The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v

Transcription

1 The data breach lifecycle: From prevention to response IAPP global privacy summit (4:30-5:30) Draft v

2 Common Myths 1. You have not been hacked. 2. Cyber security is about keeping the hacker out. 3. Cyber threats are a technical issue managed locally. 4. You are not in a regulated industry so you don t have to worry. 5. Your contract and/or your insurance protects you from a breach at your third party provider. 6. You don t need to think about data breaches and privacy incidents until they happen. 7. You are [insert regulation here] compliant, and you have privacy notices, so you are all set. 8. There s an App for that! 2

3 Myth #1 You have not been hacked. 3

4 Technology Reliance/Complexity Reality: Don t bet on it. Advanced threats usually maintain remote access to target environments for 6-18 months before being detected. Security Market Paradigm Shift: Assumed state of compromise Resilient Cyber Security Significant and evolving cyber threats unlike ever before Highly skilled/motivated, and yet patient adversaries, including nation states Increasing speed of business, digital transformation, and hyper connectivity across supply chain and to customers Massive consumerization of IT and reliance on mobile technologies Increasing regulatory compliance requirements (e.g., State and Global Breach notification laws, HIPAA) Inclusion & Exclusion Security Layered Security Heavy focus on identity management right people, right place, right access Perimeter Security Focus on enhanced layers of security, adoption of incremental security solutions Focus on security technology for the perimeter 1980s 1990s Time 2000s

5 Myth #2 Cyber security is about keeping the hacker out. 5

6 Reality: Not anymore. Evolution of IT as well as sophistication of the threat drive a need for anticipation and resilience, not just prevention. Traditional Security & Privacy Lifecycle Prevent Correct/Enhance Security & Privacy Management Detect Cyber Evolution: A new holistic approach Respond/ Remediate Cyber Incident & Crisis Management Detect/Discover Increased volume, complexity, and detection difficulty of attacks and the associated impact are driving enterprises to adopt a new approach to security and privacy. Triage/Contain State of Compromise 6

7 Myth #3 Cyber threats are a technical issue managed locally. 7

8 Reality: Security and privacy are more than a local IT challenge They are a global business challenge. g Historical IT security perspectives Today s leading cybersecurity and privacy insights Scope of the challenge Limited to your four walls and the extended enterprise Ownership and accountability Adversaries characteristics Information asset protection Spans your interconnected global business ecosystem Borderless data collection, transfer and storage Regulations and cross-border data flow frameworks vary by country, region and state. IT led and operated Business-aligned and owned; CEO and board accountable One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain Organized, funded and targeted; motivated by economic, monetary and political gain One-size-fits-all approach Data flow analysis and risk based mitigation approach Prioritize and protect your crown jewels Defense posture Protect the perimeter; respond if attacked Proactive, continuous risk assessment & monitoring Plan, monitor, and rapidly respond for when attacked or when an incident occurs Security and privacy intelligence and information sharing Keep to yourself Public/private partnerships; collaboration with industry working groups Enforcement Rare Increasing fines and public disclosures for data breaches and privacy incidents 8

9 Myth #4 You are not in a regulated industry so you don t have to worry. 9

10 Reality: Threats and regulatory enforcement are industry agnostic. Breaches are costly. The number of incidents detected in the past 12 months increased by 25% 1 Financial losses due 1 to security incidents in Europe increased 28% Over last year. Average number of security incidents in post 12 months 1 Industries reporting $10million+ losses 1 Oil & Gas: 24% Pharmaceuticals: 20% Financial Services: 9% Technology: 9% Industrial Products: 8% In North America, 1 detected incidents increased 117% Over last year. 2,562 2,989 3,741 September 2013 FTC sanctions a large technology company for security flaws in their web-enabled video camera Do not allow 9% 1,037 1,612 Do not allow 14% Average cost of a compromised record: $188 2 May 31, Do not allow 18% August 2012 FTC issues a large fine for a privacy violation. August 2013 The OCR fines a company for not removing sensitive data from returned leased equipment: 1 Source: : Global Information Security Survey Source: Ponemon Institute 2013 Cost of a Data Breach Study: U.S. 10

11 Myth #5 Your contract and/or your insurance protects you from a breach at your third party provider. 11

12 Reality More than 40% of companies sustained a data breach caused by a third party 1. Breaches caused by third party errors cost more 1. 57% of companies do not evaluate security at third parties or are not sure if they do 2 Key foundational areas for establishing an effective third-party risk management program Vendor management office Operational risk governance body Governance Methodology Standard operational risk methodologies and defined risk levels Standard controls effectiveness assessment methodology Escalation, exception, and exemption process Data & Information 78% of companies do not or are unsure if they conduct incident response planning with third parties 2 Well defined general ledger Comprehensive contracts management system and contract data Well defined and maintained third-party repositories (vendor master, etc.) Third-party/vendor usage data Strong organizational and employee data for identifying third-party linkages across the organization Issue an and incidents repositories to track third-party issues 1 Source: Ponemon Institute 2013 Cost of Data Breach Study: U.S. 2 Source: Global State of Information Security Survey

