Vaco Cyber Security Panel

Transcription

1 Vaco Cyber Security Panel ISACA Charlotte Chapter December 5 th, 2017

2 Vaco is an international talent solutions firm headquartered in Nashville, Tennessee, with more than 35 locations around the globe. We re a different kind of company, built on an uncommon culture that values personal empowerment and fierce entrepreneurial spirit. We re here to help the best and brightest industry talent find the freedom that comes from fulfilling their professional potential with companies that value human connection. Pete Schile Partner pschile@vaco.com

3 Hard-to-find talent, impossible-to-beat service. Get the strongest short list possible. Tap into our vast international network and deep local relationships to find the right skill set and the best culture fit for your business, fast. Our internal teams are made up of industry veterans from national firms, Fortune 500 companies, and top recruiting agencies. They know qualified talent when they see it, so you get the expertise you need, right when you need it. CONSULTING STRATEGIC STAFFING PERMANENT PLACEMENT EXECUTIVE SEARCH MANAGED SERVICES CORPORATE RELOCATION ACCOUNTING AND FINANCE IT/ TECHNOLOGY HR/ MARKETING/ SALES OPERATIONS AND ADMINISTRATIVE

4 OUR CYBER SECURITY PANEL Pete Seeber CEO and Co-Founder Sarah Hutchins Partner Evan Taylor Risk Consultant

5 TECHNOLOGY CONSIDERATIONS

6 Pete Seeber CEO & Co-Founder

7 Cybersecurity Posture Cybersecurity is NOT an IT issue alone, it is an Organization-wide issue Cybersecurity is a Program, it is a Culture People, process, technology, risk and compliance Cybersecurity must start with a framework Cybersecurity must address business risk Cybersecurity is an Organization-wide Issue

8 SMB: The Cyber Challenge 70% of cyberattacks target small businesses (1) 50% of small businesses have already experienced a cyberattack (1) 67% of SMBs say their current technologies can t detect or block most cyber attacks (2) Average cost of breach is >$955,000 (2) (1) the National Cyber Security Alliance (2) Ponemon Institute 2016 State of Cybersecurity in Small and Medium Sized Businesses. SMB s are Over-Challenged & Under-Resourced

9 SMB: The Cyber Challenge SMB s have the same challenges as Enterprise organizations SMB s have less resources to deal with the challenge SMB s are a more vulnerable target # of SMB s > # of Enterprises SMB is therefore a target rich environment Broad based attacks Targeted attacks SMB s are Over-Challenged & Under-Resourced

10 SMB s: Over-Challenged & Under-Resourced Human capital: How much is enough?? Budget challenges: 5% of 7%: How much is enough?? Building the business case Technology & Tools: How much is enough?? Overwhelmed: Are you sure you re covered?? Incident Response Plan?? We re playing catch-up: systems were built for speed and reliability, NOT security

11 What is Your Security Strategy?

12 The Approach Prevent - vs Detect & Respond Stop the bad guys before they re in your environment Defense-in-depth is not the only option Consolidation: Prevention-based platforms are growing New technologies need to be leveraged in the right way Machine Learning at the endpoint vs - traditional signature-based antivirus Next-generation firewalls with advanced capabilities Focus on prevention-based strategies & also have a regularly updated Incident Response Plan

13 Threat Vectors Are You Covered? Attack Surface Reduction Vulnerability scans and patch management Employee education & awareness Phishing attacks and the weakest link gateway Filter before it hits the inbox Educate but build an environment where you assume they always click

14 Threat Vectors Are You Covered? Endpoint: machine learning vs. legacy signature-based AV Network Firewalling: at the core and at the edge Network segmentation: Hard on the outside, soft on the inside Why, Where & How Internal threats & DLP Cloud applications, mobile??? Don t underestimate the human element in cybersecurity

15 SMB Solution Don t go at it Alone Security-as-a-Service approach Modular components to fit your business Address the relevant threat vectors Dovetailed technology for effectiveness and efficiency Maintain visibility, input, control Fully-managed & Co-managed Outsource the process but not the risk SOC support Blend of automation and human components The best solution is functional AND financially attainable

