Cybersecurity Risk: How a Data Breach Can Impact a Transaction
John Williamson, CPA, CIA, CISA
Jesus Vega, CISSP
Agenda
• Anatomy of a Breach
  • How Breaches Happen
  • Latest Trends
• Financial Impact of Breach
  • The Cost of a Breach
  • Case Study Review
• How It Impacts Your Transaction
  • Industry Profiles
  • Top Risks/Questions You Should Ask
• Q&A session
Anatomy of a Breach

Verizon Data Breach Investigations Report
Verizon Enterprise Solutions: a division of Verizon Communications that offers cloud services and managed security services.
A report summarizing security incidents and breaches investigated by Verizon or provided by a set of 73 contributors in the security services industry.
• 41,686 incidents
• 2,013 breaches
Key Definitions

Incidents vs. Breaches
• An incident is a security event that compromises the integrity, confidentiality, or availability of an information asset.
• A breach is an incident that results in the confirmed disclosure – not just potential exposure – of data to an unauthorized party.

Personal Data
• Personal data are data that allow the identification of a person directly or indirectly.
  • Name and surname
  • Home address
  • Email address
  • Identification card number
  • Location data
  • Internet Protocol (IP) address
  • Cookie ID
  • Advertising identifier of your phone
  • Medical data
How Breaches Happen
Who Are the Victims?
Latest Trends
Financial Impact of a Breach
Financial Impact
Financial Impact (cost per record, by industry)

Primary Cost Drivers:
1. Detection & Escalation Costs
2. Notification Costs
3. Post Breach Costs
4. Lost Business Costs

Financial Impact
Impact on Your Transaction
Case Study
• Organization acquires a small company to break into a niche market
• The following unexpected surprises occurred:
  • $9,000 monthly colocation cost
  • 75% of the equipment used to host the application was beyond End-Of-Life
  • Company did not meet PCI compliance regulations
    • The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes
    • You’ll hear talk of PCI compliance fines, and those fines can range from $5,000 to $100,000 a month, depending on factors like the size of your business and the length and degree of your non-compliance.
Risk in Your Transaction
• Trust but Verify: has a 3rd party performed any type of due diligence?
  • Financial Audit
  • Quality of Earnings
  • Cybersecurity Examination
• Has the organization identified the risky data they hold?
  • Personally Identifiable Information (PII)
  • Payment Card Data (PCI-DSS)
  • Protected Health Information (PHI)
  • Intellectual Property
Industry Profile: Healthcare
HIPAA/HITECH
• Know your business associates
• Segmentation and protection of PHI
• Encryption methods (in transit and at rest)
• Privacy practices and notices
• Incident response planning is key

HHS penalty tiers:
• Tier 1 (Unaware of violation and exercising reasonable due diligence): $100 to $25,000
• Tier 2 (Reasonable cause that the entity knew about or should have known): $1,000 to $100,000
• Tier 3 (Willful neglect, but corrected within 30 days of discovery): $10,000 to $250,000
• Tier 4 (Willful neglect and made no effort to correct within 30 days of discovery): $50,000 to $1.5M
Industry Profile: Retail
Payment Card Industry Data Security Standard (PCI-DSS)
• Does the business process credit cards themselves or do they outsource to a 3rd party processor?
• If they process the cards themselves, focus on:
  • Network segmentation
  • Data classification
  • Cardholder Data Flow
  • Self-Assessment Questionnaires/Reports on Compliance
  • Central logging of events
• If they use a 3rd party processor, focus on:
  • Contractual commitments with vendors
  • Vendor PCI compliance reporting
Industry Profile: Technology
• Generally, technology companies will collect, process, and store data on behalf of their customers.
• Focus on the types of data processed (PII, PHI, Cardholder data)
• Privacy commitments
  • Data belonging to California residents
  • Data belonging to EU citizens
  • Data belonging to US citizens (no current legislation, but it's on its way)
• 3rd party risk (SOC reports, contracts, SLAs)
• Independent assessment to determine: Scalability, Security, and Integration
The Value of IT Due Diligence
Overall Risks/Red Flags
The Top Concerns from Security Professionals:
• No vulnerability scans
• No asset inventory
• No data mapping (a method of understanding the physical and logical location of data)
• Poorly defined/lack of contracts with vendors (no SLAs)
• Poorly designed architecture (which impacts scalability, security, and integration)
• Diversification risk regarding key personnel/no succession planning
Questions?