Cybersecurity in convention centres: Understanding and ...aipc.org/uploadFiles/ANNUAL...
Allens is an independent partnership operating in alliance with Linklaters LLP.
Cybersecurity in convention centres: Understanding and managing the risk
Michael Park, Partner
4 July 2017
Overview of today’s session
1. The global cyber battlefield
2. Common external and internal threats
3. The cost of cyber incidents
4. Global cyber attack trends
5. Australian legal landscape
6. Preparing for and managing a breach
7. Key learnings
The global cyber battlefield
Security incidents far exceed data breaches
• 42,068 reported security incidents in 2016
• 1,935 confirmed data breaches in 2016
Source: Verizon 2017 Data Breach Investigations Report (figure extracted from the report)
Trends
• 75% of breaches perpetrated by outsiders
• Majority of breaches are detected by an external party
• Delayed detection
• Hacking is the leading type of breach
Source: Verizon 2017 Data Breach Investigations Report
Why have we seen an increase in cyber incidents and data breaches?
• Volume of digitised data has increased
• Cyber-attacks are becoming increasingly sophisticated
• Regulatory requirements to retain data
Common external and internal threats
Why phishing scams keep working
Some common external threats
• Phishing emails/websites – rely on vulnerable staff and customers
• Distributed denial of service attacks (DDoS)
• Malware targeted at mobile devices (still mainly Android)
• Malware that gathers or intercepts passwords
• Online account hacking
• Ransomware (eg Cryptolocker, WannaCry)
• Global espionage campaigns
Typical internal threats
• Poor password practices
• Corporate laptops containing confidential information without encryption (or sometimes even without password control)
• Loss of laptops, tablets, phones, USB drives
• Staff revealing passwords to phishing fraudsters
• Transfer of computer viruses and malware from poorly secured home computers (often via USB drive sharing)
• Improper destruction of corporate records
Internal threats remain important
[Bar chart: number of incidents (0–100) by cause – hackers; accidentally made public; theft or loss of computer/device; insider theft; unknown; fraud]
Source: Symantec Internet Security Threat Report
The cost of cyber incidents
Typical costs
• Businesses: US$4 million average cost of a data breach, a 29% increase in recent years
• Reputational
• Individuals: administrative nightmare, identity theft, indirect consequences
Typical costs
• External security consultants
• Repair or replacement of systems and data
• Downtime while systems are fixed
• Crisis team management
• Notification and audit services
• Litigation and third party costs
• Brand damage
• Management distraction
• Loss of IP
• Loss of goodwill
Ponemon ‘Cost of Cybercrime Study’
• Most common cybercrimes in Australia
▪ Denial of service
▪ Malicious insiders
▪ Malicious code
• Most common costs
▪ Business disruption
▪ Costs to repair information loss
Global cyber attack trends
Cyber attack trends
• Top three industries: Healthcare, Public Sector, Retail
▪ Where personally identifiable information is commonly held
• Key threat actions: RAM scraping and use of stolen credentials
▪ Attackers remain hidden on average 229 days until the breach is discovered
• Multi-tiered attacks: phishing, DDoS, then breach
▪ Ransomware dramatically on the rise in 2017
• Breach victims increasingly getting on the front foot to manage PR
• Data breaches often arise from a breach of your supplier’s systems
▪ So supplier cyber-risk management programmes and contractual obligations are critical
Cyber attack trends
• Small and medium businesses commonly attacked
▪ Common vulnerabilities exploited
▪ Social engineering and phishing attacks employed
▪ Automated and scaled attacks (often with off-the-shelf hacker tools)
• Highly organised and efficient marketplace for monetising information, with organised crime becoming more involved
• Class action litigation very common in the US
▪ Driven largely by mandatory data breach notification
▪ Settlement value often small per plaintiff, but significant in total
▪ Australia could head the same way with mandatory data breach notification
• Take-up of cyber-risk insurance increasing, but is it creating the market for litigation?
Australian legal landscape
Legal ramifications of data breaches
A data security breach can trigger:
• Privacy laws
• Sector-specific regulations
• Competition & Consumer Act
• Business interruption impact and losses
• Reputational risk
• Civil actions by individuals
• Directors’ duties
• Disclosure obligations under listing rules
Australian Privacy Act 1988 (Cth)
APP 11.1
If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:
(a) from misuse, interference and loss; and
(b) from unauthorised access, modification or disclosure.
