Recent Breaches: California Dept. Newman Marcus Of Child Support - - PowerPoint PPT Presentation

Recent Breaches: California Dept. of Child Support Services, Neiman Marcus, Target, Michaels, Federal Reserve, University of Nebraska, Living Social, Evernote, Facebook, Global Payments Company, Citi of Texas, Adobe, IRS, JP Morgan Chase in NY


SLIDE 1
SLIDE 2

Recent Breaches:

  • Target
  • California Dept. of Child Support Services
  • Evernote
  • Federal Reserve
  • Global Payments Company
  • Neiman Marcus
  • Living Social
  • Michaels
  • University of Nebraska
  • Schnucks
  • Adobe
  • Facebook
  • Horizon Blue Cross Blue Shield of NJ
  • Citi of Texas
  • JP Morgan Chase in NY
  • IRS
  • Dept. of Energy
SLIDE 3

The Problem: Skilled & Protected Perpetrators

SLIDE 4

Antivirus software products are “doomed to failure” (Brian Dye, Senior VP of Information Security at Symantec).

  • AV is reactionary in nature
  • Requires constant management
  • Isn’t making them money
  • Cyber criminals are focusing on cyber attacks, DoS, spearphishing & network intrusion

The Problem: Antivirus Software isn’t enough

SLIDE 5

Right here in Springfield: Stolen laptops lead to important HIPAA settlements. Two entities have paid the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

The Problem: Lost Devices

SLIDE 6

1. Threat from inside (ignored or from providers)
2. Botnets
3. Mobile Device/BYOD Security
4. Hacktivism (Hacking by large hacking organizations)
5. Inadequate Security Policies
6. Unpatched Software
7. Gen Y Factor
8. Security Backlash
9. Cloud Computing
10. Compliance

Top 10 Security Risks

SLIDE 7
  • Develop a Culture of Security
  • Train, Train, Train
  • Local Area Network Usage
  • Remote Work
  • Social Networking
  • Gen Y (not to be click happy)
  • Implement Real Security Policies
  • Explain the Policies & Enforce them
  • Audit Active User Accounts & Disable former employee accounts

Preventative Steps: People

SLIDE 8
  • Updates - Always
  • Next Generation Firewalls
  • Content Management Systems (Inside the network and while remote)
  • Protect the innocent user
  • Manage the Wireless Infrastructure
  • Mobile Device Management
  • Encrypt Laptops and Mobile Devices
  • Spam Management

Preventative Steps: Technology

SLIDE 9
  • Dedicate computers to online banking & accounting functions which cannot be used for email or general Web browsing
  • Utilize Anti-Virus / Anti-Malware Software on every system
  • Whitelisting Applications
  • Ensure every upgrade focuses on security FIRST
  • Implement Monitoring
  • Business Associate Agreements
  • Network Assessment

Preventative Steps: Technology

SLIDE 10

A decade ago, most businesses were concerned about protecting physical assets (building, equipment, stock); today, protecting data (computer records) has become the top priority. Cyber Liability and Data Breach Claims are one of the fastest growing areas of risk in the world.

  • Sophisticated attackers break through traditional safeguards every day
  • Cloud, mobile, social and big data drive unpredictable change
  • Yesterday’s security practices are unsustainable
  • 61% of organizations say that data theft and cyber crime are the greatest threats to their organization

  • 83% of enterprises have difficulty finding the security skills they need

Crime & Cyber Liability Insurance Coverage

Protect: Insurance

SLIDE 11

Type of Data Exposed

  • Personal Information
  • Financial Information
  • Health Information

Causes of Loss

  • Hackers
  • Rogue Employees
  • Loss/Theft of Equipment – Laptops, Phones, Thumb Drives
  • Paper Files

Protect: Cyber Liabilities & Data Breaches

SLIDE 12

Top Industries

  • Financial Services
  • Healthcare
  • Retail

Top Costs Per Breach

  • Business Disruption
  • Information Loss
  • Notification Expenses & Credit Monitoring
  • Loss of Revenue
  • Regulatory Fines
  • Crisis Management

Protect: Cyber Liabilities & Data Breaches

SLIDE 13

Cyber Liability Insurance – Secures a company’s liability and losses in the event of a data breach; typically has two different components:

  • Third Party Liability – Party suffering loss due to the breach comes back on the company for damages
  • First Party Coverage
  • Business Interruption
  • Notification Expenses and Credit Monitoring
  • Regulatory Fines
  • Damage to Reputation

Obtain an indication (Travelers information in your packet)

Protect: Cyber Insurance Coverage

SLIDE 14

Computer Fraud – The theft of money/securities using a business’s computers or network

  • Typically accessed either by physically using the business’s computer workstations or by hacking into the network and using/accessing logins and passwords.
  • Normally insured through a computer fraud policy.
  • Firewalls and login/password management are critical.
  • Review bank agreements and establish protocols for bank transactions.

Protect: Crime Insurance Coverage

SLIDE 15

Funds Transfer Fraud – A fraudulently initiated transfer of funds from an account:

  • Normally insured through a Funds Transfer policy.
  • Proper internal policies and procedures are key.
  • Again, review your bank agreement and establish protocols.

Protect: Crime Insurance Coverage

SLIDE 16

CEO, CFO/COO, CIO, HR, CMO

  • Loss of market share & reputation
  • Legal Exposure
  • Audit failure
  • Fines & criminal charges
  • Financial loss
  • Loss of data confidentiality, integrity and/or availability
  • Violation of employee privacy
  • Loss of customer trust
  • Loss of brand reputation

Boards & CEOs Demand Strategy

SLIDE 17
  • Reputation protection is critical!
  • Target didn’t break the news; a security blogger did.
  • Customers were confused by Target’s public response – emails were from an unfamiliar domain.
  • Target’s CEO resigned due to the recent breach and resulting damage.

DESIGN, IMPLEMENT, MONITOR

  • Be prepared to communicate a clear, concise, effective message.
  • Determine how you will communicate (letters, email, etc.)
  • Determine how you will handle incoming questions.
  • Map out a resolution plan.

Develop a Crisis Management Plan

SLIDE 18
  • Cyber and computer risks are increasing exponentially.
  • No single preventative control or procedure can ever be 100% effective. What works today may not work tomorrow.
  • As presented in the federal guidance, use a “layered approach” to reduce risk incorporating multiple, overlapping protective measures.
  • Develop clear strategies on:
  • Training your staff
  • Establish a culture of security first
  • Establish effective network security updates
  • Next Generation Firewalls
  • Encrypt sensitive data, emails, and mobile devices
  • Obtain options on insurance coverage
  • Establish a crisis management plan
  • We will send you a plan sample if requested

JMARK and Ollis & Company are available to help!

Wrap Up & Questions

SLIDE 19