SMB Data Breach Risk
Management Best Practices
By Mark Pribish
February 19, 2015
Presentation Agenda
About Mark Pribish
Information Governance
The Threat Landscape
Data Breach Trends
Legislative and Regulatory Updates
Creating Your Data Breach Response Plan
Questions and Answers
About Mark Pribish
Vice President & ID Theft Practice Leader
Certified Identity Theft Risk Management Specialist (CITRMS)
and Arizona P&C License
25 years’ experience in helping consumers and enterprise organizations
manage the risks associated with ID Theft and data breach events
Served in senior sales positions for Aon and AIG
Gannett / Arizona Republic guest columnist for cyber security, data
breach, identity theft, and personal privacy
Member of FBI Citizens Academy Class of 2012, FBI InfraGard Public
Private Alliance, Guidepoint Global Advisors, and Risk Insurance
Management Society
Graduated from the University of Dayton in 1981
Information Governance
What is Information Governance?
“Information governance is a holistic approach to managing corporate
information by implementing processes, roles, controls and metrics that treat
information as a valuable business asset.”
http://searchcompliance.techtarget.com/definition/information-governance
"Information governance is the activities and technologies that organizations
employ to maximize the value of their information while minimizing risks and
costs." http://www.ironmountain.com/Knowledge-Center/Reference-Library/View-by-Document-Type/General-Articles/T/The-IG-Initiative-Definition-of-Information-Governance.aspx#sthash.RxzcIMEl.dpuf
“Information governance is a set of established policies and procedures you and
your employees implement and follow in order to manage sensitive and
proprietary information.” John G. Iannarelli, Assistant Special Agent in Charge of the FBI Phoenix Division
Information Governance
Information Governance Program Checklist
Implement an information governance policy
Require annual information security training and education
Understand what type of employee, customer and member data is being
collected, stored, protected
Constantly assess and test your organization’s needs and requirements
Know your organization’s strengths and weaknesses
Implement baseline safeguards and controls
Vigilance – including annual pre-employment screening
Be aware of current and former employees, customers and vendors
Information Governance
SMBs handle customer, employee and vendor information, including social security
numbers, bank/credit card/loan account information, driver's license numbers,
birth dates, etc.
SMBs use e-mail, computerized accounting, electronic procurement, and/or store
electronic employee and customer information
SMBs rely on electronic networks, including the information, data and the
e-records within and outside these computer networks
Information Governance
Size Doesn’t Matter!
Small to medium size businesses are now
the target of cyber attacks and
ID Theft criminals
Why?
Because large businesses have the financial and IT resources to defend
themselves, hackers and thieves are going after small to medium size
businesses instead
The Best Defense?
Web filtering, security software and employee and customer education
The Threat Landscape
of breaches are to businesses of
100 employees or fewer
of SMBs have
no formal cybersecurity plan
of companies who
experienced a
data breach didn’t know
it…Notified by 3rd party
The Threat Landscape
The Threat Landscape
Privacy Rights Clearinghouse Data Breach Timeline for 2005 – 2015 Jan 19, 2015
Since January 2005 there have been 4,478
data breaches affecting nearly 1 billion records
30 percent of these data breaches were impacted by hackers and IT related
events
70 percent of these data breaches were impacted by social engineering (the
human element)
Data Breach Trends
320 breaches reported between July and September, 2014 November 19, 2014 - http://www.net-security.org/secworld.php?id=17659
Data Breach Trends
Websense Warns Doctors to be on High Alert for 2015 Cyber Blitz 19 Nov 2014 | News
Security experts have warned healthcare organizations to prepare for tidal wave
of online attacks in 2015
600% increase in attacks targeting healthcare data since the start of 2014
Security is often seen as an inhibitor leaving dangerous gaps for hackers to
exploit
Social media platforms would increasingly be used by cyber-criminals as covert
C&C infrastructure
Data Breach Trends
Ponemon Institute Study: Cost of a Data Breach March 2014
Total Costs – averaged $201 per lost
customer record
Direct Incremental Costs – including free/discounted services, notification letters, legal/accounting fees, etc.
Lost Productivity Costs – including lost time of employees and contractors diverted from other tasks
Customer Opportunity Costs – including cost of lost customers and cost of acquiring new customers
Regulatory, Consumer and Data Security Laws
HIPAA Data Breach Requirements (February 17, 2010)
FACT Act Red Flags Rule (December 31, 2010)
47 State Security Breach Notification Laws
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
Legislative Changes/Updates
Creating a Breach Response Plan
Data Breach Responsibility is on the SMB or “Data Owner”
Whether the business data is accidentally lost or it is stolen with malicious intent
Any business that experiences a data breach should work with legal counsel to
determine regulatory requirements including but not limited to state breach
notification laws:
the FACT Act Red Flags Rule
the HIPAA HITECH Data Breach Requirements
the PCI Data Security Standards
COPPA (Children’s Online Privacy Protection Act)
the 47 state breach notification laws
Creating a Breach Response Plan
Small business data breach risk factors include people, processes and
technologies:
• People – the insider threat, whether accidental or malicious, can include current
and former employees, customers, associates, vendors, and independent
contractors.
• Processes – including information technology, enterprise risk management,
marketing/sales and human resources need to be aligned, defined, and
documented.
• Technologies – that are relied on to conduct and grow your business are also
being used to identify vulnerabilities and cyber threats on your business.
Creating a Breach Response Plan
What can a small business do?
Complete a data assessment of the type of information that is being collected, used,
stored and transmitted by asking the following questions:
What type of data (e.g. current and former employee / customer / patient
information) is in your electronic and hard copy files?
What type of Personally Identifiable, non-public Information (PII) is included in
your business data (e.g. name, address, social security number, driver’s license,
bank account information, credit/debit card, medical plan information)?
What percentage of your data involves the collection, storage, usage, and
transmittal of current and former PII?
What aspects of your business products, services and technology are performed
within and outside your business?
Creating a Breach Response Plan
What can a small business do?
Complete a data assessment (continued)
What is the value of your data assets if they were stolen and made public?
Is data that you store subject to civil fines and penalties if breached?
What is your overall financial risk if data you control is breached?
In which states does your business operate, and in which states are your
customers / employees / patients domiciled?
Could a data breach damage your brand and if so what is the potential impact?
Does your business insurance include cyber/network liability insurance?
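The data assessment questions above ask what PII sits in your files, what share of your records carry it, and where the data subjects are domiciled. The following Python script is an added example, not part of the presentation and not a Merchants Information Solutions tool: it scans a constructed record export for the PII types named in the slides (social security numbers, card numbers, birth dates) plus e-mail addresses, rejects card-number lookalikes that fail the Luhn checksum, and tallies records by state so the notification-law question can be answered. The file format (one record per line, " | " separated, state code in the last field) and every record value are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample export, not real data: one record per line, fields separated
# by " | ", with the last field assumed to be the two-letter state of domicile.
SAMPLE_RECORDS = """\
Jane Doe | jane@example.com | SSN 123-45-6789 | AZ
John Roe | card 4111 1111 1111 1111 | exp 04/27 | CA
Acme Supply (vendor) | PO-2291 | net 30 | TX
Pat Lee | DOB 1981-03-14 | card 4111 1111 1111 1112 | AZ
Newsletter signup | bob@example.org | NV
"""

# Detection patterns. The card pattern only finds candidates; luhn_ok() confirms them,
# which keeps invoice numbers and similar digit runs out of the PII count.
PATTERNS = {
    "ssn":   re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card":  re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "dob":   re.compile(r"\b(?:19|20)\d\d-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
STATE = re.compile(r"^[A-Z]{2}$")


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits of a card-number candidate (separators ignored)."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_record(line: str) -> Counter:
    """Count each PII type in one record; card candidates failing Luhn are counted
    under 'card_rejected' so the analyst can see what was filtered out."""
    found = Counter()
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(line):
            if kind == "card":
                found["card" if luhn_ok(match.group()) else "card_rejected"] += 1
            else:
                found[kind] += 1
    return found


def assess(text: str) -> dict:
    """Answer the data-assessment questions for an export: which PII types are present,
    what percentage of records carry any, and which states the data subjects are in."""
    records = [ln for ln in text.splitlines() if ln.strip()]
    pii_counts = Counter()
    states = Counter()
    with_pii = 0
    for rec in records:
        found = scan_record(rec)
        pii_counts.update(found)
        if any(kind != "card_rejected" for kind in found):
            with_pii += 1
        last_field = rec.rsplit("|", 1)[-1].strip()
        if STATE.match(last_field):
            states[last_field] += 1
    return {
        "total_records": len(records),
        "records_with_pii": with_pii,
        "pii_share_pct": round(100 * with_pii / len(records), 1) if records else 0.0,
        "pii_counts": dict(pii_counts),
        "states": dict(states),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

Run against a real export, the state tally drives the "which states are your customers domiciled in" question for the 47 state notification laws, and the pii_counts breakdown tells you which regulatory regimes (FACT Act Red Flags, HIPAA/HITECH, PCI DSS) the data actually pulls in. Pattern matching alone will miss free-text and non-standard formats, so treat the script as the first pass of an assessment, not the whole of it.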
Creating a Breach Response Plan
Your data breach response plan should include "5" components
1. Breach source - determine the source and make sure the data compromise is
isolated and access is closed. If you cannot determine the source of breach you
should engage a forensic investigation company.
2. Breach assessment - determine the scope of the data breach event and the
privacy and data security regulatory requirements associated with the type of
records in addition to the state of domicile.
3. Response plan - include internal employee education and talking points; public
relations press releases, customer education, and resources; the small business
or consumer solution(s) to be considered; and the content and timely release of
notification letters.
Creating a Breach Response Plan
Your data breach response plan should include “5” components
4. Protection plan - include the small business or consumer protection services to
be offered to the compromised record group and the confirmation of professional
call center and recovery advocate support services.
5. Breach victim resolution plan - provide access to professional certified
identity fraud recovery advocates that will work on behalf of the victims to
mitigate and resolve the issues caused by breach.
Creating a Breach Response Plan
Cyber Insurance Becomes Small-Business Necessity www.Advisen.com, Nov 18, 2014
Cyber liability insurance is now as important for small businesses as property
and liability insurance
A data breach can damage a small business far more than a big business
because it can put you out of business
Any firm that has a website, uses social media or stores customers' personal
records in its computers is vulnerable to a cyber-attack
Like other types of insurance, cyber insurance pays for legal expenses to
defend the business in a lawsuit and money to cover losses
Creating a Breach Response Plan
Cyber Insurance Becomes Small-Business Necessity (continued)
Cyber insurance can provide a dedicated call center so that customers can call
a third party specializing in data breach response
Cyber insurance can include identity restoration, since a breach could tie up a
business for weeks
Cyber insurance can include social media liability, since libel and slander on
social media aren't covered by most standard business policies
Cyber insurance can include data recovery where a virus could destroy the
business's software and data and infect customers' computers.
Cyber insurance pays for the cost of restoring the computers or buying new
ones if necessary
Contact Information
Mark Pribish VP & ID Theft Practice Leader
Merchants Information Solutions, Inc.
602-744-3736
www.merchantsinfo.com