Protecting Your Company From A Cyber Breach Proactive Steps to Minimize Breach Risks & Impact...

Protecting Your Company From A Cyber Breach

Proactive Steps to Minimize Breach Risks & ImpactOctober 30, 2015

Presented By

© 2015 Fredrikson & Byron, P.A.

Rebecca Perry, CIPP US/GJordan [email protected]

Ann LaddFredrikson & Byron [email protected]

Sten-Erik HoidalFredrikson & Byron [email protected]

Overview- Elements of a Cyber Security Program


– Identify– Protect (policies, vendors, training,

practices, insurance) – Detect– Respond– Recover

Identify


• Assets• Business Environment• Laws/Regulations/Contractual Obligations• Use Good Information Governance

Locate your data.Delete what you don’t need.Improve policies and training.


What’s Your Biggest Exposure?

# 3 Paper

# 1 Employee Negligence

# 2 Hacking

Third party outsourcing of data 34 %

Migration to new mobile platforms 56 %

Temporary worker or contractor errors 59 %

Not knowing where sensitive or confidential data is 64 %

What Keeps CIOs Up at Night?

N=1587, Source: Ponemon Research, May 2014

BUSINESSPROCESSE

SBUSINESS

PROCESSES

RECORDSINVENTORY

WHAT

WHERE

BUSINESSPROCESSES

RETENTION

SENSITIVITY

The Cornerstone

https://www.ftc.gov/system/files/documents/plain-language/bus69-protecting-personal-information-guide-business_0.pdf

Accident/Incident RecordsAdvertising Records Benefit RecordsBudget RecordsContracts & AgreementsCredit ApprovalsCustomer OrdersCustomer Payment RecordsEmployee Medical FilesEngineering RecordsMarketing RecordsResearch & DevelopmentSales Receipts

Engage The Business

101010001110010100110 1 1 0 1 0 0 1 0 0 1 0 1 10 1 0 0 1 1 01 0 0 1 1 0 11 0 00 1 0 0 1

Understand Business Practices

BUSINESS NEEDS

DOL

OSHA

SEC

GLBA

HIPAA

PCI

State Privacy

Laws

REQUIREMEN

TSCorporate

Sensitive

Customer Data

Intellectual

Property

PII

Bio Metric

Patient Health

Info.

Personal Financial

Sensitive EU

SENSITIVIT

Y

Identify Requirements

Benefit Enrollment & Participation

Distribution Centers HR - Benefits

HR – Canada HR – Compensation Store Operations HR - Regional

Health Information

Beneficiary #FMLADates of ServicePatient NamePatient Address

National ID Card #Partial Social Security #Social Security #

GovernmentID’s

Employment IDEmployment StatusHandicapped StatusMedical Conditions

Employee Information

AgeNameEmail AddressMarriage StatusPhysical AddressTelephone #

Personal Information

Insurance InformationRetirement Account

Financial Information

Corp - Legal ActionsEU - Health Status

Other

Applications3rd Party, Cognos , Microsoft Outlook, Microsoft SharePoint, PDF

Box Warehouse, Department File Cabinet, Secure File Cabinet

CDDVD, Laptops, Shared Drives

Email

Paper

Unstructured

Archive, Desktop Hard Drive, Email Inbox, Laptops, Printed Hard Copies, Shared Drives

Best Practice Retention: 6 Years after superseded 29 USC 1027

Reporting Findings & Risks to Senior Management

60,995Data Points

122Area

Representatives

17Subject Matter Experts

110Departments

5Countries

Case Study

45 Days

Lack of Critical Policy Awareness

59%Awar

e

41%Not

Aware

Information Se-curity Policy

Only 44% Trained

69%Aware

31%Not

Aware

Records Retention Policy37%

Never Dispose of Records

3,128VERSIONS ACROSS MEDIA[Paper, Email, File Shares, Applications]

Redundancy Creates Risk

1,302DEPARTMENT

VERSIONS

274UNIQUE

RECORD TYPES

47% TAGGED WITH PERSONAL INFORMATION

6% Forward to Personal Email

20% Save to Flash Drives or DVDs84% Save to Laptops or Tablets

18% Save to Cloud Storage

Over Retention Is a Substantial Cause of Risk to Sensitive

Information

71% Re-tained Longer

Shorter

InLine

NoBP

Current RetentionCompared to Best Practice

48% Tagged with Sensitive Information

Email

20% ANNUAL GROWTH RATE

CENTRAL ARCHIVE RETAINED INDEFINITELY

USERS CREATING PERSONAL ARCHIVES

Forward to Personal E...

