: When it’s not a drill

• Remove affected devices from the network, but don’t power them off (shutting down destroys volatile evidence such as memory contents)
• Call your lawyer
• Activate the IRP
• Interview and document
• Determine the extent of the breach
• Engage your forensic team
• Identify legal obligations
• Manage communications
• Remediate and recover

Page 27:

Final Thoughts:

• By 2020, the global cyber security market is expected to grow to more than $140 billion
• It isn’t possible to manage risk through technology and hardware alone
• Cyber is a component of risk management
• Vendors are an important part of cyber risk
• People make mistakes
• Companies must re-think insurance, compliance, liability, and training to include cyber

www.sera-brynn.com | [email protected] | 757-243-1257

Page 28:

“There are two kinds of companies in America: those who’ve been breached and those who don’t know they’ve been breached.”

FBI Director James Comey

Page 29:

Helping Your Company or Client:

Ask them simple questions about compliance and risk management…

• Have you thought about what you would do in a data breach situation?
• What critical information do you have?
• Is your legal team ready to handle your data breach?
• Do you know if you are compliant?
• Does your cyber insurance product meet your needs?

Page 30:

Protect Yourself:

• Take personal responsibility
• Consider a credit freeze if you’ve been breached
• Secure your home network; use separate networks for sensitive information
• Back up your data
• Avoid coffee shop Wi-Fi
• Evaluate the convenience vs. privacy tradeoff
• Vary your passwords

Page 31:

Heather [email protected]

Questions?