DATA BREACH BREAK DOWN LESSONS LEARNED FROM TARGET

Transcription

1 DATA BREACH BREAK DOWN LESSONS LEARNED FROM TARGET 2014 NSGA Management Conference John Webb Jr., CIC Emery & Webb, Inc. Inga Goddijn, CIPP/US Risk Based Security, Inc.

2 Not just a big business problem Cyber Liability comes from various sources Sources that almost every business has Employees Websites Laptops

3 Sources of Liability Employees making data handling errors such as sending s to wrong person or s with defamatory statements Websites and Social Media platforms where ideas and comments can be posted Websites using unauthorized images, music or documents

4 More Sources of Liability Your business computer system can be used to transmit a virus or attack to other computer systems Your computer system can be made inoperable due to bad programming or malicious activity. This equals costly downtime and data restoration costs

5 Yes, even more sources of Liability The data in your computer system is valuable, very valuable Credit and debit card information flowing between your Point of Sale system and the processor Customer information such as name, address, bank account numbers, etc And it can be threatened as easy as a lost or stolen laptop or thumb drive

6 How valuable is my data? Your data is valuable enough that laws have been written to protect it Data breach notification laws have real costs associated with them even if there is no harm proven or damage to the other party The simple fact that a data breach happened will cause real costs to your business

7 What kind of costs? Notification Expense Credit Monitoring or Identity Repair Forensic Investigations Public Relations Assistance Data Restoration Business Interruption Lawsuits and governmental investigations

8 Examples of Real Cost Notification: $1 - $2 per person Credit monitoring subscriptions: $15 - $25 per person Consulting for forensic research & recovery: $250 - $350 per hour Credit card reissuance fee: $20 - $30 per card Legal fees: $350 - $600 per hour (specialist required) Information hotlines: $5+ per call Downtime, damages, settlements, fines, penalties???

9 Manage your data risk, don t ignore it! Reduce the cost to your business with: Risk Management Insurance Ultimately, security is about people not technology It s not a matter of if, but when Foundations of Information Privacy and Data Protection. P. Swire & K. Ahmed, 2012 Said, thought or written by nearly every data security professional working today

10

11 First Party Coverages & Controls Breach Costs 1. Notification and Credit Monitoring Controls Know your data! Was it really a beach? Is credit monitoring necessary?

12 WAIT We didn t lose the data

13 First Party Coverages & Controls Breach Costs 1. Notification and Credit Monitoring 2. Crisis Management & PR Controls Get your team ready to play

14 First Party Coverages & Controls Breach Costs 1. Notification and Credit Monitoring 2. Crisis Management & PR 3. Cyber Extortion Controls Regular back-ups and testing

15 First Party Coverages & Controls Breach Costs 1. Notification and Credit Monitoring 2. Crisis Management & PR 3. Cyber Extortion 4. Business Interruption, Extra Expense & Data Asset Restoration Controls Prepare a business continuity plan

16 First Party Coverages & Controls Breach Costs 1. Notification and Credit Monitoring 2. Crisis Management & PR 3. Cyber Extortion 4. Business Interruption, Extra Expense & Data Asset Restoration 5. Regulatory Fines / Penalties Controls Be forthcoming Be proactive

17 Third Party Liability & Controls Responsibility 1. Security failure to prevent transmission of a virus Controls Keep systems up to date and monitor as much as possible

18 Third Party Liability & Controls Responsibility 1. Security failure to prevent transmission of a virus 2. Privacy Failure to protect personal information Controls Transparent data collection and use policies

19 Third Party Liability & Controls Responsibility 1. Security failure to prevent transmission of a virus 2. Privacy Failure to protect personal information 3. Electronic Content Libel, defamation, infringement Controls Review process for all content and certs from developers

20 Third Party Liability & Controls Responsibility 1. Security failure to prevent transmission of a virus 2. Privacy Failure to protect personal information 3. Electronic Content Libel, defamation, infringement 4. Regulatory Actions Controls Communication, communication, and more communication

21

22 Target Breach Why Security is Hard 3 rd party access HVAC vendor phished, giving hackers a foothold in Target s system Network separation Like old fortresses, the perimeter is protected much more than the rooms inside the gates IDS malware warnings missed Hundreds of alerts are generated every day, often across multiple programs requiring manual verification IDS data exfiltration warnings lots of manual work to find and unless correlated to the infiltration, easy to see as a false positive

23 Target Breach Why Response is Hard 12/12/2013 Target is notified by DoJ they have been breached Statistics vary, but research shows most breaches are discovered by 3 rd parties 12/19/2013 Target publicly discloses breach December 18, 2013 Target breach is revealed in a news story published by krebsonsecurity.com. 12/20/2013 Target offers 10% off in-store sales for all U.S. customers Attack was planned to coincide with busy holiday shopping. Target takes a hit with sales down 3%-4%. Mid-January 2014 Credit monitoring for ALL In an effort to repair customer confidence, credit monitoring is offered to, well, everyone in the US

24 Target Breach destroying the company s brand and alienating customers. Yahoo Finance Target s lost opportunity to say it s sorry 3/26/2014 future lives could well be rocked by identity theft for no reason other than they chose to patronize your business. ABC News The Data Breach Factor So Many Companies Forget: Emotion 3/29/2014 Probably 5% to 10% of customers will never shop there again. Brian Yarbrough, Research Analyst Edward Jones, quoted in USA Today Target sees drop in customer visits after breach 3/11/2014

25 Target Breach Shopping isn t objective. It s emotional. Yahoo Finance Target s lost opportunity to say it s sorry 3/26/2014

26 What to do? Don t ignore it! Data protection is worth your time and attention Expensive software won t fix the problem To be effective, solutions need to realistically fit into your operations Audit systems & processes Regular scanning for vulnerabilities can find issues early Educate employees Training and awareness can go a long way in reducing risk Prepare for the worst With an incident response plan & insurance

27 The Golden Rule of Data If you don t need it, don t keep it!

28