2011 12 02 larry clinton cyber risk and data breach management summit presentation in nyc about pwc...
TRANSCRIPT
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
1/31
Larry ClintonPresident & CEO
Internet Security [email protected]
202-236-0001
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
2/31
During the Last Minute
45 new viruses 200 new malicious web sites 180 personal identities stolen 5,000 new versions of malware created 2 million dollars lost
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
3/31
Technology or Economics?
Security failure is caused as least as often by bad
incentives as by bad technological designeverywhere we look we see online risk allocated
poorlypeople who connect their machines torisky places do not bear full consequences of
their actions. And developers are not
compensated for costly efforts to strengthen theircode. Anderson & Moore, Economics of
Information Security
Anderson and Moore The Economics of Information Security
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
4/31
Sr. Management & Cyber
SecurityGood News!!! PricewaterhouseCoopers survey of 9,000executives published September 2011
Executives were confident in their ability to securetheir information systems and bullish about cyber
security spending
43% had confidence in their security protocols 50% expected their companies to spend increasing
amounts of money on cyber security
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
5/31
Now the Harsh Reality
Only 13% of the Executives polled by PWCactually had done what is considered to be
adequate security.
Most executives didnt have an overall securitystrategy, had not reviewed the effectiveness oftheir strategy or knew what types of breaches had
hit them in the past 12 months. Only 1 in 3 said their companies had a policy for
dealing with employee use of social media
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
6/31
Digital Growth?
Companies have built into their business models theefficiencies of digital technologies such as real time
tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital
lifestyle is already built into almost every companys
assumptions for growth.
---Stanford University Study, July 2006
Sure
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
7/31
Digital Defense ------
Not So Much
23% of CTOs did not know if cyber losses were coveredby insurance.
34% of CTOs thought cyber losses would be covered byinsurance----and were wrong. SONY v Zurich insurance---when comprehensive doesnt
mean comprehensive (CGL policies)
The biggest network vulnerability in Americancorporations are extra connections added for seniorexecutives without proper security.
---Source: DHS Chief Economist Scott Borg
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
8/31
The Cyber Security
Economic Equation
Technological analysis tells us HOW cyber attacksoccur. Economics tells us WHY they occur
All the economic incentives favor the attackers Attacks are cheap, easy, profitable and chances of
getting caught are small
Defense is a generation behind the attacker, theperimeter to defend is endless, ROI is hard to show
Until we solve the cyber economics equation wewill not have cyber security
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
9/31
Efficiency and Security
Business efficiency demands LESS securesystems (VOIP/international supply chains/Cloud)
Cost is the single biggest problem ininformation security
In 2010 50%-66% of US Companies aredeferring or reducing investment in cyber
security
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
10/31
Corp Cyber Practices Are
Degrading
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
11/31
Why is this the case?
The vast majority of Sr management---and themajority of all employees---are digital immigrants
Cyber Security is not, just, an IT problem Insiders (including lawyers and PR/sales Execs)
are the single biggest cyber security vulnerability
We compensate for productivity and cost savings,we dont compensate for security
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
12/31
50 Questions Every CFO
Should Ask (2008)
It is not enough for the information technologyworkforce to understand the importance of cyber
security; leaders at all levels of government andindustry need to be able to make business and
investment decisions based on knowledge of risksand potential impacts. Presidents Cyber Space
Policy Review May 30, 2009 page 15
ISA-ANSI Project on Financial Risk Management
of Cyber Events: 50 Questions Every CFO
should Ask ----including what they ought to beasking their General Counsel and outside
counsel. Also, HR, Bus Ops, Public and InvestorCommunications & Compliance
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
13/31
Financial Management of
Cyber Rick (2010)
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
14/31
ANSI-ISA Program
Outlines an enterprise wide process to attackcyber security broadly and economically
CFO strategies HR strategies Legal/compliance strategies Operations/technology strategies Communications strategies Risk Management/insurance strategies
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
15/31
What CFO needs to do
Own the problem Appoint an enterprise wide cyber risk team
Meet regularly Develop an enterprise wide cyber risk
management plan
Develop an enterprise wide cyber risk budget Implement the plan, analyze it regularly, test and
reform based on EW feedback
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
16/31
Human Resources
Recruitment Awareness
Remote Access Compensate for cyber security Discipline for bad behavior Manage social networking Beware of vulnerability especially from IT and
former employees
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
17/31
Legal/Compliance Cyber
Issues What rules/regulations apply to us and partners? Exposure to theft of our trade secrets?
