Cyber Theft – The Hidden Crime

Robert W. Carruth, CSP, ARM-P Risk Control Manager NCACC Risk Management Services.

Jan 16, 2016


Slide 1: Cyber Theft – The Hidden Crime
Robert W. Carruth, CSP, ARM-P, Risk Control Manager, NCACC Risk Management Services

Slide 2: What This is All About
- Understanding Data Security in the Cyber-World
- Reduce the Likelihood of a Data Breach
- Prepare to Respond for WHEN it Happens
- Insure Adequate Resources are Available

Slide 3: Memory Lane...

Slide 4: Now the World Has Access
- Digital Age
- Time & Space are Eliminated
- How are Digital Networks and Data Secured?
- Same Basic Principles as Paper Data
- Now the World Has Access

Slide 5: The Modern Computing Environment

Slide 6: But It's Still the Same Data

Slide 7: So... It's About Protecting the Data
- Security Principles Remain the Same
- Theft is Easier
- Lots of Data = Lots of Value

Slide 8: In Other Words...
- Anywhere personal information is collected and managed.

Slide 9: Types of Cyber Events
- Inadvertent Disclosure
- Loss of Device
- Virus/Malware Infection
- Disaster or Hardware Malfunction
- Malicious Attack

Slide 10: Results of Cyber Attack
- Compromise/Loss of Data
- Destruction of Software
- Denial of Service
- Snowball Event
- Credibility of Government is Damaged
- Slowing of Automation of Processes

Slide 11: Target Breach
- Over 70 Million Affected
- Credit/Debit Card Data Compromised
- Used a RAM Scraper to Collect Data
- Malware was installed in the transaction process
- Origin was traced to an HVAC Contractor using a Smart-Phone

Slide 12: OPM Breach
- June 4, 2014
- Over 4 Million Records Compromised
- One of Several Cyber Events over a 2 Year Period
- Agency was Fully Compliant with Federal Guidelines

Slide 13: Lessons Learned – OPM Breach
- Critical Infrastructure will be Attacked.
- Used to compromise government personnel.
- Conduct of reconnaissance and enumeration.
- Compliance-based security strategies don't work. In-depth audits won't help, either.
- Given today's operational realities, governments must rethink security standards.

Source: 12 Lessons For Security & Risk Pros From The US OPM Breach, Forrester Research.

Slide 14: 98% of All Data Breaches
- Human Error
- Insider Misuse
- Malware & Viruses
- Physical Theft & Loss

Slide 15: Sensitive Data
- Social Security Numbers
- Banking/Credit Card Data
- Health Records
- Personnel Records
- Other Personal Identifying Information
- Harm Threshold
- Confidential Operations Documents

Slide 16: Vulnerable Areas
- Board Clerk
- Register of Deeds
- Tax Administrator
- Utilities
- Human Services/Transportation
- Health/EMS
- Human Resources
- Outside Groups

Slide 17: Recommended Actions
- Appoint a Chief Data Officer or Champion
- Protect Data as a Social Responsibility
- Monitor for Data Access and Exfiltration
- Use Encryption as Much as Possible
- Develop Plans for How Data is Secured

Slide 18: Recommended Actions (continued)
- Provide Employee-Centric Data Protection
- Use Software to Monitor Behavior
- Develop & Enforce Password Protocols
- Routinely Purge Authorized User Lists
- Monitor the Global Cyber Environment

Source: 12 Lessons For Security & Risk Pros From The US OPM Breach, Forrester Research.

Slide 19: Tax Administrator
- Maintains County's Tax Records
- Assesses New & Existing Property
- Distributes Tax Notices
- Receives Payments from Public

Slide 20: What Do I Need to Do? (Tax Administrator)
- Screen Records for Private Data
- Segregate & Secure Consolidated Lists or Databases
- Maintain Physical Security over Field Equipment
- Protect & Secure Received Property Data
- Review Release of Delinquent Tax Listings
- Ensure Secure Credit/Debit Card Transactions

Slide 21: The Cyber Pyramid

Slide 22: System Security

Slide 23: Data Storage

Slide 24: User Interface

Slide 25: New Concepts
- The Data Champion
- ID Protection as an Employee Benefit
- External Response Contractor

Slide 26: Incident Preparedness and Response

Slide 27: Incident Key Elements
- Response Team
- Financial Planning
- Response Plan

Slide 28: Response Team
- Think Commandos, Not Battalions
- Ability to move quickly
- Integral positions:
  - Administration
  - Entity Attorney
  - IT
  - Department Heads where Data is stored
- Ability to reach out to Board and additional staff as needed

Slide 29: Response Team
- Data Breach Expertise: Internal? External?
- Multi-jurisdictional Regulatory Experience
- Type of Data Influence: PII, PCI, PHI

Slide 30: Financial Planning
- What is my potential exposure?
  - Investigation expenses
  - Notification and assistance expenses
  - Regulatory expenses
  - Liability claims and defense cost
- Potential exposure is dependent on the type of information compromised
- Various information (PII, PCI, PHI): fund to the greatest exposure
- Fund for single or multiple events?

Slide 31: Financial Planning
- Internal Funding
  - General funds
  - Separate claims fund
  - Incorporate in Risk Management fund
- External Funding: Insurance
  - Confirm coverage for main loss exposures
  - Expert assistance?
  - Risk Control?
  - Deductibles and potential exclusions

Slide 32: Financial Planning – Cost Example, 1,000 records compromised
- PII: $735,745 ($736 per record)
- PCI: $682,575 ($683 per record)
- PHI: $1,017,615 ($1,018 per record)

Includes forensics, notifications, regulatory, liability claims and defense.

Slide 33: Response Plan
- Flexibility: Remember Commandos!
- Don't Assume! Investigate to uncover the cause of the breach. Did an actual legal breach occur?
- Expert takes point
- Communications
  - Internal
  - External: Designate a spokesperson(s)
  - Acknowledgement
  - Action Plan
  - Empathy

Slide 34: Response Plan
- Monitor action plan and make adjustments as needed
- Wrap-up Review
  - Lessons learned
  - System or operational changes
  - Tie back to proactive risk control

Slide 35: Actual Cyber Event
- True story illustration

Slide 36: Questions? Comments?
Bob Carruth: [email protected]