Flash Drives

Content Management ...

Printed Hard Copies

Archive (PST, NSF)

Shared Drives

7%

17%

26%

62%

62%

68%

EMAIL STORAGE LOCATIONS

Electronic Information on File Shares

20,000 GIGABYTES

50% ANNUAL GROWTH RATE

ACTIVE ENVIRONMENT

PII ON SHARED DRIVES (2+ ELEMENTS IDENTIFIED) 59 AREAS

206 RECORD TYPE PROFILES

[Word Documents, Power Points, PDFs, Excel Spreadsheets, Images, etc.]

0.5 Less Than

3 Years Old

0.33 to

5 Years Old

0.2Older Than

5 Years

50% of Information on File Shareswas Created in Last 3 Years

Protect


• Technical • Physical• Administrative -Training, Vendor

Management, Policies, Insurance

Technical and Physical Security “Quick Hits”

• Secure shredding• Wiping equipment

• Encryption• Patching• Good passwords

© 20__ Fredrikson & Byron, P.A.

http://www.sans.org/critical-security-controlshttp://www.sifma.org/issues/operations-and-technology/cybersecurity/guidance-for-small-firms/

Awareness and Training


Example topics• Reasons, Risks, What is protected, and Why• Overview of internal policies• Highlight important areas of concern depending on your

needs:– Physical security (space, documents, devices)– Passwords and good log-in practices– Internet tips/avoiding phishing and other scams– Sending protected information (email practices, etc.)– Storing protected information-special security– Incident response – what to do if you suspect a problem

Some examples- training doesn’t have to be boring.


Can you guess this guys’ password?

Vendor Management—


• Diligence- see example questions• Contractual protections

– Require safeguards- consider third party certifications– Control downstream transfers (sub contractors, hosts)– Timely reports of /defined controls on response to incidents– Termination rights– Indemnification/Insurance – Disaster recovery/contingencies

• Audit Rights

Protect – Ensure The Right Policies Are In Place


• Overall Security and Privacy Policy – High Level

• Acceptable Use

• BYOD / Mobile Device / Lost Device

• Security Practices

Detect – Review Data Breach Detection Capabilities


• Data loss prevention technologies

• IT Security Consultant/intrusion testing

• Understand baseline IT security operations

• Monitoring of information systems, device usage, and personnel

Respond


Respond – Prepare in Advance!


Respond – Develop, Practice, and Follow A Data Breach Response Plan


• Written document(s) outlining the company’s strategy for evaluating and responding to potential data breaches.

• Customized to the company’s processes, structure, and goals.

• Tailored to the types of PII or sensitive information the company has access to.

Respond – Key Components For A Data Breach Response Plan


1. Identify response team and outline roles and responsibilities.

2. List strategic partners and explain process for determining whether they need to be involved.

3. Diagram system, data flow, and infrastructure.

Respond – Key Components (cont.)


4. Outline strategy for identifying a breach, ascertaining its scope, and containing the breach.

5. Explain process for analyzing legal implications of breach.

6. Outline how notice will be provided to potentially injured parties (if necessary).

Respond – Response Plan (cont.)


7. Develop and outline an internal communications strategy.

8. Develop and outline and external communications strategy.

9. Describe process for deciding whether to provide assistance (e.g., credit or fraud monitoring) to injured parties.

Respond – Other Considerations


• Provide to insurer for feedback.

• Train, train, train….

• Follow it!

Recover


• Self Assessment – Review and analyze the company’s response to determine areas for improvement. Revise incident response plan accordingly.

• Recovery Planning – Develop a strategy to get the company’s systems back on line in the event of a breach.

Questions?


Protecting Your Company From A Cyber Breach Proactive Steps to Minimize Breach Risks & Impact...

Documents

Transcript of Protecting Your Company From A Cyber Breach Proactive Steps to Minimize Breach Risks & Impact...