16 Rocus Networks in the Community Wake Forest University Cybersecurity Certificate Program Founded and co-authored expanding to USC and others SC Cyber E2D - Eliminating the Digital Divide 501c3 Blue Diamond award winner from IT-ology Decommissioned laptops from Corporate America to kids in schools Re-Image Labs in Charlotte area high schools Easier than falling down Join!!! Get In Where You Fit In

17 Pete Seeber CEO & Co-Founder

18 LEGAL CONSIDERATIONS

19 Legal and Practical Considerations for Security & Data December 5, 2017 Sarah F. Hutchins

20 Targeted Industries Legal, Financial, Healthcare, Government, Energy/Utilities, Tech Why? Aggregated key documents Proliferation of data Lack of security Time pressures, mobility, & remote access Lots of paper (that can be copied) Threats from employees Transfer and Production 22

21 Considerations and Repercussions Domestic Data Protection Laws General and Industry Specific Domestic Data Breach Laws General and Industry Specific Ethical Obligations Reputational Risk Client and Customer Relationships Lawsuits, Damages, & Ransom Competitive Threat Creation of additional legal issues

22 International Laws: General Data Protection Regulation (GDPR) Controls how personal data of EU and UK* residents/citizens is stored, transferred, and destroyed Effective May 25, 2018 Fines up to 4% of annual gross revenue Key Provisions Applies to controllers and processors Data Mapping Privacy by Design Data Minimization Privacy Impact Assessments Consent and Notice Individual Privacy Rights Data Breach International Data Transfers 24

23 Relationships & Protections Vendor vulnerabilities Clients may request additional security precautions (or give informed consent for a lack of protection) Client and Vendor Audits Risk Assessment/ Security Audit Breach Response Plan & Security Policies Malpractice Insurance

24 Other Internal Protections Computer Use Policies Confidentiality Agreements Other Applicable Security Measures New Employee and other training and testing Limit and protect networks/files Confidentiality designations and sensitive information Mobile device and external device policies Exit Policies Collect and document materials returned Review computers

25 Questions? Sarah F. Hutchins

26 FINANCIAL LIABILITY

27 CYBER LIABILITY INSURANCE OVERVIEW FOR Prepared by: Evan Taylor NFP

28 2017 Industry Claims Data Companies with less than $50M in revenue were most impacted Healthcare claims for victim notification were highest at $695k, on average Breach costs were 20% higher when there was cloud involvement Average PCI fines were $389k Cases of malicious insider events resulted in claims expenses four times expensive 2017 NetDiligence Claims Study This report is to be used for informational purposes only. This report does not amend, extend or alter coverage afforded in the certificate of insurance and/or policy. Please refer to the policy for terms and conditions. Insurance services provided by NFP Property & Casualty Services, Inc. (NFP P&C), a subsidiary of NFP Corp. In California, NFP P&C does business as NFP Property & Casualty Insurance Services, Inc. License #0F

29 How Bad is It? Average breach cost $665K Average claim payout $495K $32K was average Ransomware ransom payment 2 million records lost on average Time of Compromise to Discovery days days days days days days 2,982 days NetDiligence Claims Study Mandiant M-Trends This report is to be used for informational purposes only. This report does not amend, extend or alter coverage afforded in the certificate of insurance and/or policy. Please refer to the policy for terms and conditions. Insurance services provided by NFP Property & Casualty Services, Inc. (NFP P&C), a subsidiary of NFP Corp. In California, NFP P&C does business as NFP Property & Casualty Insurance Services, Inc. License #0F

30 Coverage 101 First Party Loss Third Party Loss First Party Breach Response Expenses Breach Coach/Legal Services Incident Response/Digital Forensics Victim Notifications Credit Monitoring Services Call Center Services Reputational Risk: PR/Crisis Management Business Income and Extra Expense Data Restoration Expense Dependent Business Interruption Extortion/Ransomware Payments Failure to Implement and Maintain Reasonable Security Measures Negligence Dependent Business Interruption Security Failure System Failure Unfair, Deceptive and Unlawful Business Practices Violation of Privacy Invasion of the Customer s Right to Privacy Breach of Contract and Violation of Consumer Fraud Act Defense and Damages Media/Intellectual Property Regulatory Actions Including Fines and Penalties, ie: PCI, HIPAA, etc. This report is to be used for informational purposes only. This report does not amend, extend or alter coverage afforded in the certificate of insurance and/or policy. Please refer to the policy for terms and conditions. Insurance services provided by NFP Property & Casualty Services, Inc. (NFP P&C), a subsidiary of NFP Corp. In California, NFP P&C does business as NFP Property & Casualty Insurance Services, Inc. License #0F

