The data breach lifecycle: From prevention to response IAPP global privacy summit
March 6, 2014 (4:30-5:30) Draft v8 2-25-14
www.pwc.com
PwC
Common Myths
1. You have not been hacked.
2. Cyber security is about keeping the hacker out.
3. Cyber threats are a technical issue managed locally.
4. You are not in a regulated industry so you don’t have to worry.
5. Your contract and/or your insurance protects you from a breach at your third party provider.
6. You don’t need to think about data breaches and privacy incidents until they happen.
7. You are [insert regulation here] compliant, and you have privacy notices, so you are all set.
8. “There’s an App for that!”
Myth #1
You have not been hacked.
Reality: Don’t bet on it. Advanced threats usually maintain remote access to target environments for 6-18 months before being detected.
Security Market Paradigm Shift

[Figure: technology reliance/complexity plotted against time, showing four successive security paradigms]
1980s, “Perimeter Security”: focus on security technology for the perimeter
1990s, “Layered Security”: focus on enhanced layers of security, adoption of incremental security solutions
2000s, “Inclusion & Exclusion Security”: heavy focus on identity management – right people, right place, right access
2010+, “Resilient Cyber Security”: assumed state of compromise

• Significant and evolving cyber threats unlike ever before
• Highly skilled/motivated, and yet patient adversaries, including nation states
• Increasing speed of business, digital transformation, and hyper connectivity across supply chain and to customers
• Massive consumerization of IT and reliance on mobile technologies
• Increasing regulatory compliance requirements (e.g., State and Global Breach notification laws, HIPAA)
Myth #2
Cyber security is about keeping the hacker out.
Reality: Not anymore. Evolution of IT as well as sophistication of the threat drive a need for anticipation and resilience, not just prevention.
Cyber Evolution: A new holistic approach

Increased volume, complexity, and detection difficulty of attacks and the associated impact are driving enterprises to adopt a new approach to security and privacy.

[Figure: two lifecycles side by side]
Traditional Security & Privacy Lifecycle (Security & Privacy Management): Prevent; Detect
Cyber Incident & Crisis Management, operating from an assumed State of Compromise: Detect/Discover; Triage/Contain; Respond/Remediate; Correct/Enhance
Myth #3
Cyber threats are a technical issue managed locally.
Reality: Security and privacy are more than a local IT challenge – they are a global business challenge.
Historical IT security perspectives vs. today’s leading cybersecurity and privacy insights

Scope of the challenge
  Historical: Limited to your “four walls” and the extended enterprise
  Today: Spans your interconnected global business ecosystem; borderless data collection, transfer and storage; regulations and cross-border data flow frameworks vary by country, region and state

Ownership and accountability
  Historical: IT led and operated
  Today: Business-aligned and owned; CEO and board accountable

Adversaries’ characteristics
  Historical: One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain
  Today: Organized, funded and targeted; motivated by economic, monetary and political gain

Information asset protection
  Historical: One-size-fits-all approach
  Today: Data flow analysis and risk based mitigation approach; prioritize and protect your “crown jewels”

Defense posture
  Historical: Protect the perimeter; respond if attacked
  Today: Proactive, continuous risk assessment & monitoring; plan, monitor, and rapidly respond for when attacked or when an incident occurs

Security and privacy intelligence and information sharing
  Historical: Keep to yourself
  Today: Public/private partnerships; collaboration with industry working groups

Enforcement
  Historical: Rare
  Today: Increasing fines and public disclosures for data breaches and privacy incidents
Myth #4
You are not in a regulated industry so you don’t have to worry.
Reality: Threats and regulatory enforcement are industry agnostic. Breaches are costly. The number of incidents detected in the past 12 months increased by 25%.1

[Chart: Average number of security incidents in past 12 months1 – 2011: 2,562; 2012: 2,989; 2013: 3,741]
[Chart: 2011: 1,037; 2012: 1,612; through May 31, 2013: 492 (series label not recoverable from the slide)]

