
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to Manage Cyber Risk



Shawn Tuma delivered this presentation on April 9, 2019, at the Oklahoma State University 4th Annual Cyber Security Conference in Oklahoma City, Oklahoma.

In twenty years of practicing cyber law, Shawn Tuma has seen a multitude of cybersecurity and data breach cases that have helped him understand the real-world risks companies face and the practical things they can do to prioritize their resources and effectively manage cyber risk. In this presentation, he will share his experience on issues such as:
· Why cybersecurity is an overall business risk issue that must be properly managed to comply with laws and regulations
· Why strategic leadership is critical in cybersecurity
· Why teams are critical for cybersecurity and how personalities and psychology can impact that team
· The most likely real-world risks that most companies face
· How to prioritize limited resources to effectively manage the most likely real-world risks
· What is reasonable cybersecurity
· How to develop, implement, and mature a cyber risk management program
· Why cyber insurance is a critical component of the cyber risk management process



Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to Manage Cyber Risk

  1. Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to Manage Cyber Risk
     Shawn Tuma, Co-Chair, Cybersecurity & Data Privacy, Spencer Fane LLP | spencerfane.com | @spencerfane | @shawnetuma
  3. Laws and regulations
     • Types
       – Security
       – Privacy
       – Unauthorized access
     • International laws
       – GDPR
       – Privacy Shield
       – China’s Cybersecurity Law
     • Federal laws and regulations
       – FTC, SEC, HIPAA
     • State laws
       – All 50 states
       – Privacy (50) + security (20+)
       – NYDFS, Colo FinServ, CaCPA
     • Industry groups
       – PCI
       – FINRA
     • Contracts
       – 3rd-party business associate
       – Privacy / data security / cybersecurity addendum
  4. Cybersecurity is no longer just an IT issue; it is an overall business risk issue.
  5. Common objections
     1. We are not a large company
     2. Our data is not that valuable
     3. We have an “IT Guy”
     4. We have an “IT Company”
     5. We have cyber insurance
  11. Cyber attacks against SMBs
      SMB: small and medium-size business (1 to 1,000 employees)
      • Cyber attacks in 2018: 61% → 67%
      • Data breaches in 2018: 54% → 58%
      Source: Ponemon Institute LLC, 2018 State of Cybersecurity in Small & Medium Size Businesses Report (sponsored by Keeper Security, Inc.)
  12. Most Likely Real-World Risks Most Companies Face
  13. Is it really always the Russians?
      • 63% of confirmed breaches came from weak, default, or stolen passwords
      • Data is lost over 100x more often than it is stolen
      • Phishing is the method used most to install malware
      Easily avoidable incidents: 91% in 2015, 91% in 2016, 93% in 2017
  14. Cyber attacks against SMBs (chart)
      Source: Ponemon Institute LLC, 2018 State of Cybersecurity in Small & Medium Size Businesses Report (sponsored by Keeper Security, Inc.)
  15. Common cybersecurity best practices
      1. Risk assessment.
      2. Policies and procedures focused on cybersecurity.
         – Social engineering, passwords, security questions
      3. Training of all workforce on policies and procedures, then security.
      4. Phish all workforce (especially leadership).
      5. Multi-factor authentication.
      6. Signature-based antivirus and malware detection.
      7. Internal controls / access controls.
      8. No outdated or unsupported software.
      9. Security patch update management policy.
      10. Backups: segmented, offline, cloud, redundant.
      11. Incident response plan.
      12. Encrypt sensitive data and air-gap hypersensitive data.
      13. Adequate logging and retention.
      14. Third-party security risk management program.
      15. Firewall, intrusion detection and prevention systems.
      16. Managed services provider (MSP) or managed security services provider (MSSP).
      17. Cyber risk insurance.
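Slides 13 and 15 together make a practical point: most incidents come from a short list of avoidable gaps (default or weak passwords, no MFA, unpatched or unsupported systems, untested backups, thin logs), and a company with limited resources should find and rank those gaps before buying anything. The script below is an added example, not part of the presentation or the speaker's own material. It audits a constructed inventory of hosts, accounts and backups against several items on the best-practices list and ranks the findings by exposure (admin accounts and internet-facing hosts score higher). Every host name, account, password, product and threshold in it is made up for illustration; the thresholds (30-day patch window, 7-day offline backup, 90-day log retention, 12-character minimum) are assumptions to replace with your own policy.

```python
"""Control-gap audit over a constructed inventory.

Added example (not from the presentation). Checks hosts, accounts and
backups against several of the listed practices and ranks the gaps so
limited resources go to the most likely real-world risks first. All
names, passwords, products and thresholds are made up.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, NamedTuple, Optional

# Constructed list of defaults a scanner (or an attacker) would try first.
DEFAULT_PASSWORDS = {"admin", "password", "welcome1", "changeme", "123456"}
# Constructed list of products past vendor support; build yours from your inventory.
UNSUPPORTED_OS = {"Windows Server 2008", "Windows 7"}
MAX_PATCH_AGE_DAYS = 30          # assumed policy thresholds
MAX_OFFLINE_BACKUP_AGE_DAYS = 7
MIN_LOG_RETENTION_DAYS = 90
MIN_PASSWORD_LENGTH = 12
AS_OF = date(2019, 4, 9)         # audit date used by the sample run


@dataclass
class Host:
    name: str
    os: str
    last_patched: date
    internet_facing: bool
    log_retention_days: int


@dataclass
class Account:
    user: str
    host: str
    password: str
    mfa: bool
    admin: bool


@dataclass
class Backup:
    last_offline_copy: date
    last_restore_test: Optional[date]


class Finding(NamedTuple):
    score: int      # 1-10, higher means fix first
    control: str    # which item on the best-practices list it maps to
    detail: str


def weak_password_reason(password: str) -> Optional[str]:
    """Return why a password is weak, or None if it passes the simple checks."""
    if password.lower() in DEFAULT_PASSWORDS:
        return "default/common password"
    if len(password) < MIN_PASSWORD_LENGTH:
        return f"shorter than {MIN_PASSWORD_LENGTH} characters"
    return None


def audit(hosts: List[Host], accounts: List[Account], backup: Backup, today: date) -> List[Finding]:
    """Score every gap; exposure (admin account, internet-facing host) raises the score."""
    findings: List[Finding] = []
    for a in accounts:
        reason = weak_password_reason(a.password)
        if reason:
            findings.append(Finding(9 if a.admin else 6, "default/weak password", f"{a.user}@{a.host}: {reason}"))
        if not a.mfa:
            findings.append(Finding(8 if a.admin else 5, "no MFA", f"{a.user}@{a.host}"))
    for h in hosts:
        if h.os in UNSUPPORTED_OS:
            findings.append(Finding(9 if h.internet_facing else 6, "unsupported software", f"{h.name}: {h.os}"))
        patch_age = (today - h.last_patched).days
        if patch_age > MAX_PATCH_AGE_DAYS:
            findings.append(Finding(7 if h.internet_facing else 4, "missing patches", f"{h.name}: {patch_age} days since last patch"))
        if h.log_retention_days < MIN_LOG_RETENTION_DAYS:
            findings.append(Finding(4, "log retention", f"{h.name}: only {h.log_retention_days} days kept"))
    offline_age = (today - backup.last_offline_copy).days
    if offline_age > MAX_OFFLINE_BACKUP_AGE_DAYS:
        findings.append(Finding(8, "offline backups", f"last offline copy is {offline_age} days old"))
    if backup.last_restore_test is None:
        findings.append(Finding(7, "offline backups", "restore has never been tested"))
    # Stable sort: equal scores keep the order in which they were found.
    return sorted(findings, key=lambda f: -f.score)


def sample_inventory():
    """Constructed inventory; none of these systems or people exist."""
    hosts = [
        Host("web01", "Ubuntu 18.04", date(2019, 3, 1), internet_facing=True, log_retention_days=30),
        Host("fileserver", "Windows Server 2008", date(2019, 4, 1), internet_facing=False, log_retention_days=180),
        Host("hr-laptop", "Windows 10", date(2019, 4, 5), internet_facing=False, log_retention_days=90),
    ]
    accounts = [
        Account("administrator", "fileserver", "Password", mfa=False, admin=True),
        Account("jsmith", "hr-laptop", "correct horse battery staple", mfa=True, admin=False),
        Account("deploy", "web01", "Welcome1", mfa=False, admin=False),
    ]
    backup = Backup(last_offline_copy=date(2019, 2, 1), last_restore_test=None)
    return hosts, accounts, backup


def sample_findings() -> List[Finding]:
    """Run the audit over the constructed inventory as of AS_OF."""
    hosts, accounts, backup = sample_inventory()
    return audit(hosts, accounts, backup, AS_OF)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"[{f.score}] {f.control:<22} {f.detail}")
```

The ranking is deliberately crude: a handful of exposure multipliers, not the full "probability × loss × cost × time" weighing from slide 28. Its value is that it forces the inventory question from slide 23 (what do we have, who can log in, when was it last patched, when was a restore last tested) to be answered before any budget discussion, and the output is a short ordered list a board can act on. Replace the constructed lists with exports from your directory, patch management and backup tooling.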
  16. Canary in the coal mine
      • What is your role?
      • How does your company handle:
        – Policies and procedures + training
        – MFA
        – Phishing
        – Backups
        – Incident response plan and IR team
        – Cyber insurance
  18–19. How mature is the company’s cyber risk management program?
      • “GMR Transcription Services, Inc. . . . shall . . . establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.” In re GMR Transcription Svcs, Inc., Consent Order (Aug. 14, 2014)
      • “We believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.” SEC Statement and Guidance (Feb. 21, 2018)
      • “Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.” NYDFS Cybersecurity Regulations § 500.02
      • “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including …” GDPR, Art. 32
      • “A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.” – Ken Paxton
  20. What is reasonable cybersecurity?
      Too little: “just check the box”
      Too much: “boiling the ocean”
  21. Reasonable cybersecurity is a process, not a definition
  22. Prioritizing Limited Resources to Most Effectively Manage the Most Likely Real-World Risks
  23. Assess cyber risk
      “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” – Sun Tzu
      The most essential step?
      • How do you protect against what you don’t know?
      • How do you protect what you don’t know you have?
      • How do you comply with rules you don’t know exist?
      • Demonstrates real commitment to protect, not just “check the box” compliance.
      • No two companies are alike; neither are their risks, and neither are their risk tolerances.
  24. What do you think?
      What do you think is the most glaring thing missing when I look at the substantial incidents and data breaches I have handled over the past 20 years?
      1. Lack of hardware, services, gadgets, and gizmos?
      2. Lack of support from management?
      3. Lack of funding?
      4. Lack of talent?
      5. Lack of skills and knowledge?
      6. Lack of strategy?
  27. Strategic leadership and planning
      “Strategy without tactics is the slowest route to victory; tactics without strategy is the noise before defeat.” – Sun Tzu
      What does strategy consider?
      • Who is your head coach?
      • Who is on your team?
        – Inside and outside
        – Technical, business, operations, HR, marketing, and … yes, even legal
      • Risk analysis
      • Resources
      • Don’t forget 3rd- and Nth-party risk!
      • Objectives: what is a “win”?
  28. Evaluating risk and prioritization
      “You can’t boil the ocean”
      Traditional risk equation:
        Risk = probability × loss
      More realistic risk equation (this is a business issue):
        Risk = probability × loss × cost × time to implement × impact on resources × benefits to the business × detriments to the business
  29. Your Team: People & Personalities
  33. Psychology and personality
      • Psychology: “the scientific study of the human mind and its functions, especially those affecting behavior in a given context.”
      • Personality: “the combination of characteristics or qualities that form an individual’s distinctive character.”
      • How do you tell the difference between an introvert and an extrovert IT guy?
  34. Myers-Briggs Type Indicator
      Extraversion (E) / Introversion (I): how people respond to and interact with the world around them.
      • (E) turns outward: social interaction, time with others
      • (I) turns inward: deep meaning, time alone
      Sensing (S) / Intuition (N): how people gather information from the world around them.
      • (S) focus on what they learn from the senses, facts
      • (N) focus on patterns, impressions, abstractions
      Thinking (T) / Feeling (F): how people make decisions based on the information gathered through sensing or intuition.
      • (T) focus on facts and objective data
      • (F) give more weight to people and emotions
      Judging (J) / Perceiving (P): how people tend to deal with the outside world.
      • (J) prefer structure and firm decisions
      • (P) more open, flexible, adaptable
  35. Common questions about teams
      1. Who should be on the team and what should they know?
      2. What are the team members’ responsibilities?
      3. Who is responsible for developing the strategy and seeing the whole playing field?
      4. How do team members’ personalities affect their roles and performance?
      5. How should the team be organized?
      6. If you have cyber insurance, who is the contact person?
  36. Because There is No Such Thing as “Secure”
  37. Incident Response Planning & Practicing
      Incident response checklist
      • Determine whether the incident justifies escalation
      • Begin documentation of decisions and actions
      • Engage experienced legal counsel to lead the process and determine privilege vs. disclosure tracks
      • Notify and convene the incident response team
      • Notify the cyber insurance carrier
      • Engage specialized security/forensics to mitigate continued harm, gather evidence, and investigate
      • Assess the scope and nature of data compromised
      • Preliminarily determine legal obligations
      • Determine whether to notify law enforcement
      • Begin preparing the public relations message
      • Engage a notification / credit services vendor
      • Notify affected business partners
      • Investigate whether data has been “breached”
      • Determine when the notification “clock” started
      • Remediate and protect against future breaches
      • Confirm notification / remediation obligations
      • Determine proper remediation services
      • Obtain contact information for notifications
      • Prepare notification letters, frequently asked questions, and call centers
      • Plan and time the notification “drop”
      • Implement the public relations strategy
      • Administrative reporting (i.e., FTC, HHS, SEC & AGs)
      • Implement a cybersecurity risk management program
  38. Cyber / Privacy Risk Insurance
      Key considerations about cyber insurance:
      • If you don’t know you have it, you don’t!
      • Does your provider or broker really “get” cyber?
      • Is your coverage based on your risk?
      • Was security/IT involved in procurement?
      • Does your coverage include social engineering?
      • Does your coverage include contractual liability?
      • Do you have first-party and third-party coverage?
      • Do you understand your sub-limits?
      • Can you choose your counsel and vendors?
  39. “You don’t drown by falling in the water; you drown by staying there.” – Edwin Louis Cole
  40. Shawn Tuma, Co-Chair, Cybersecurity & Data Privacy, Spencer Fane LLP
      972.324.0317 | stuma@spencerfane.com
      • Board of Directors & General Counsel, Cyber Future Foundation
      • Board, Southern Methodist University Cyber Advisory
      • Board of Advisors, North Texas Cyber Forensics Lab
      • Policy Council, National Technology Security Coalition
      • Practitioner Editor, Bloomberg BNA – Texas Cybersecurity & Data Privacy Law
      • Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016)
      • SuperLawyers Top 100 Lawyers in Dallas (2016)
      • SuperLawyers 2015-18
      • Best Lawyers in Dallas 2014-18, D Magazine (Cybersecurity Law)
      • Council, Computer & Technology Section, State Bar of Texas
      • Privacy and Data Security Committee of the State Bar of Texas
      • College of the State Bar of Texas
      • Board of Directors, Collin County Bench Bar Conference
      • Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association
      • Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
      • North Texas Crime Commission, Cybercrime Committee & Infragard (FBI)
      • International Association of Privacy Professionals (IAPP)
