Cyber Security 101: What Your Agency Needs to Know

PR Council's Genome Series Webinar on Cyber Security 101 for Agencies.


  1. PROPRIETARY & CONFIDENTIAL. March 4, 2010 Affect Strategies. CYBER SECURITY 101: What Your Agency Needs to Know. PR Council Genome Series, May 4, 2017.
  2. PRESENTERS
     •  Sandra Fathi, President, Affect; PR Council Board Member; sfathi@affect.com; @sandrafathi
     •  Simon Russell, Managing Partner, BeCyberSure; simonr@becybersure.com
     •  Vince L. Martinez, Partner, K&L Gates LLP; Vince.martinez@klgates.com
  3. AGENDA
     I.   Cyber Security 101: What you need to know about cyber security and threats in an agency environment
     II.  Legal Ramifications: Cyber security and the law, the agency's responsibilities and liabilities
     III. Crisis Communications: When it happens to you, a plan of action
  4. DEFENDING ENTERPRISE INTEGRITY: Making InfoSec Part of the Culture. Simon Russell, Managing Partner, BeCyberSure North America
  5. Defending Enterprise Integrity: What is "Cyber Security"?
     •  The process of applying security measures to ensure confidentiality, integrity, and availability of data
     •  Essentially, protection against cyber risk
     What is "Cyber Risk"?
     •  "Cyber risk" means any risk of financial loss, disruption or damage to the reputation of an individual or organization from some sort of failure of their information technology systems
  6. All organizations are susceptible to both internal and external attacks.
  7. Defending Enterprise Integrity: IT'S ALL TOO EASY

     Method                                 | Problem                                                                        | Solution
     Wireless hotspots, Bluetooth + mobile  | Subject to man-in-the-middle attacks                                           | Public Wi-Fi / VPN
     Printers                               | Log-in details are recorded                                                    | Default password
     Invoice processing + payroll           | Payment redirection, conveyancing, payroll interception, loss of PII           | Policies and procedures (Friday afternoon syndrome)
     Phishing + ransomware                  | Loss of data / access                                                          | Training
     The cloud!                             | Lack of control                                                                | Use 2FA and encryption

  8. The Value of a Hacked Email Account (graphic)
  9. The Value of a Hacked PC (graphic)
  10. EXCUSES FOR NOT ADDRESSING CYBER (Defending Enterprise Integrity)
     •  "I'm too small": usually an easier target
     •  "Nothing worth stealing": all data has value, or you could be a stepping stone
     •  "My type of business is not a target": every organization is of interest to the criminal; they do not discriminate
     •  "I don't handle money": not the point; there are other assets to steal
     •  "I outsource IT, payments, etc.": you are still responsible; the responsibility is not outsourced
     •  "Someone else will pay if something goes wrong (e.g. banks, insurance)": not any more!
  11. Timespan of events by % of web app breaches (Source: 2014 Verizon Data Breach Investigations Report; © 2015 Optimal Risk and its partners/affiliates. All rights reserved.)

                    Secs   Mins   Hrs   Days   Weeks   Months   Years
     Compromise     19%    42%    12%   23%    0%      5%       1%
     Exfiltration   3%     27%    21%   21%    18%     9%       0%
     Discovery      0%     3%     11%   17%    16%     41%      11%
     Containment    0%     2%     5%    42%    22%     29%      0%

     •  In 50% of breaches, data is stolen in hours
     •  41% of breaches are not discovered for months
     Be Very Worried:
     •  40% of companies experienced a data breach
     •  61% of espionage is not discovered for months
     •  More than 50% of companies do NOT conduct security testing
     •  38% of companies are not capable of resolving an attack
     •  51% increase of companies reporting >$10M loss
     •  34% of companies do not know if/how
  12. Hidden Costs of a Breach (Defending Enterprise Integrity; graphic)
  13. Defending Enterprise Integrity: Think Human, NOT Cyber
     PEOPLE, not devices
     •  Majority of breaches occur due to human error
     •  Training and awareness: change the culture
     SECURITY over compliance
     •  Whilst there is no avoiding compliance, approaching security as a box-checking exercise is a huge mistake. If you are secure and up to best practices for NIST or CIS, for example, you will be compliant with most regulators' requirements.
  14. Defending Enterprise Integrity: What Steps Should You Take?
     •  Info security audit to expose holes in architecture; focus on what data you have and where it sits.
     •  Policies and procedures
     •  Social engineering testing, i.e. phishing
     •  Ongoing penetration testing
     •  Staff training
     •  System monitoring
     •  Think about 3rd party risks
  15. Defending Enterprise Integrity: THINK… SECURITY, NOT COMPLIANCE. HUMAN, NOT CYBER.
  16. Regulatory and Legal Considerations
  17. Basic Incident Response Steps
     •  Recognize the occurrence of an incident.
     •  Notify and assemble the incident response team to begin the investigation.
     •  The internal team can include IT, Security, HR, Counsel, Compliance, business heads and IR.
     •  The external team can include outside counsel, technological consultancies and crisis management / public relations firms.
     •  Identify and fix (or contain) the technological issue.
     •  Determine any legal obligations and comply.
     •  Determine if any public reporting obligations exist.
     •  Communicate with the public as appropriate.
     •  Eradicate remnants of the security incident and recover business operations.
  18. Data Breach Notification Requirements
     •  The primary consideration is the exposure of personally identifiable information (PII).
     •  All states except AL and SD require companies to notify affected individuals when their PII has been compromised.
     •  There are variances in notification laws and the types of data considered PII.
     •  Most states require notice as soon as reasonably possible; a few require notice within 30 to 45 days of discovery.
     •  Certain federal laws, such as HIPAA and GLBA, require companies to notify affected individuals.
     •  Certain federal regulators, including the FTC and FCC, are active within their jurisdictions.
     •  Breach notification can also be a function of contract, which should be known before an incident occurs.
  19. Notifying Law Enforcement
     •  Relevant federal law enforcement agencies include the FBI and the Secret Service.
     •  The Department of Justice has issued guidance for interacting with federal law enforcement authorities in the wake of a cybersecurity event: https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/04/30/04272015reporting-cyber-incidents-final.pdf
     •  State Attorneys General may also be required to be notified.
     •  It is a best practice to have pre-established contacts with law enforcement before an event.
     •  Remember that law enforcement has different goals than you when responding to a cybersecurity event, and the logistics and possible issues surrounding law enforcement involvement should be understood beforehand.
  20. Public Company Reporting Obligations
     •  The SEC's Division of Corporation Finance offered guidance in 2011: https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
     •  The guidance gives context to materiality in several parts of periodic reports.
     •  Some incidents may be described generally in quarterly and annual filings.
     •  Filing a Form 8-K is most appropriate for events of immediate material consequence to investors.
     •  The SEC has not yet brought an enforcement action for inadequate cybersecurity disclosure, but has frequently indicated its interest in doing so.
  21. Recent Regulatory Developments
     •  The New York Department of Financial Services recently implemented regulations for certain financial institutions: http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf
        •  Affects both businesses registered under the New York Banking, Insurance and Financial Services Laws, as well as certain third parties that service those businesses.
        •  Contains specific technological measures required of covered entities.
     •  The Colorado Division of Securities recently proposed enhanced cybersecurity measures for broker-dealers and investment advisers: https://drive.google.com/file/d/0BymCt_FLs-RGUWl5c3lDUVlzeDg/view
        •  Specifies what measures firms should consider in order to have "written procedures reasonably designed to ensure cybersecurity."
     •  Takeaway: more regulators are beginning to list specific measures required.
  22. Consequences of a Cyber Incident
     •  Major damage to the company's operations, customer loyalty, reputation and financial results.
     •  Litigation, settlement, repair and remediation costs in recent cases have reached into the tens of millions of dollars, including:
        •  Example: Target; breach-related costs approaching $180 million per latest Form 10-K.
        •  Shareholder derivative actions, including against directors
        •  Customer class actions
        •  Litigation with (former) business partners
        •  Regulatory investigations, actions and remediation oversight
        •  Example: FTC v. Wyndham Worldwide Corp. Inadequate or misleading data security protections can be charged as unfair and deceptive trade practices.
        •  Activist investor campaigns
  23. Roles for Outside Counsel
     •  Extend attorney-client privilege to response advice.
     •  Extend work product protection to investigative documentation.
     •  Hire other third parties as agents of the legal engagement.
     •  Establish contact with law enforcement.
     •  Identify likely regulators and applicable standards and guidance.
     •  Identify legal and contractual obligations to notify or report.
     •  Ensure legal accuracy of public statements.
  24. SCALE OF THE ISSUE (Affect)
  25. WHY DO AGENCIES THINK THEY ARE IMMUNE?
  26. WHAT'S THE SCENARIO?
     •  Scenario #1: A reporter tweets that they've broken a story about your data breach; you were unaware that the press was aware.
     •  Scenario #2: IT department detects a breach and informs the PR department that it has been mitigated.
     •  Scenario #3: The FBI calls to tell you that they are investigating your data breach.
     •  Scenario #4: The IT department reports a breach to PR, but has no idea how large it is or what the total impact will be.
     •  Scenario #5: A hacker threatens to release your client's data if you don't pay $100,000 in Bitcoin.
     You need a plan, and you needed it yesterday.
  27. THE THREAT IS REAL
     •  The Element of Surprise: breaches are often leaked to the media before full investigations are complete
     •  Under Pressure: customers, media, employees etc. demand information
     •  The Gift that Keeps on Giving: data breach incidents tend to have more than one news cycle
     •  Social Media Wildfire: false information spreads quickly on sites like Twitter, Facebook and LinkedIn
     If you are prepared for data breach response, you have a better chance of controlling your message and preserving your reputation.
  28. CRISIS COMMUNICATIONS CORE CONCEPTS: 4 Phases of Crisis Communications
     1.  Readiness
     2.  Response
     3.  Reassurance
     4.  Recovery
  29. PHASE 1: READINESS (PREVENTATIVE MEDICINE): Anticipating a Crisis
     1.  Crisis Mapping (SWOT Analysis)
     2.  Policies and Procedures (Prevention)
     3.  Crisis Monitoring
     4.  Crisis Communications Plan
     5.  Crisis Action Plan
     6.  Crisis Standard Communications Template
  30. THREAT MAPPING / RISK ASSESSMENT: Anticipating & Understanding Threats to a Business (People, Products, Facilities, Environment, Information)
     Internal:
     •  Employees
     •  Facilities
     •  Vendors/Suppliers
     •  Distributors/Resellers
     •  Product
     External:
     •  Acts of Nature
     •  Market
     •  Legal Restrictions/Law
     •  Customers
     •  Advocacy Groups
  31. INFORMATION THREATS: What's in your files?
     1.  HR: name, address, Social Security number
     2.  Payroll: name, address, Social Security number & bank account
     3.  Customer: name, address, credit card & bank account
     4.  Vendor: name, address, credit card & bank account
     5.  Other: medical records, demographic information, email, file servers etc.
  32. CRISIS COMMUNICATIONS: ANTICIPATING THREATS. Create a chart of potential informational threats to your business (HR, Sales, Marketing, Finance) and rank order from high risk to low risk.
  33. CRISIS TOOLKIT: RESPONSE RESOURCES
     1.  Develop materials:
        •  Messages/FAQ
        •  Prepared statements
        •  Press release template
        •  Customer letters
     2.  Train employees:
        •  Awareness
        •  Anticipation
        •  Organizational preparation
     3.  Prepare channels:
        •  Hotline
        •  Dark site
        •  Social media
     4.  Data breach / customer assistance resources:
        •  Microsite/landing page FAQ
        •  Identity theft remediation services
        •  Force password/account information change
        •  Special customer advocate/team
  34. IMMEDIATE ACTION BEST PRACTICES: Preparing a Response
     1.  Don't delay
     2.  Acknowledge the situation
     3.  Acknowledge impact and 'victims'
     4.  Commit to investigate
     5.  Commit to sharing information and cooperation with relevant parties
     6.  Share corrective action plan if available
     7.  Respond in the format in which the crisis was received**
  35. RESPONSE OUTLINE: CRITICAL INFORMATION. Prepare a template crisis response:
     1.  What happened?
     2.  What do we know about it?
     3.  Who/what was impacted?
     4.  How do we feel about it? (How should we feel?)
     5.  What are we going to do about it?
     6.  When are we going to do it?
     7.  When/how will we communicate next?
  36. CUSTOMER COMMUNICATION: Notice of Data Breach
     1.  Introduction: why are we contacting you?
     2.  What happened?
     3.  What information was compromised?
     4.  What are we doing to remedy the situation?
     5.  What can you do to prevent/mitigate further risk?
     6.  Where can you find more information?
  37. BREACH NOTIFICATION SAMPLES
  38. PHASE 3: REASSURANCE (DOSE OF MEDICINE): Who to reassure? How to reassure?
     1.  Develop full response plan
     2.  Put plan into action: immediate remedy
     3.  Communicate results of plan and impact
     4.  Reaffirm commitment to correction
     5.  Demonstrate results of program
  39. PHASE 4: RECOVERY (LONG-TERM TREATMENT PLAN): Rebuilding reputation, trust and customer loyalty; implementing preventative measures for long-term crisis mitigation and/or prevention
     1.  Review need for operational, regulatory, environmental and employee changes
     2.  Develop long-term plan including policies and prevention tactics
     3.  Reassess crisis plan
     4.  Regain customer/public trust
  40. 10 KEY TAKEAWAYS: CRISIS COMMUNICATIONS FOR DATA BREACHES (1 of 2)
     1.  Implement policies to address potential vulnerabilities
     2.  Establish a regular review cycle for information security
     3.  Establish inter-departmental cooperation
     4.  Establish a framework for response
     5.  Build a data breach crisis toolkit
  41. 10 KEY TAKEAWAYS: CRISIS COMMUNICATIONS FOR DATA BREACHES (2 of 2)
     6.  Know where & how to respond
     7.  Prepare your employees in advance
     8.  Establish assistance services for those impacted
     9.  Know the law regarding reporting in all regions of operations
     10. Be honest, be transparent
  42. RESOURCES. White Paper: Crisis Communications in the Social Media Age. Download at: Affect.com
  43. Thank you. Slides available: Slideshare.net/sfathi
     •  Sandra Fathi, President, Affect; PR Council Board Member; sfathi@affect.com; @sandrafathi
     •  Simon Russell, Managing Partner, BeCyberSure; simonr@becybersure.com
     •  Vince L. Martinez, Partner, K&L Gates LLP; Vince.martinez@klgates.com
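The audit step on slide 14 ("focus on what data you have and where it sits"), the file categories on slide 31 and the departmental ranking chart on slide 32 all depend on actually finding where Social Security and card numbers live on the agency's file shares. The following is an added example, not code from the webinar or from any of the presenters' firms: a small Python scanner that reads text files, matches formatted SSN and 13-19 digit card-number patterns, discards obvious false positives (SSN areas and groups the SSA never issues, numbers that fail the Luhn check) and tallies the hits per top-level folder, which gives the high-to-low ranking slide 32 asks for. The sample files are constructed test data embedded in the script; on a real share, call scan_directory() on the root instead. Pattern matching is an audit aid, not proof of absence: unformatted nine-digit SSNs, numbers split across cells and binary documents (Office, PDF) are not covered here.

```python
"""PII inventory scanner: where do SSNs and card numbers actually sit?

Added example, not code from the webinar. Detection is pattern-based plus
plausibility checks (SSA area/group rules, Luhn), which removes the obvious
false positives but still makes this an audit aid, not proof of absence.
"""
from __future__ import annotations

import os
import re
from collections import defaultdict
from typing import Iterator, NamedTuple


class Finding(NamedTuple):
    path: str   # file the hit was found in
    kind: str   # "ssn" or "card"
    value: str  # matched text, as it appeared in the file


# Formatted SSN (AAA-GG-SSSS) and a 13-19 digit run with optional space/dash separators.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999, all-zero group or serial."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def scan_text(path: str, text: str) -> Iterator[Finding]:
    """Yield plausible SSN and card-number hits found in one file's text."""
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            yield Finding(path, "ssn", m.group(0))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            yield Finding(path, "card", m.group(0))


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: text} mapping (used for the constructed sample below)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def scan_directory(root: str) -> list[Finding]:
    """Walk a real directory tree; undecodable bytes are skipped rather than raising."""
    findings: list[Finding] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(os.path.relpath(full, root), fh.read()))
    return findings


def summarize(findings: list[Finding]) -> dict[str, dict[str, int]]:
    """Count hits per top-level folder (department) and kind, highest total first."""
    counts: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in findings:
        dept = f.path.split("/", 1)[0]
        counts[dept][f.kind] += 1
    ranked = sorted(counts.items(), key=lambda kv: -sum(kv[1].values()))
    return {dept: dict(kinds) for dept, kinds in ranked}


# Constructed sample "share": made-up test data standing in for a real file server.
SAMPLE_FILES = {
    "hr/employees.csv": "name,address,ssn\nJane Doe,1 Main St,078-05-1120\n",
    "finance/payments.txt": "card 4111 1111 1111 1111 charged on 2017-05-04\n",
    "marketing/notes.txt": "ref 1234-5678-9012 is not a card; 000-12-3456 is not a valid SSN\n",
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for f in hits:
        print(f"{f.path}: {f.kind} {f.value}")
    print(summarize(hits))
```

On the constructed sample the scanner reports one SSN under hr/ and one card number under finance/, and nothing under marketing/, where the 12-digit reference and the 000-area SSN are rejected. The two plausibility checks matter: without Luhn, invoice and tracking numbers swamp the card hits, and without the SSA area rules, any 3-2-4 formatted number counts. Treat the per-department totals as the first column of the slide 32 chart, then walk the top folders by hand before ranking.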