Today every company is an IT company: regardless of industry, they hold valuable data and technology assets, and cyber attacks can come from any sector. Boards and executive teams are now being held accountable for preparation and action plans. Five steps for the board.
Seattle Biz-Tech Summit 10-2015 CyberSecurity and the Board
1. Privileged and Confidential Information Twitter:@RevInnovator
CyberSecurity
Five Ways for Boards to Prepare
October 2015
2. The Last Year of High Profile Breaches
• 11,000,000 (bank accounts, Social Security numbers)
• 80,000,000 (Social Security numbers, email addresses, physical addresses)
• 47,000 (proprietary info, employee info)
• 109,000,000 (credit cards, email addresses)
• 83,000,000 (email addresses, physical addresses)
• 145,000,000 (email addresses, physical addresses, login credentials)
• 110,000,000 (credit card numbers)
Source: Bloomberg.com - A Quick Guide to the Worst Corporate Hack Attacks
3. High Profile Firings: Not Just IT
• Mailroom Employee – Highmark
• MDF Transcription – Boston Medical Group
• Two hospital workers – Georgia Hospital
• “Terrific Employee” – Goold Health System
• Target CIO – Beth Jacobs
• Maricopa County Community College District – Miguel Corozo
• The Texas State Comptroller's office – Susan Combs
• Target CEO – Gregg Steinhafel
• The Utah state Department of Technology Service
4. “A primary responsibility of every board is to secure the future of the organization.”
- Tom Horton – Boards & Directors
5. The New Normal
• Every company is an IT Company
• Every company is a Big Data Company
• BYOX will continue to grow
• Most security is perimeter security
• ~25% of HIPAA breaches involve a trusted partner
– That number is poised to increase as business associates are now liable under the new HIPAA rule
6. Top Three Industry Breaches

Industry      Number of Incidents                     Confirmed Data Loss
              Total     Small    Large    Unknown     Total   Small   Large   Unknown
Public        50,315    19       49,596   700         303     6       241     56
Information   1,496     36       34       1,426       95      13      17      65
Financial     642       44       177      421         277     33      136     108

Dollar loss is difficult to calculate.
Boards and Executives care about business impact.
8. 30 years later: Why do Companies still #Fail?
• Security and Compliance are treated as “IT problems” and not as core Business Operations
• Security spend is perceived as a burden expense
– Consider it in the same way as your Accounting function
• Most compliance and security needs primarily address the complex internal IT requirements
– Governance, human and wider partner network vulnerabilities are lightly considered
9. According to a 2014 Verizon Report, only 10% of Merchants/Service Providers were fully compliant with PCI DSS 2.0 standards*
*Verizon 2014 PCI Compliance Report - http://www.verizonenterprise.com/pcireport/2014/
Compliance ≠ Security!
10. Five Mandates for the Board
• Understanding
– What are the risks?
– Chain of trust?
– Do they understand Cyber?
• People
– Are the right people in place?
– Do they have the resources they need?
– Do they understand the company's strategic risks?
• Process
– Is there a breach response plan?
– Do you have partners ready to support?
– How often is it tested?
• Technology
– Cyber-risk is not an IT problem.
– IT is one of the enablers
• Preparedness
– Is business continuity ready?
– Is it tested?
– Are out-of-band methods in place?
12. Example of a Prepared Team
April 2014: A Dutch teenage girl sends a “prank” tweet threatening American Airlines. American Airlines’ response was direct and got media airplay.
@QueenDemetriax_ tweeted: “@AmericanAir hello my name's Ibrahim and I'm from Afghanistan. I'm part of Al Qaida and on June 1st I'm gonna do something really big bye.”
@AmericanAir tweeted: “@QueenDemetriax_ Sarah, we take these threats very seriously. Your IP address and details will be forwarded to security and the FBI.”
13. Five Questions for Executives and Boards
• Is an up-to-date security framework in place?
• Does a breach response plan exist?
• How much does (cyber) insurance cover?
• Are both internal and external (partner) resources considered?
• Do employees understand their role in relation to company security?
15. NACD Five Principles
1. Cyber security is an enterprise-wide risk management issue, not just an IT problem.
2. Address the serious legal consequences of cyber risks.
3. Cyber security must be addressed with professionals and given board-level priority.
4. Directors must advise management to take all steps necessary to comprehensively address cyber risk with personnel and resources.
5. Determine how your organization would deal with a breach and whether liability can be addressed via insurance.