Is your Organization SAFE?

Transcription

1 Is your Organization SAFE?

2 About Enterprise Risk Management (ERM)

3 About The Presenter Mike Sanchez, Senior Vice President at ERM Captain, USMC (Ret.) COBIT 5 Certified Possesses over 20 years of experience in IT Security, Payment Card Industry, and Business Development. CYBER SECURITY REGULATORY COMPLIANCE DIGITAL FORENSICS Helped senior management, business owners, and key stakeholders decipher the 10,000 foot view of information security. Former Executive Vice President at Transworld Payment Solutions, Inc.; global payment processing provider Former Vice President of Emerging Technologies for Visa International Part of the team which developed and launched Visa (LAC) emerging technology platforms related to electronic payment processing.

4 2014 Enterprise Risk Management, Inc. Objectives

5 the numbers don t lie 2014 Enterprise Risk Management, Inc.

6 2014 Enterprise Risk Management, Inc. Source:

7 2014 Enterprise Risk Management, Inc. Source:

8 2014 Enterprise Risk Management, Inc. Source:

9 2014 Enterprise Risk Management, Inc. Source:

10 Have you asked Yourself? 1 How safe is my Organization from cyber attacks? 2 What s the potential impact to my organization? 3 What can I do about it? 2014 Enterprise Risk Management, Inc.

11 Have you asked Yourself? 1 How safe is my Organization from cyber attacks? 2 What s the potential impact to my organization? 3 What can I do about it? 2014 Enterprise Risk Management, Inc.

12 No business is immune from a data breach. It s a global problem! 2014 Enterprise Risk Management, Inc.

13 Security is a boardroom issue Enterprise Risk Management, Inc. A large number of CEOs, Board Members and other executives don t understand how breaches happen or how to respond.

14 2014 Enterprise Risk Management, Inc. Many executives don t understand their organization s information data flow or if and/or how its being protected.

15 2014 Enterprise Risk Management, Inc. threats can come in all sorts of shapes and sizes

16 Insider misuse lead to inadvertent data leakage and breaches. Accounts for about 10% of all breaches 2014 Enterprise Risk Management, Inc. 70% of the security incidents that cost enterprises money involve insiders

17 The threat is not only technical. Your own employees might be leaving the keys in the door Enterprise Risk Management, Inc.

18 BYOD Bring Your Own Device trends opens new security risks for enterprise Nearly ¾ of employees upload work files to personal Enterprise Risk Management, Inc.

19 Senior Managers are worst information security offenders Accidently send information to wrong person Take files with them after leaving a job Upload work files to personal or cloud account

20 IT takes about 33 days for a company to detect or know its been breach Enterprise Risk Management, Inc.

21 2014 Enterprise Risk Management, Inc. Some can take as long as a year to be discovered.

22 Being Compliant doesn t mean your data is secure 2014 Enterprise Risk Management, Inc.

23 Not investing in security up front will cost you dearly later Cost Records Values in Millions $1.48 $2.40 $4.62 $6.64 $5.50 Sony (2011)A CardSystems 2005 Sony (2011)B TJX (2007) Target (2013) Leaked Records and Cost in Millions

24 With cyber crimes, size really doesn t matter Enterprise Risk Management, Inc. Smaller companies are more vulnerable and attractive to attacks

25 Determined and successful attack efforts continue on the rise with different motivational factors: Steal intellectual property Disruption of services Exploitation of information security through partners, and subsidiaries Ransom 2014 Enterprise Risk Management, Inc.

26 1 How safe is my Organization from cyber attacks? 2 What s the potential impact to my organization? 3 What can I do about it?

27 One single and successful breach can have a qualitative and quantitative impact to your organization Qualitative impact includes: destroy a company s reputation (Remember ValuJet?) lead to material loss of productivity loss of market share bankruptcy lawsuits from customers or business partners potential loss of life (safety critical systems) can cost you your job! 2014 Enterprise Risk Management, Inc.

28 The average annualized cost of cyber crimes in the US is $5.85 million per company, per year. 15% increase from 2013 Globally, the average cost paid for each stolen record is $145. Significantly higher for US companies ($201 per record) 10,000 Customer Records Cost paid per record Total possible cost 10,000 X $ = $2,010,000 Quantitative impact: 2014 Enterprise Risk Management, Inc.

29 Quantitative impact: Data breach costs vary between industries $400 $350 $300 $250 $200 $150 $100 $50 $0 $359 $294 $227 $206 $155 $141 $100 Healthcare Education Pharma Financial Consumer Energy Public Includes direct costs: engaging forensic experts, outsourcing hotline support, free credit monitoring subscriptions and discounts for products and services. Indirect Costs: in-house investigations, customer loss from turnover or diminished customer acquisition rates.

30 Quantitative impact: and by type of data breach Human Error Careless Users $117 29% $159 40% Malicious Attack Website hacking Social Engineering Criminal Insiders Malware infections $126 31% System Glitches Includes direct costs: engaging forensic experts, outsourcing hotline support, free credit monitoring subscriptions and discounts for products and services. Indirect Costs: in-house investigations, customer loss from turnover or diminished customer acquisition rates.

31 1 How safe is my Organization from cyber attacks? 2 What s the potential impact to my organization? 3 What can I do about it?

32 Safeguarding your organization s data is entirely your responsibility.

33 Governance is critical Its your responsibility to make sure its correctly deployed, implemented and enforced Enterprise Risk Management, Inc.

34 X X X Governance is critical If not. Might as well plan on FAILING X X X 2014 Enterprise Risk Management, Inc.

35 so what's next? Review your current information risk governance polices. Make sure you have it, its followed and not used as a coaster Enterprise Risk Management, Inc.

36 X When was our information reviewed and updated? X Does the board have a copy? X Who is responsible for delivering it and validating its implementation? ask questions!!! 2014 Enterprise Risk Management, Inc.

37 Risk Management Framework IDENTIFY Asset Management Governance Risk Assessment Risk Management PROTECT Access Control Strong Awareness Training Understand Data Flow Information Protection Protective Technology DETECT Anomalies and Events Continuous Monitoring Detection Processes RESPOND Response Planning Communications Plan Analysis Improvements RECOVER Recovery Planning Improvements Communications

38 IDENTIFY Asset Management Governance Risk Assessment Risk Management To do TODAY! Ensure your company I.T. Governance policies exist and are current. Verify all key stakeholders members know about it Enterprise Risk Management, Inc.

39 PROTECT Access Control Strong Awareness Training Understand Data Flow Information Protection Protective Technology Know how your data flows. Understand where it flows from and to and how it s protected. Check for vulnerabilities and data leakage. Polices exist current and follow governance. Seek insurance policies to help the risk.

40 DETECT Anomalies and Events Continuous Monitoring Detection Processes Detection for anomalies are in place. Real word testing is performed periodically.

41 RESPOND Response Planning Communications Plan Analysis Improvements Review action plans associated with the event of a breach. Are skilled personnel on hand in the event of a breach?

42 RECOVER Recovery Planning Improvements Communications Establish a recovery plan to implement after a breach Prepare communication of recovery to internal and external parties affected.

43 Sound like too much? How much is your reputation worth?

44 put the pieces together let ERM help you

45 Your go to advisors for all matters in information security. 800 S Douglas Road #940 Coral Gables, FL Phone: info@emrisk.com Mike Sanchez msanchez@emrisk.com