Industries reporting $10 million+ losses1
• Oil & Gas: 24%
• Pharmaceuticals: 20%
• Financial Services: 9%
• Technology: 9%
• Industrial Products: 8%

Financial losses due to security incidents in Europe increased 28% over last year.1
In North America, detected incidents increased 117% over last year.1

Average cost of a compromised record: $1882

August 2012: FTC issues a large fine for a privacy violation.
September 2013: FTC sanctions a large technology company for security flaws in their web-enabled video camera.
August 2013: The OCR fines a company for not removing sensitive data from returned leased equipment.

1 Source: PwC: Global Information Security Survey 2014. 2 Source: Ponemon Institute 2013 Cost of a Data Breach Study: U.S.
Myth #5
Your contract and/or your insurance protects you from a breach at your third party provider.
Reality: More than 40% of companies sustained a data breach caused by a third party.1 Breaches caused by third party errors cost more.1
57% of companies do not evaluate security at third parties or are not sure if they do.2
78% of companies do not, or are unsure if they, conduct incident response planning with third parties.2
Key foundational areas for establishing an effective third-party risk management program

• Vendor management office
• Operational risk governance body

Governance Methodology
• Standard operational risk methodologies and defined risk levels
• Standard controls effectiveness assessment methodology
• Escalation, exception, and exemption process

Data & Information
• Well defined general ledger
• Comprehensive contracts management system and contract data
• Well defined and maintained third-party repositories (vendor master, etc.)
• Third-party/vendor usage data
• Strong organizational and employee data for identifying third-party linkages across the organization
• Issues and incidents repositories to track third-party issues
1 Source: Ponemon Institute 2013 Cost of Data Breach Study: U.S. 2 Source: PwC Global State of Information Security Survey 2014
Myth #6
You don’t need to think about data breaches and privacy incidents until they happen.
Reality: Threat actors are thinking about you. Effective cybersecurity includes understanding the threat, prioritizing critical data assets, and creating a crisis response plan.
Adversary: Insiders
  Motives: Personal advantage, monetary gain; professional revenge; patriotism
  Targets: Sales, deals, market strategies; corporate secrets, IP, R&D; business operations; personnel information
  Impact: Loss of market share; erosion of corporate confidence; national security impact

Adversary: Organized Crime
  Motives: Immediate financial gain; collect information for future financial gains
  Targets: Financial/payment systems; personally identifiable information; payment card information; protected health information
  Impact: Costly regulatory inquiries and penalties; consumer and shareholder lawsuits; loss of consumer confidence

Adversary: Hacktivists
  Motives: Influence political and/or social change; pressure business to change their practices
  Targets: Corporate secrets; sensitive business information; information related to key executives, employees, customers & business partners
  Impact: Disruption of business activities; brand and reputation; loss of consumer confidence

Adversary: Nation State
  Motives: Economic, political, and/or military advantage
  Targets: Trade secrets; sensitive business information; emerging technologies; critical infrastructure
  Impact: Loss of competitive advantage; disruption to critical infrastructure
Reality: It takes a village. Breach response is more than a technical problem with a technical solution.
[Figure: Cyber crisis management team]
Core Team: Team Leader, Support Team
Stakeholders: Privacy, Legal, IT, Finance, Sr. Executives
Investigative team: Technical Lead, Info. Security, BU SME
Cyber incident management team
External counsel
External service providers: public relations, breach notification, credit monitoring, fraud mitigation, monitoring of the criminal underground
Law enforcement & government regulators
Threats actors are organized, funded and targeted; you should be too.
Data Breach and Privacy Incident Life Cycle
[Figure: support area involvement across the lifecycle phases]
Lifecycle phases: Risk Assessment; Develop Program; Detection; Incident Response; Notification/Media; Remediation; Post Mortem/Strategy
Support areas involved: Privacy; Legal; Incident Response; Internal Audit; BU SME/Leadership; Information Security; Compliance; IT
Learning from each other is critical in building and maintaining an effective program.
Incident lifecycle: Risk Assessment
  Leading practice: Ongoing assessment of internal and external privacy and security threats; policies and procedures that are current, communicated, and followed
  Common pitfalls: Non-existent, incomplete, or outdated data inventory, including third parties; no process for consistent threat analysis