APP 1.2(a)
An APP entity must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the entity’s functions or activities that:
(a) will ensure that the entity complies with the Australian Privacy Principles and a registered APP code (if any) that binds the entity;
Enforcement action
In 2015 – 2016 the OAIC…
• Commenced 17 investigations
• Made 7 determinations
• Received 107 voluntary data breach notifications
• Worked on 21 assessments
Australian Privacy Act: where we are now
• APP 11.1
▪ Must take reasonable steps to protect personal information held from misuse, interference, loss and unauthorised access, modification or disclosure
• 2015 OAIC Guide to securing personal information: ‘reasonable steps’ to protect personal information
▪ What is reasonable will vary depending on:
o nature of the entity holding personal information
o sensitivity of personal information
o harm likely to result to individuals from disclosure
o how the organisation stores, processes and transmits personal information
o ease with which security measures can be implemented
▪ Steps and strategies which may be reasonable to take include:
o staff training – security awareness and education
o technological measures
o monitoring
Australian Privacy Act: where we are now
• Privacy Act
▪ Currently no requirement to notify anyone if personal information is misused or lost
• 2014 OAIC Data breach notification – A guide to handling personal information security breaches
▪ Notification of a data breach supports good privacy practices
▪ If a data breach involves a real risk of serious harm, affected individuals and the OAIC should be notified (but this is not currently required by the Privacy Act)
▪ Four recommended steps in responding to a data breach:
o Step 1: Contain the breach and do a preliminary assessment
o Step 2: Evaluate the risks associated with the breach
o Step 3: Notification
o Step 4: Prevent future breaches
Mandatory data breach notification – the journey
• Privacy Amendment (Privacy Alerts) Bill 2013 – failed to gain majority support
• Privacy Amendment (Privacy Alerts) Bill 2014 – failed to gain majority support
• February 2015: Parliamentary Joint Committee on Intelligence and Security’s report on metadata retention recommends mandatory data breach notification
• Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 – exposure draft released for comment
• Privacy Amendment (Notification of Serious Data Breaches) Bill 2016 – introduced to Parliament
• Privacy Amendment (Notifiable Data Breaches) Act 2017 – finally passed
• February 2018: Notifiable Data Breaches (NDB) scheme comes into effect, amending the Privacy Act to introduce mandatory data breach notification
Mandatory data breach notification laws
• What is an eligible data breach?
• ‘Serious harm’ the likely result
• Remedial action exception
• Commissioner declarations
Preparing for and managing a breach
Minimising the fallout…when, not if, it happens
• Cyber insurance
• Governance, culture and training
• Internal practices, procedures and systems
• ICT security
• Access security
• Vendor due diligence and contract management
• Data breach response plan
Contractual obligations and indemnities
• Confidential information
• Security
• Access
• Notification
• Cooperation and compliance with directions
• Audits
• Indemnities
Data breach response plan
Who? What? When? How?
• Practical, up-to-date and easy-to-follow
• Consider different scenarios
▪ type of breach
▪ internal vs external detection
• Appoint a data breach response team
• Manage key person risk
• Appoint a PR team and have a comms plan
• External legal breach coach: engage external lawyers early so that the breach investigation can be cloaked with legal professional privilege
Responding to a breach
Step 1: Contain the breach and undertake a preliminary assessment
Step 2: Evaluate the risk
Step 3: Consider whether notification is appropriate
Step 4: Prevent further breaches
Engagement with the privacy regulator
Key learnings
Minimising the threat
• Cybersecurity is not just an IT issue
▪ impacts commercial, legal, HR, compliance, privacy and insurance
▪ all staff should be trained and vigilant
• Lapses of security lead to loss of customer trust and reputation, and in turn to loss of business
• Cyber arms race
▪ continuing escalation of threat and countermeasure – hackers one step ahead
▪ not a question of if, but when, you will suffer a data breach – so be prepared
• Two key aspects of becoming breach-ready
▪ have in place a data breach response plan
▪ actively manage vendor cyber-risk – due diligence and contract management
Key learnings
• Have a functional and up-to-date data breach response plan, and test it regularly
• Prepare now for mandatory data breach notification by changing processes and contracts
• Design systems with cybersecurity in mind and not as an afterthought
• Consider taking out cyber insurance
• Do due diligence on, and have contractual protections with, third parties
Michael Park, Partner
T +61 3 9613 8331
M +61 419 049 [email protected]
Questions
Cyber Security Tip Sheet:https://www.allens.com.au/pubs/pdf/Cybersecuritypresentationflyer_A3_v3a.pdf