Recent Breaches: California Dept. Newman Marcus Of Child Support Services Target Michael’s Federal Reserve University of Nebraska Living Social Evernote Facebook Global Payments Company Citi of Texas Adobe IRS JP Morgan Chase in NY Schnucks Horizon Blue Cross Dept. Of Energy Blue Shield of NJ
The Problem: Skilled & Protected Perpetrators
The Problem: Antivirus Software isn’t enough Antivirus Software products are “doomed to failure” Brian Dye Senior VP of Information Security at Symantec. • AV is reactionary in nature • Requires constant management • Isn’t making them money • Cyber criminals are focusing on cyber attacks, DOS, Spearphishing & network intrusion
The Problem: Lost Devices Right here in Springfield: Stolen laptops lead to important HIPAA settlements. Two entities have paid the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
Top 10 Security Risks 1. Threat from inside (ignored or from providers) 2. Botnets 3. Mobile Device/BYOD Security 4. Hactivism (Hacking by large hacking organizations) 5. Inadequate Security Policies 6. Un-Patch Software 7. Gen Y Factor 8. Security Backlash 9. Cloud Computing 10. Compliance
Preventative Steps: People • Develop a Culture of Security • Train, Train, Train • Local Area Network Usage • Remote Work • Social Networking • Gen Y (not to be click happy) • Implement Real Security Policies • Explain the Policies & Enforce them • Audit Active User Accounts & Disable former employee accounts
Preventative Steps: Technology • Updates - Always • Next Generation Firewalls • Content Management Systems (Inside the network and while remote) • Protect the innocent user • Manage the Wireless Infrastructure • Mobile Device Management • Encrypt Laptops and Mobile Devices • Spam Management
Preventative Steps: Technology • Dedicate computers to online banking & accounting functions which cannot be used for email or general Web browsing • Utilize Anti-Virus / Anti-Malware Software on every system • White Listing Applications • Ensure every upgrade focuses on security FIRST • Implement Monitoring • Business Associate Agreements • Network Assessment
Protect: Insurance Crime & Cyber Liability Insurance Coverage A decade ago most businesses were concerned about protecting physical assets (building, equipment, stock), today protecting data (computer records) has become the top priority. Cyber Liability and Data Breach Claims are one of the fastest growing areas of risk in the world. • Sophisticated attackers break through traditional safeguards every day • Cloud, mobile, social and big data drive unpredictable change • Yesterday’s security practices are unsustainable • 61% of organizations say that data theft and cyber crime are the greatest threats to their organization • 83% of enterprises have difficulty finding the security skills they need
Protect: Cyber Liabilities & Data Breaches Type of Data Exposed • Personal Information • Financial Information • Health Information Causes of Loss • Hackers • Rogue Employees • Loss/Theft of Equipment – Laptops, Phones, Thumb Drives • Paper Files
Protect: Cyber Liabilities & Data Breaches Top Industries • Financial Services • Healthcare • Retail Top Costs Per Breach • Business Disruption • Information Loss • Notification Expenses & Credit Monitoring • Loss of Revenue • Regulatory Fines • Crisis Management
Protect: Cyber Insurance Coverage Cyber Liability Insurance – Secures a company’s liability and losses in the event of a data breach, typically has two different components • Third Party Liability – Party suffering loss due to the breach comes back on the company for damages • First Party Coverage o Business Interruption o Notification Expenses and Credit Monitoring o Regulatory Fines o Damage to Reputation Obtain an indication (Travelers information in your packet)
Protect: Crime Insurance Coverage Computer Fraud – The theft of money/securities using a business’s computers or network • Typically accessed either by physically using the business’s computer workstations or by hacking into the network and using/accessing logins and passwords. • Normally insured through a computer fraud policy. • Firewalls and login/password management are critical. • Review bank agreements and establish protocols for bank transactions.
Protect: Crime Insurance Coverage Funds Transfer Fraud – A Fraudulently initiated transfer of Funds from an account: • Normally insured through a Funds Transfer policy. • Proper internal policies and procedures are key. • Again, review your bank agreement and establish protocols.
Boards & CEOs Demand Strategy CEO CFO/COO CIO HR CMO Loss of market Audit failure Loss of data Violation of Loss of share & confidentiality, employee customer reputation Fines & integrity and/or privacy trust criminal availability Legal Exposure charges Loss of brand Financial loss reputation
Develop a Crisis Management Plan • Reputation protection is critical! • Target didn’t break the news, a security blogger did. • Customers were confused by Target’s public response – emails were from an unfamiliar domain. • Target’s CEO resigned due to the recent breach and resulting damage. DESIGN, IMPLEMENT, MONITOR • Be prepared to communicate a clear, concise, effective message. • Determine how you will communicate (letters, email, etc.) • Determine how you will handle incoming questions. • Map out a resolution plan.
Wrap Up & Questions • Cyber and computer risks are increasing exponentially. • No single preventative control or procedure can ever be 100% effective. What works today, may not work tomorrow. • As presented in the federal guidance, use a “layered approach” to reduce risk incorporating multiple, overlapping protective measures. • Develop clear strategies on: o Training your staff o Establish a culture of security first o Establish effective network security updates o Next Generation Firewalls o Encrypt sensitive data, emails, and mobile devices o Obtain options on insurance coverage o Establish a crisis management plan o We will send you a plan sample if requested JMARK and Ollis & Company are available to help!
Recommend
More recommend