Incident lifecycle: Develop Program
  Leading practice: Cross-stakeholder, multi-disciplinary effort; process for program training and awareness, communication, and maintenance; controls aligned with threats from risk assessment and a selected framework; design privacy and security into products and systems
  Common pitfalls: Minimal senior leadership involvement and lack of governance structure and processes; focus solely on regulatory compliance

Incident lifecycle: Detection
  Leading practice: Automation, risk based tuning/correlation; process for managing privacy and security concerns raised by employees and consumers
  Common pitfalls: Not understanding data flow

Incident lifecycle: Incident Response
  Leading practice: Testing that includes all stakeholders and external providers; inventory of breach notification laws/regulations
  Common pitfalls: Lack of clarity around roles and responsibilities; limited forensic capabilities or trusted partner

Incident lifecycle: Notification/Media
  Leading practice: Template media notice/pre-defined public relations process
  Common pitfalls: Notification prior to completion of full analysis

Incident lifecycle: Remediation/Post Mortem/Strategy
  Leading practice: Strategic versus tactical focus and approach
  Common pitfalls: Limited involvement from internal audit/compliance
Myth #7
You are [insert regulation here] compliant, and you have privacy notices, so you are all set.
Reality: There is much more at stake than compliance. Key drivers for data protection & privacy:
Key drivers: Legal Requirements; Reputation/Brand; Competitive Advantage; National Security; Contractual Requirements; Shareholder Value/Financial

• Proprietary Business Information: intellectual property, pricing & sales/marketing strategy, sourcing strategy
• Personally Identifiable Information: name, age, identification numbers, home or e-mail address, income or physical characteristics; opinions
• Sensitive Personal Information: information on medical or health conditions, financial information (including credit cards), racial or ethnic origin
• Business Customer Information: franchisee information, customer sensitive information (financial, IP, etc.)
Myth #8
“There’s an App for that!”
Reality: There is no silver bullet. A comprehensive data protection & privacy program is required.
[Figure: program components] Data and Vendor Inventory; Accountability and Governance; Vendor Management; Process and Controls; Incident Management and Response; Training and Awareness; Monitoring and Auditing; Risk and Compliance Assessment; Data
Thank you!
Carolyn Holcomb Partner, National Data Protection & Privacy Leader [email protected] (678) 419-1696
Emily Stapf Director, Forensic Technology [email protected] (703) 868-0269
© 2014 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each
member firm is a separate legal entity. Please see www.pwc.com/structure for further details.
The information contained in this document is shared as a matter of courtesy and for information or interest only. PwC has exercised reasonable
professional care and diligence in the collection, processing, and reporting of this information. However, data used may be from third-party sources and PwC
has not independently verified, validated, or audited such data. PwC does not warrant or assume any legal liability or responsibility for the accuracy,
adequacy, completeness, availability and/or usefulness of any data, information, product, or process disclosed in this document; and is not responsible for
any errors or omissions or for the results obtained from the use of such information. PwC gives no express or implied warranties, including, but not limited to,
warranties or merchantability or fitness for a particular purpose or use. In no event shall PwC be liable for any indirect, special, or consequential damages in
connection with use of this document or its content. Information presented herein by a third party is not authored, edited or reviewed by PwC and PwC is not
endorsing third parties or their views. Reproduction of this document or recording of its presentation, in whole or in part, in any form, is prohibited except with
the prior written permission of PwC. Before making any decision or taking any action, you should consult a competent professional adviser.