31 Cyber Liability Insurance First Party Forensic Services Victim Notification Credit/ID Monitoring Legal Services Public Relations Total (Average) Get the Bad Guys Out Letters to Victims Lifelock, etc. Outside Counsel Stay Out of the News $357,000 This report is to be used for informational purposes only. This report does not amend, extend or alter coverage afforded in the certificate of insurance and/or policy. Please refer to the policy for terms and conditions. Insurance services provided by NFP Property & Casualty Services, Inc. (NFP P&C), a subsidiary of NFP Corp. In California, NFP P&C does business as NFP Property & Casualty Insurance Services, Inc. License #0F

32 Poll Does your company have cyber liability insurance? If not, what was the reason for not entering the market? Risk not big enough? Difficult to find the right policy? Cost? Lack of management support? This report is to be used for informational purposes only. This report does not amend, extend or alter coverage afforded in the certificate of insurance and/or policy. Please refer to the policy for terms and conditions. Insurance services provided by NFP Property & Casualty Services, Inc. (NFP P&C), a subsidiary of NFP Corp. In California, NFP P&C does business as NFP Property & Casualty Insurance Services, Inc. License #0F

33 Poll 2016 Network Security and Data Privacy Study: Wells Fargo Insurance This report is to be used for informational purposes only. This report does not amend, extend or alter coverage afforded in the certificate of insurance and/or policy. Please refer to the policy for terms and conditions. Insurance services provided by NFP Property & Casualty Services, Inc. (NFP P&C), a subsidiary of NFP Corp. In California, NFP P&C does business as NFP Property & Casualty Insurance Services, Inc. License #0F

34 Questions to Ask What specifically is covered? What is excluded? How long after a breach occurs does the company have to report it without losing coverage? After reporting a breach, how quickly does the carrier respond? Is the provider, to include the carrier and the experts they employ, knowledgeable about your industry (e.g.: HIPAA, PCI-DSS, etc.)? How much will this cost? How will a breach impact your premium moving forward? Have a Plan Incident Response Plan (For Hire/for Free*) Insurance Limits SMBs $1MM-5MM initially, scaling to $5MM-20MM, sometimes layered across a number of carriers This report is to be used for informational purposes only. This report does not amend, extend or alter coverage afforded in the certificate of insurance and/or policy. Please refer to the policy for terms and conditions. Insurance services provided by NFP Property & Casualty Services, Inc. (NFP P&C), a subsidiary of NFP Corp. In California, NFP P&C does business as NFP Property & Casualty Insurance Services, Inc. License #0F

35 Why Buy a Cyber Liability Policy? Cyber Liability was created to close coverage gaps in other insurance lines such as: Commercial General Liability Most cyber claims would not be covered under this policy because the resulting loss is not considered a property damage or bodily injury. Crime Policy While there may be some limited coverage under some policy forms, many traditional crime policies are adding exclusions for costs associated with the theft of personal identifiable information (PII) and trade secrets. D&O Policy This may potentially cover the Directors and Officers actions leading up to a breach, but would not cover the bulk of the associated expenses, including but not limited to: notification, crisis management, credit monitoring, and business interruption. This report is to be used for informational purposes only. This report does not amend, extend or alter coverage afforded in the certificate of insurance and/or policy. Please refer to the policy for terms and conditions. Insurance services provided by NFP Property & Casualty Services, Inc. (NFP P&C), a subsidiary of NFP Corp. In California, NFP P&C does business as NFP Property & Casualty Insurance Services, Inc. License #0F

36 Thank You. Evan Taylor Risk Consultant Copyright 2017 NFP Corp. All rights reserved.

37 QUESTIONS + COMMENTS? ISACA Charlotte Chapter December 5 th, 2017