PROTECTING BRANDS IN CYBERSPACE - IAPP (transcript of PDF slides)

Speaker Profile
Abhishek Agarwal, CIPP/US:
• Security & Privacy Leader at Kraft Foods
• Manages compliance programs to safeguard consumer, customer and employee information.
• Responsible for protecting brand image and managing reputational risk
Past Experience:
• Financial Institutions: JPMorgan Chase & HSBC
• Consulting: The Limited Brands, Metlife, Roche, Amex, William Communications, Hospira, Komatsu, Wellpoint, Microsoft, SAP, Cigna, Westward Pharma, Conair, Express Scripts, Coface
Agenda
• History of breaches and incidents
• Impact on revenue due to breaches
• Key drivers for protecting brands in cyberspace
• Key elements of a brand protection program
• Case study
• Take away: do's and don'ts
History of breaches & incidents - Reported
Source: http://www.privacyrights.org/data-breach
• 562,943,732 records containing PII have been stolen since 2005.
• Over 3,241 data breaches have been reported.
• The average cost per breached record is $212.
• Through 2016, the financial impact of cybercrime will grow 10 percent per year due to the continuing discovery of new vulnerabilities.
History of breaches & incidents - Unreported
Source: http://www.bloomberg.com/news/2012-11-04/coke-hacked-and-doesn-t-tell.html

Coca Cola
• Hacking incident: Lost the acquisition of China Huiyuan Juice Group (1886) after intruders stole confidential information about the deal. The company wouldn't discuss "security matters" and said it would make disclosures in public filings.
• Potential impact: Reputational risk, financial risk, legal risk, technology risk.

BG Group Plc
• Hacking incident: Lost geological maps, drilling records and sensitive deals. Released a one-sentence risk factor in its regulatory filings: "Information security breaches may also result in the loss of BG Group's commercially sensitive data."
• Potential impact: Reputational risk, financial risk, loss of business.

ArcelorMittal
• Hacking incident: An executive's confidential PowerPoint presentations and emails about business in China were stolen. The company referenced the possibility of such a threat in its regulatory filings.
• Potential impact: Loss of reputation, loss of revenue due to loss of business.

Chesapeake Energy
• Hacking incident: Investment banking details about natural gas leases that were up for sale were stolen.
• Potential impact: Loss of reputation, loss of revenue due to loss of business.
Impact on Revenue
Source: http://www.networkworld.com/news/2012/072712-global-payments-data-breach-cost-261204.html
Source: http://online.wsj.com/article/SB10001424052748703859304576307664174667924.html
Source: http://www.eweek.com/c/a/Security/Epsilon-Data-Breach-to-Cost-Billions-in-WorstCase-Scenario-459480/
Source: http://www.informationweek.com/security/attacks/rsa-securid-breach-cost-66-million/231002833
Source: http://online.wsj.com/article/SB10001424052702304778304576375911873193624.html
Source: http://online.wsj.com/article/SB10001424127887323374504578220052106443158.html

Company             Year  Revenue impact      Number of records stolen
Global Payments     2012  $84.4 million USD   1.4 million payment cards
Sony                2011  $1.25 billion USD   10 million credit cards
Epsilon             2011  $465 million USD    60 million email addresses
RSA                 2011  $66 million USD     65 thousand customers
Heartland Payments  2008  $140 million USD    100 million credit cards
TJX (TJ Maxx)       2006  $200 million USD    45 million customer records
Fines Imposed

Company             Compliance  Fine imposed
Global Payments     PCI         $35.9 M USD
Sony                U.K. ICO    £250,000
Epsilon             --          Not available
RSA                 --          Not available
Heartland Payments  PCI         $12.5 M USD
TJX (TJ Maxx)       PCI         $40.9 M USD

• EU data protection authorities could fine up to one million euros or two percent of annual revenue for a data breach.
• SEC guidance asks publicly traded companies to report cyber security risks in their annual reports.
Impact on Revenue: Case Study - Sony
Source: Limiting the Impact of Data Breaches: The Case of the Sony PlayStation Network. Authors: Alessandro Gazzini and Matthew W. Holt
• The cost of the 2011 earthquake to Sony was $2.3 B.
• Estimates of the cost of the breach to Sony range from $5.6 B to $24.5 B.
• The immediate impact of the earthquake on Sony's share price (-19 percent) was about the same as the impact on the general economy (-18 percent), but both recovered about 50 percent of the loss by March.
• The data breach, on the other hand, caused a sustained 12 percent loss in Sony's share price, the equivalent of $3.6 billion in market capitalization.
• To put this in perspective, Toyota Motor Corporation's unintended acceleration crisis in 2010, covering 8 million vehicles, cost $2 billion, and its share price fell only 8.5 percent.
• So either the markets were irrational in their evaluation of the impact of the PSN data breach, or the operational impact was more severe than the impact of Toyota's crisis on a revenue percentage basis.
• Evaluating events based on share price is admittedly imperfect, but the key message is clear: the PSN data breach knocked Sony off the post-tsunami economic recovery path in Japan.
Key drivers for protecting brands
• SEC guidance: the SEC has provided guidance to publicly traded corporations to report cyber incidents and the adequacy of preventative actions taken to reduce cyber security risks.
• Reputational risk: the Dow Jones Sustainability Index (DJSI) and corporate governance require adequate data security and privacy controls over consumer information.
• Compliance with audit: a commitment to audit improves the privacy and security posture over PII and thus reduces regulatory, brand and/or reputational risks.
Media channels connecting to cyberspace
[Diagram: Leveraged Digital Marketing Solutions. Capability layers: Content Management; Digital Asset Management; Social / Community; Digital Analytics; Marketing & Campaign Management; Consumer Data Management. Channels and services: Syndicated Content, Brand Properties, Promotions, Brand Communities, Mobile, eCommerce, Security & Compliance, Web Hosting, Search, Components & Web Services, Collaboration & Workflow.]
• Multiple technology media channels are available to manage and deliver consistent, seamless and contextual brand experiences.
Problem statement
• Breaches are impacting the bottom line of organizations.
• Regulatory bodies are imposing increasing fines; however, self-regulation is lacking and companies are not reporting breach activity.
• The technology landscape is evolving quickly with mobility, cloud computing, social media and data analytics.
• How do companies protect their brands in cyberspace while reaching out to consumers through technology media channels?
Key elements of a brand protection program
• Ensure the cyber media presence has reasonable information security controls to minimize the risk and impact of hacking that negatively affects business results, including revenue, reputational risk and regulatory compliance risk.
[Diagram of the program's four pillars and their components:]
Inventory Management: E-Discovery; Domains & IPs; Classification
Brand Assessment: Centralized, Standardized; Website Assessment; Continuous Monitoring
Reporting & Remediation: Management Dashboards; Reporting; Remediation Approach
Governance: Findings & Remediations; Inventory Management; Third Party Service Providers
Risk based approach
• Risk rank the digital media inventory based on applicable privacy regulations, technology standards and business purpose.
Brand Assessment
• Target the assessment at the top 10 security threats and vulnerabilities.
• Standardize the set of checks based on the technology platform.
• Ensure the key privacy components are covered by the assessments, including data collection, use limitation, notice and choice, security safeguards and access to data.
• Ensure the gaps identified in the security assessment are remediated or formally accepted in a timely fashion.
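The risk based approach on the previous slide and the standardized check set described here can be run as one small assessment over the digital inventory. The following is an added example, not code from the slides or from the presenter's program: it takes a constructed inventory of three web properties of a fictitious brand, each with a captured HTTP response (also constructed), applies a baseline check set (HSTS, session cookie flags, clickjacking protection, server version disclosure, forms that post over plain HTTP, and a reachable privacy notice wherever PII is collected), and risk-ranks the properties so that the highest-risk ones are remediated first. The domain names, the check list and every weight are assumptions chosen for illustration.

```python
"""Baseline assessment and risk ranking of a brand web inventory.

Added example, not code from the slides.  The inventory, the captured HTTP
responses, the check set and every weight below are constructed assumptions
chosen to illustrate the approach, not measured values.
"""
import re
from dataclasses import dataclass
from http.cookies import SimpleCookie

# Assumed regulatory exposure per consumer region (impact side of the score).
REGION_WEIGHT = {"EU": 3, "US": 2, "APAC": 1}

# Standardized check set with assumed weights (likelihood side of the score).
CHECK_WEIGHT = {
    "no-hsts": 2,                     # plain-HTTP downgrade possible
    "cookie-not-secure": 3,           # session cookie sent over plain HTTP
    "cookie-not-httponly": 2,         # session cookie readable by injected script
    "no-clickjacking-protection": 1,  # promotion forms can be framed
    "server-version-leak": 1,         # Server / X-Powered-By reveals a version
    "form-posts-over-http": 4,        # consumer data submitted unencrypted
    "no-privacy-notice": 3,           # PII collected without a reachable notice
}


@dataclass
class WebProperty:
    domain: str
    platform: str        # technology platform the check set is keyed on
    collects_pii: bool   # promotions / communities that store consumer data
    regions: tuple       # consumer regions the property serves
    headers: list        # captured (name, value) pairs; Set-Cookie may repeat
    body: str            # captured HTML snippet


def assess(prop):
    """Run the baseline checks against one property and return its findings."""
    findings = []
    by_name = {}
    for name, value in prop.headers:
        by_name.setdefault(name.lower(), []).append(value)

    if "strict-transport-security" not in by_name:
        findings.append("no-hsts")

    for raw in by_name.get("set-cookie", []):
        jar = SimpleCookie()
        jar.load(raw)
        for morsel in jar.values():       # flags are "" when absent, True when set
            if not morsel["secure"]:
                findings.append("cookie-not-secure")
            if not morsel["httponly"]:
                findings.append("cookie-not-httponly")

    csp = " ".join(by_name.get("content-security-policy", []))
    if "x-frame-options" not in by_name and "frame-ancestors" not in csp:
        findings.append("no-clickjacking-protection")

    for header in ("server", "x-powered-by"):
        if any(re.search(r"\d+\.\d+", v) for v in by_name.get(header, [])):
            findings.append("server-version-leak")
            break

    if re.search(r'<form[^>]+action="http://', prop.body, re.IGNORECASE):
        findings.append("form-posts-over-http")

    # Privacy components (notice and choice): a page that collects PII must
    # link to a privacy notice.
    if prop.collects_pii and not re.search(r"privacy", prop.body, re.IGNORECASE):
        findings.append("no-privacy-notice")

    return findings


def risk_score(prop, findings):
    """Impact (what is exposed, under which regimes) times likelihood (open findings)."""
    impact = (3 if prop.collects_pii else 1) + sum(REGION_WEIGHT.get(r, 1) for r in prop.regions)
    likelihood = sum(CHECK_WEIGHT[f] for f in findings)
    return impact * likelihood


def rank_inventory(inventory):
    """Assess every property; return (domain, score, findings), highest risk first."""
    ranked = []
    for prop in inventory:
        findings = assess(prop)
        ranked.append((prop.domain, risk_score(prop, findings), findings))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


# Constructed sample inventory: three properties of a fictitious brand.
SAMPLE_INVENTORY = [
    WebProperty(
        domain="promo.example-brand.com", platform="wordpress",
        collects_pii=True, regions=("EU", "US"),
        headers=[("Server", "Apache/2.2.15"),
                 ("Set-Cookie", "PHPSESSID=8f3a; Path=/")],
        body='<form action="http://promo.example-brand.com/enter" method="post">'
             '<input name="email"><input name="address"></form>',
    ),
    WebProperty(
        domain="community.example-brand.co.uk", platform="custom",
        collects_pii=True, regions=("EU",),
        headers=[("Server", "nginx"),
                 ("Strict-Transport-Security", "max-age=31536000"),
                 ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
                 ("Set-Cookie", "session=2c1d; Path=/; Secure")],
        body='<form action="https://community.example-brand.co.uk/join" method="post">'
             '<input name="email"></form><a href="/privacy-notice">Privacy notice</a>',
    ),
    WebProperty(
        domain="www.example-brand.com", platform="cms",
        collects_pii=False, regions=("US",),
        headers=[("Server", "nginx"),
                 ("Strict-Transport-Security", "max-age=31536000"),
                 ("X-Frame-Options", "DENY"),
                 ("Set-Cookie", "sid=91ab; Path=/; Secure; HttpOnly")],
        body='<a href="/privacy">Privacy Policy</a>',
    ),
]

if __name__ == "__main__":
    for domain, score, findings in rank_inventory(SAMPLE_INVENTORY):
        print(f"{score:4d}  {domain:32s}  {', '.join(findings) or 'baseline met'}")
```

The score separates the two questions a brand protection dashboard has to answer: what a property would expose (PII collected, regions served) and how likely it is to be compromised (open baseline findings). A promotions site that collects consumer addresses over plain HTTP outranks a brochure site with the same technical findings, which is the "protect high risk first" ordering the take-aways call for. In a real program the captured responses would come from continuous monitoring of the domain inventory rather than from inline samples.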
Dashboard and Reporting
• Report a security and privacy health index per brand.
• Show brands by revenue per region together with brand protection cost savings.
Governance model
• 3rd party service providers support the infrastructure.
• Agencies and marketing services follow the policies.
• Maintain the global digital inventory centrally.
• Establish a framework based on global privacy regulations.
• Establish a centralized program to achieve standardization.
Program maturity
[Chart: Security & Privacy Controls Maturity by year. Year 1: Authentication, Authorization, Encryption, Firewall, Anti Virus, Data Protection, Access Controls, Threat & Vulnerabilities. Year 2: Encryption, Data Protection, Access Controls, Threat & Vulnerabilities. Years 3 to 5: Governance, Threat & Vulnerabilities, Access Controls.]
• Establish the maturity model to manage budget and compliance effectively.
• Show stakeholders the cost savings and the opportunity.
Case Study
• Company profile:
  • Industry: CPG organization with a focus on marketing and supply chain
  • Revenue: 20 billion USD
• Information profile:
  • 10+ brands with over 500 million USD in revenue
  • 90+ brands with over 100 million USD in revenue
  • 10+ million consumer records
  • 5000+ third party service providers, business partners & agencies
• High risk areas:
  • 3rd party risk, privacy, mergers, acquisitions & divestitures
Case Study (continued)
• Privacy & security posture:
  • More than 7000 domains
  • Over 750 websites, mobile sites and social media properties
• Privacy & security risks:
  • Domain registrations & inventory management
  • Risk ranked inventory based on privacy regulations and technology platforms
  • Consistent privacy policy, statements and notices
  • Governance model over third party service providers
  • Corporate policy on website development
  • Establish a security baseline
Case Study (continued)
[Chart from the Trustwave Global Security Report, not reproduced in this transcript.]
Source: https://www.trustwave.com/global-security-report
Take Away
• Identify the revenue generating brands: read the organization's annual report.
• Identify the stakeholders: CMO, CFO, CCO, CIO.
• Understand the technology strategy: align with the CIO and CTO.
• Develop a risk based strategy: protect high risk first.
• Set expectations: say "when" a breach will happen, not "if" a breach happens.
• Finally, keep it simple.