8/14/2019 Business Considerations for Cyber Security
A BRIEFING FOR THE
WASHINGTON CAMPUS
GREG GARCIA
GARCIA STRATEGIES, LLC
MAY 13, 2009
02/22/10
Homeland Security:
Business as a Target
Garcia Strategies, LLC
Cyber Security: What Are We Talking About?
CYBER CRIME IS BIG BUSINESS
Computers
Communications
E-Commerce
Online Banking
Stock Transactions
Electricity Generation and Distribution
Transportation Systems
and everything we do:
IS VULNERABLE TO CYBER ATTACK
Cyber Security: What Are We Talking About?
SUCH AS:
Viruses: often sent through spam email, requiring human click
Worms: sent through email and web pages, not requiring human click
Trojans: malicious programs disguised as legitimate
Denial of service attacks
Botnets
Control systems attacks
Why Should You Care?
In the last five years, approximately 500 million records containing personal identifying information of United States residents stored in government and corporate databases were either lost or stolen.
Loss of existing customers; difficulties in acquiring new ones
Loss of intellectual property
Loss of R&D data, including product designs, road maps
Brand name and corporate image damage
Negative impact on competitive position
Loss of market share
Potential lawsuits and class actions
Penalties for non-compliance with rules and regulations
Loss of productivity due to downtime, investigations, damage control
Losses
Ponemon Institute survey:
Average total cost per reporting company was more than $6.6 million per breach ($613k - $32m)
Lost business was the most costly effect of a breach, averaging $4.59 million or $139 per record compromised
44 percent of respondents reported breaches by third-party organizations such as outsourcers, contractors, consultants, and business partners
Examples
Security firm Finjan uncovered one of the largest bot networks controlled by a single cybergang, with 1.9 million infected zombie computers using Windows XP and instructed to copy files, record keystrokes, send spam, and take screenshots. The criminals operating the botnet can make as much as $190,000 in one day renting out the zombies to others.
The 2007 cyberattacks on the retailers Marshalls and TJ Maxx (TJX Companies) will result in an estimated $500 million in costs, including litigation fees and government fines.
In January 2008, data broker ChoicePoint agreed to pay $10 million to settle a class-action lawsuit brought against it over the 2004 theft of 163,000 personal information records by a ring of Nigerian identity thieves.
The computer network of Hannaford supermarkets was breached in December 2007, resulting in 4.2 million credit and debit card numbers being exposed, of which several thousands were subjected to fraud.
What Do You Do About It?
Cyber Security is Everyone's Responsibility
CEO
CFO
CMO
General Counsel
Investor Relations
Communications
Operations
What Do You Do About It?
Hire a CISO
Inventory your IT assets and assess vulnerabilities
Develop a security policy
Train your people and enforce the policy
Use a third party auditor to test your policy implementation
Review your vulnerability assessment
Adjust your policy, refresh technology, more training
Wash, Rinse, Repeat
What You Need to Ask
LEGAL COUNSEL
Have we analyzed our liabilities
What legal rules apply to data collection and storage
Potential for class action and shareholder suits
What terms and conditions for cyber security have we included in contracts
Different state rules
What You Need to Ask
COMPLIANCE OFFICER
Regulatory compliance
What regulated data do we have
Regulatory risk with vendors and other business partners
Have we documented our procedures
Policies and process promulgated, understood, and enforced?
Privacy policy compliance
What You Need to Ask
BUSINESS OPERATIONS
Characterize vulnerabilities: confidentiality, integrity, availability
Business continuity planning: how long till we're back up and running if breached or DDOS
Proper staffing
What is assessment of physical security controls on our network sites and data centers
What You Need to Ask
RISK MANAGER FOR CORP INSURANCE
What does cyber risk insurance cover?
What types of events?
What are known losses for actuarial data?
Where to Go for Help and to Share
http://www.us-cert.gov/
https://www.it-isac.org/
http://www.fsisac.com/
http://www.ftc.gov/bcp/edu/microsites/idtheft/
DISCUSSION
THANK YOU
Greg Garcia
443-510-8641