Exposure to shareholder and class action suits? Are we prepared for govt. investigations? Are we prepared for suits by customers and
suppliers?
Are our contracts up to date and protecting us?
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
18/31
Operations/IT
What are our biggest vulnerabilities? Re-evaluate? What is the maturity of our information
classification systems?
Are we complying with best practices/standards How good is our physical security? Do we have an incident response plan? How long till we are back up?---do we want that? Continuity Plan? Vendors/partners/providers plan?
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
19/31
Communications
Do we have a plan for multiple audiences?--general public
--shareholders--Govt./regulators
--affected clients
--employees
---press
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
20/31
InsuranceRisk
Management Are we covered?----Are we sure????????? What can be covered How do we measure cyber losses? D and O exposure? Who sells cyber insurance & what does it cost? How do we evaluate insurance coverage?
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
21/31
Growth toward Enterprise
wide cyber management In 2008 only 15% of companies had enterprise
wide risk management teams for privacy/cyber
In 2011 87% of companies had crossorganizational cyber/privacy teams
Major firms (E & Y) are now including ISA FinancialRisk Management in their Enterprise Programs
Even govt. (e.g DOE) has now adopted theseprinciples for their sector risk management
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
22/31
DOE Risk management
FrameworkSenior executives are responsible how cyber security
risk impacts the organizations mission and business
functions . As part of governance, each
organization establishes a risk executive functionthat develops an organization-wide strategy to
address risks and set direction from the top. Therisk executive is a functional role established within
organizations to provide a more comprehensive,organization-wide approach.
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
23/31
Two Types of Attacks
Basic attacks Vast majority Can be very damaging Can be managed
Ultra-Sophisticated Attacks (e.g., APT) Well organized, well funded, multiple methods,
probably state supported
They will get in
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
24/31
Best Practices do Work
PWC/Gl Inform Study 2006--- best practices 100% CIA 2007---90% can be stopped Verizon 200887% can be stopped NSA 2009---80% can be prevented Secret Service/Verizon 2010---94% can be
stopped or mitigated by adopting inexpensive best
practices and standards already existing
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
25/31
Advanced Persistent
ThreatWhat is it? Well funded Well organized---state supported Highly sophisticated---NOT hackers Thousands of custom versions of malware Escalate sophistication to respond to defenses Maintain their presence and call-home They target vulnerable people more than
vulnerable systems
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
26/31
APT
The most revealing difference is that when youcombat the APT, your prevention efforts will
eventually fail. APT successfully compromises any
target it desires.----M-trend Reports
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
27/31
The APT----Average
Persistent ThreatThe most sophisticated, adaptive and persistent class
of cyber attacks is no longer a rare eventAPT is
no longer just a threat to the public sector and the
defense establishment this year significantpercentages of respondents across industries
agreed that APT drives their organizations securityspending. PricewaterhouseCoopers Global
Information Security Survey September 2011
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
28/31
% Who Say APT Drives
Their Spending 43% Consumer Products 45% Financial services 49% entertainment and media 64% industrial and manufacturing sector 49% of utilitiesPWC 2001 Global Information Security Survey
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
29/31
Are we thinking of APT
all wrong? Companies are countering the APT principally
through virus protection (51%) and either intrusion
detection/prevention solutions (27%) PWC 2011
Conventional information security defenses dontwork vs. APT. The attackers successfully evade allanti-virus network intrusion and other best
practices, remaining inside the targets networkwhile the target believes they have been
eradicated.---M-Trend Reports 2011
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
30/31
We Are Not Winning
Only 16% of respondents say their organizationssecurity policies address APT. In addition more
than half of all respondents report that their
organization does not have the core capabilitiesdirectly or indirectly relevant to countering this
strategic threat.
-
7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT
31/31
Larry ClintonPresident & CEO
Internet Security Alliance
202-236-0001