Protecting Your Company From A Cyber Breach Proactive Steps to Minimize Breach Risks & Impact...

Post on 18-Jan-2016


Protecting Your Company From A Cyber Breach

Proactive Steps to Minimize Breach Risks & Impact

October 30, 2015

Presented By

© 2015 Fredrikson & Byron, P.A.

Rebecca Perry, CIPP US/G, Jordan Lawrence, 636.821.2251, rperry@jordanlawrence.com

Ann Ladd, Fredrikson & Byron, 612.492.7124, aladd@fredlaw.com

Sten-Erik Hoidal, Fredrikson & Byron, 612.492.7334, shoidal@fredlaw.com

Overview – Elements of a Cyber Security Program

– Identify
– Protect (policies, vendors, training, practices, insurance)
– Detect
– Respond
– Recover

Identify

• Assets
• Business Environment
• Laws/Regulations/Contractual Obligations
• Use Good Information Governance

Locate your data. Delete what you don’t need. Improve policies and training.

What’s Your Biggest Exposure?

# 1 Employee Negligence
# 2 Hacking
# 3 Paper

What Keeps CIOs Up at Night?

Not knowing where sensitive or confidential data is: 64%
Temporary worker or contractor errors: 59%
Migration to new mobile platforms: 56%
Third party outsourcing of data: 34%

N=1587, Source: Ponemon Research, May 2014

The Cornerstone

[Diagram: Records Inventory – Business Processes, What, Where, Retention, Sensitivity]

https://www.ftc.gov/system/files/documents/plain-language/bus69-protecting-personal-information-guide-business_0.pdf

Engage The Business

Accident/Incident Records, Advertising Records, Benefit Records, Budget Records, Contracts & Agreements, Credit Approvals, Customer Orders, Customer Payment Records, Employee Medical Files, Engineering Records, Marketing Records, Research & Development, Sales Receipts

Understand Business Practices

[Diagram: Business Needs]
Requirements: DOL, OSHA, SEC, GLBA, HIPAA, PCI, State Privacy Laws
Sensitivity: Corporate Sensitive, Customer Data, Intellectual Property, PII, Bio Metric, Patient Health Info., Personal Financial, Sensitive EU

Identify Requirements

Benefit Enrollment & Participation

Areas: Distribution Centers, HR – Benefits, HR – Canada, HR – Compensation, Store Operations, HR – Regional

Health Information: Beneficiary #, FMLA, Dates of Service, Patient Name, Patient Address
Government ID’s: National ID Card #, Partial Social Security #, Social Security #
Employee Information: Employment ID, Employment Status, Handicapped Status, Medical Conditions
Personal Information: Age, Name, Email Address, Marriage Status, Physical Address, Telephone #
Financial Information: Insurance Information, Retirement Account
Other: Corp – Legal Actions, EU – Health Status

Applications: 3rd Party, Cognos, Microsoft Outlook, Microsoft SharePoint, PDF
Email: Archive, Desktop Hard Drive, Email Inbox, Laptops, Printed Hard Copies, Shared Drives
Paper: Box Warehouse, Department File Cabinet, Secure File Cabinet
Unstructured: CD/DVD, Laptops, Shared Drives

Best Practice Retention: 6 years after superseded (29 USC 1027)

Reporting Findings & Risks to Senior Management

Case Study: 60,995 data points, 122 area representatives, 17 subject matter experts, 110 departments, 5 countries, 45 days

Lack of Critical Policy Awareness

Information Security Policy: 59% aware, 41% not aware. Only 44% trained.
Records Retention Policy: 69% aware, 31% not aware. 37% never dispose of records.

Redundancy Creates Risk

3,128 versions across media [Paper, Email, File Shares, Applications]
1,302 department versions
274 unique record types
47% tagged with personal information
6% forward to personal email
20% save to flash drives or DVDs
84% save to laptops or tablets
18% save to cloud storage

Over Retention Is a Substantial Cause of Risk to Sensitive Information

Current retention compared to best practice: 71% retained longer [chart categories: Longer, Shorter, In Line, No BP]
48% tagged with sensitive information

Email

20% annual growth rate
Central archive retained indefinitely
Users creating personal archives

Email Storage Locations: Forward to Personal E... 7%, Flash Drives 17%, Content Management ... 26%, Printed Hard Copies 62%, Archive (PST, NSF) 62%, Shared Drives 68%

Electronic Information on File Shares

20,000 gigabytes, 50% annual growth rate (active environment)
PII on shared drives (2+ elements identified): 59 areas
206 record type profiles [Word Documents, Power Points, PDFs, Excel Spreadsheets, Images, etc.]
Age of information: 50% less than 3 years old, 33% 3 to 5 years old, 20% older than 5 years
50% of information on file shares was created in the last 3 years

Protect

• Technical
• Physical
• Administrative – Training, Vendor Management, Policies, Insurance

Technical and Physical Security “Quick Hits”

• Secure shredding
• Wiping equipment
• Encryption
• Patching
• Good passwords

http://www.sans.org/critical-security-controls
http://www.sifma.org/issues/operations-and-technology/cybersecurity/guidance-for-small-firms/

Awareness and Training

Example topics
• Reasons, Risks, What is protected, and Why
• Overview of internal policies
• Highlight important areas of concern depending on your needs:
– Physical security (space, documents, devices)
– Passwords and good log-in practices
– Internet tips/avoiding phishing and other scams
– Sending protected information (email practices, etc.)
– Storing protected information – special security
– Incident response – what to do if you suspect a problem

Some examples – training doesn’t have to be boring.

Can you guess this guy’s password?

Vendor Management

• Diligence – see example questions
• Contractual protections
– Require safeguards – consider third party certifications
– Control downstream transfers (subcontractors, hosts)
– Timely reports of / defined controls on response to incidents
– Termination rights
– Indemnification/Insurance
– Disaster recovery/contingencies
• Audit Rights

Protect – Ensure The Right Policies Are In Place


• Overall Security and Privacy Policy – High Level

• Acceptable Use

• BYOD / Mobile Device / Lost Device

• Security Practices

Detect – Review Data Breach Detection Capabilities


• Data loss prevention technologies

• IT Security Consultant/intrusion testing

• Understand baseline IT security operations

• Monitoring of information systems, device usage, and personnel

Respond


Respond – Prepare in Advance!


Respond – Develop, Practice, and Follow A Data Breach Response Plan


• Written document(s) outlining the company’s strategy for evaluating and responding to potential data breaches.

• Customized to the company’s processes, structure, and goals.

• Tailored to the types of PII or sensitive information the company has access to.

Respond – Key Components For A Data Breach Response Plan


1. Identify response team and outline roles and responsibilities.

2. List strategic partners and explain process for determining whether they need to be involved.

3. Diagram system, data flow, and infrastructure.

Respond – Key Components (cont.)


4. Outline strategy for identifying a breach, ascertaining its scope, and containing the breach.

5. Explain process for analyzing legal implications of breach.

6. Outline how notice will be provided to potentially injured parties (if necessary).

Respond – Response Plan (cont.)


7. Develop and outline an internal communications strategy.

8. Develop and outline an external communications strategy.

9. Describe process for deciding whether to provide assistance (e.g., credit or fraud monitoring) to injured parties.

Respond – Other Considerations


• Provide to insurer for feedback.

• Train, train, train….

• Follow it!

Recover


• Self Assessment – Review and analyze the company’s response to determine areas for improvement. Revise incident response plan accordingly.

• Recovery Planning – Develop a strategy to get the company’s systems back on line in the event of a breach.

Questions?