13 Myth #6 You don t need to think about data breaches and privacy incidents until they happen. 13

14 Reality: Threat Actors are thinking about you. Effective cybersecurity includes understanding the threat, prioritizing critical data assets, and creating a crisis response plan. Adversary Motives Targets Impact Nation State Economic, political, and/or military advantage Trade secrets Sensitive business information Emerging technologies Critical infrastructure Loss of competitive advantage Disruption to critical infrastructure Organized Crime Immediate financial gain Collect information for future financial gains Financial/Payment Systems Personally Identifiable Information Payment Card Information Protected Health Information Costly regulatory inquiries and penalties Consumer and shareholder lawsuits Loss of consumer confidence Hacktivists Influence political and/or social change Pressure business to change their practices Corporate secrets Sensitive business information Information related to key executives, employees, customers & business partners Disruption of business activities Brand and reputation Loss of consumer confidence Insiders Personal advantage, monetary gain Professional revenge Patriotism Sales, deals, market strategies Corporate secrets, IP, R&D Business operations Personnel information Loss of market share Erosion of corporate confidence National security impact 14

15 Reality. It takes a village. Breach response is more than a technical problem with a technical solution. Cyber crisis management team External counsel Cyber incident management team External service providers Law enforcement & government regulators External counsel Stakeholders Privacy, Legal, IT, Finance, Sr. Executives Public relations Breach notification Law enforcement Government regulators Core Team Team Leader, Support Team Credit monitoring Fraud mitigation Investigative team Technical Lead, Info. Security, BU SME Monitor criminal underground 15

16 Support Area Involvement Threats actors are organized, funded and targeted; you should be too. Data Breach and Privacy Incident Life Cycle Risk Assessment Develop Program Detection Incident Response Notification/ Media Remediation Post Mortem/ Strategy Privacy Legal Incident Response Internal Audit Internal Audit BU SME/Leadership Information Security Compliance Compliance IT 16

17 Learning from each other is critical in building and maintaining an effective program. Incident lifecycle Leading practice Common pitfalls Risk Assessment Ongoing assessment of internal and external privacy and security threats Policies and procedures that are current, communicated, and followed Develop Program Cross-stakeholder, multi-disciplinary effort Process for program training and awareness, communication, and maintenance Controls aligned with threats from risk assessment and a selected framework Design privacy and security into products and systems Detection Automation, risk based tuning/correlation Process for managing privacy and security concerns raised by employees and consumers Incident Response Testing that includes all stakeholders and external providers Inventory of breach notification laws/regulations Notification/Media Template media notice/pre-defined pubic relations process Remediation/Post Mortem/Strategy Non existent. incomplete, or outdated data inventory, including third parties No process for consistent threat analysis Minimum senior leadership involvement and lack of governance structure and processes Focus solely on regulatory compliance Not understanding data flow Lack of clarity around roles and responsibilities Limited forensic capabilities or trusted partner Notification prior to completion of full analysis Strategic versus tactical focus and approach. Limited involvement from internal audit/compliance 17

18 Myth #7 You are [insert regulation here] compliant, and you have privacy notices, so you are all set. 18

19 Reality. There is much more at stake than compliance. Key drivers for data protection & privacy. Legal Requirements Reputation/Brand Competitive Advantage National Security Contractual Requirements Shareholder Value/Financial Proprietary Business Information: intellectual property, pricing & sales/marketing strategy, sourcing strategy Personally Identifiable Information: name, age, identification numbers, home or address, income or physical characteristics; opinions Sensitive Personal Information: Information on medical or health conditions, financial information (including credit cards), racial or ethnic origin Business Customer Information: Franchisee information, Customer sensitive information (financial, IP, etc.) 19

20 Myth #8 There s an App for that! 20

21 Reality. There is no silver bullet. A comprehensive data protection & privacy program is required. Incident Management and Response Data and Vendor Inventory Accountability and Governance Monitoring and Auditing Data Risk and Compliance Assessment Vendor Management Process and Controls Training and Awareness 21

22 Thank you! Carolyn Holcomb Partner, National Data Protection & Privacy Leader (678) Emily Stapf Director, Forensic Technology (703)

23 The information contained in this document is shared as a matter of courtesy and for information or interest only. has exercised reasonable professional care and diligence in the collection, processing, and reporting of this information. However, data used may be from third-party sources and has not independently verified, validated, or audited such data. does not warrant or assume any legal liability or responsibility for the accuracy, adequacy, completeness, availability and/or usefulness of any data, information, product, or process disclosed in this document; and is not responsible for any errors or omissions or for the results obtained from the use of such information. gives no express or implied warranties, including, but not limited to, warranties or merchantability or fitness for a particular purpose or use. In no event shall be liable for any indirect, special, or consequential damages in connection with use of this document or its content. Information presented herein by a third party is not authored, edited or reviewed by and is not endorsing third parties or their views. Reproduction of this document or recording of its presentation, in whole or in part, in any form, is prohibited except with the prior written permission of. Before making any decision or taking any action, you should consult a competent professional adviser PricewaterhouseCoopers LLP. All rights reserved. refers to the United States member firm, and may sometimes refer to the network. Each member firm is a separate legal entity. Please see for further details.