State Governments at Risk: The Data Breach Reality
NCSL Legislative Summit August 5, 2015
Doug Robinson, Executive Director, National Association of State Chief Information Officers (NASCIO)
About NASCIO
National association representing state chief information officers and information technology executives from the states, territories and D.C.
Founded in 1969
NASCIO's mission is to foster government excellence through quality business practices, information management, and technology policy.
Top Ten: State CIO Priorities for 2015
1. Security
2. Cloud Services
3. Consolidation/Optimization
4. Broadband/Wireless Connectivity
5. Budget and Cost Control
6. Human Resources/Talent Management
7. Strategic IT Planning
8. Mobile Services/Mobility/Enterprise Mobility
9. Disaster Recovery/Business Continuity
10. Customer Relationship Management
Source: NASCIO State CIO Ballot, November 2014
State Governments at Risk!
States are attractive targets – data!
More aggressive threats – organized crime, ransomware, hacktivism
Nation state attacks
Critical infrastructure protection
Insider threats – employees, contractors
Emerging IT and data on the move
Need for continuous training, awareness
IT Security Risks in the States
Protecting legacy systems
Malicious software
Foreign state-sponsored espionage
Mobile devices and services
Use of social media platforms
Use of personally-owned devices (BYOD) for state business
Adoption of cloud services; rogue cloud users
Inadequate policy compliance
Third-party contractors and managed services
October 2014
State Governments at Risk: Time to move forward
#StatesAtRisk
Key Themes from the 2014 Study
Maturing role of the CISO
Budget-strategy disconnect
Cyber complexity challenge
Talent crisis
2014 Deloitte-NASCIO Cybersecurity Study
Cyber complexity challenge
2014 Deloitte-NASCIO Cybersecurity Study
Sophistication and sheer range of cyber threats continue to evolve
Regulatory complexity is growing
Complex and mostly federated state government environment poses governing challenges
CISOs and business leaders are not on the same page regarding the states’ abilities to protect against an attack
By the Numbers: Consequences For States
Government agencies have lost more than 94 million records of citizens since 2009
Average number of days between discovery and disclosure: 58
Average cost per breached record in US: $201
Average cost per breach: $5.8 million
Sources: "Rapid7 Report: Data Breaches in the Government Sector," Rapid7, September 6, 2012; 2014 Cost of Data Breach Study, Ponemon Institute; Navigant Breach report, March 2014
U.S. Benchmark Data: Root Causes of a Data Breach
Malicious or criminal attacks: 44%
System Glitch: 25%
Human Error: 31%
Source: 2014 Cost of Data Breach Study, Ponemon Institute
Who’s Responsible for Protecting State Data?
Chief Information Officers
Information Security Officers
Agency Leaders
Data Owners
Employees
Human Resources
Legal Departments
Third Party Contractors
Elected officials
Unfortunately, state officials are often looking at their data breach in a rear view mirror. After the incident…
NASCIO’s Cybersecurity Call to Action
Key Questions for State Leaders
Does your state government support a “culture of information security” with a governance structure of state leadership and all key stakeholders?
Has your state conducted a risk assessment? Is data classified by risk? Are security metrics available?
Has your state implemented an enterprise cybersecurity framework that includes policies, control objectives, practices, standards, and compliance? Is the NIST Cybersecurity Framework a foundation?
Has your state invested in enterprise solutions that provide continuous cyber threat detection, mitigation and vulnerability management? Has the state deployed advanced cyber threat analytics?
Have state employees and contractors been trained for their roles and responsibilities in protecting the state’s assets?
Does your state have a cyber disruption response plan? A crisis communication plan focused on cybersecurity incidents?
Before the Breach
1. Inventory data and conduct risk assessments. Deploy tiered security measures as appropriate.
2. Review contractor and vendor agreements.
3. Review privacy policies and disclosure requirements. Legal counsel must be engaged.
4. Develop an actionable incident response plan with a crisis communications annex. Test the plan.
5. Train employees on their roles and responsibilities. Ensure policies align with incident response.
Data Breach Guidance in Seven Steps
1. Is contact information current on your data breach response team list?
2. Is your data breach response plan comprehensive?
3. Are your vendor contracts in order?
4. Are notification guidelines clear?
5. Are third parties with access to your data as secure as possible?
6. Is your IT security effectively protecting data?
7. Is your staff security-aware?
Source: Experian Data Breach Response Guide 2014-15
Data Breaches: Not If But When…