Cybersecurity Risk: How a Data Breach Can Impact a Transaction
John Williamson, CPA, CIA, CISA
Jesus Vega, CISSP
Agenda
• Anatomy of a Breach
  • How Breaches Happen
  • Latest Trends
• Financial Impact of a Breach
  • The Cost of a Breach
  • Case Study Review
• How It Impacts Your Transaction
  • Industry Profiles
  • Top Risks/Questions You Should Ask
• Q&A session
Anatomy of a Breach
Verizon Data Breach Investigations Report
Verizon Enterprise Solutions: a division of Verizon Communications that offers cloud services and managed security services.
A report summarizing security incidents and breaches investigated by Verizon or provided by a set of 73 contributors in the security services industry.
• 41,686 incidents
• 2,013 breaches
Key Definitions
Incidents vs. Breaches
• An incident is a security event that compromises the integrity, confidentiality, or availability of an information asset.
• A breach is an incident that results in the confirmed disclosure – not just potential exposure – of data to an unauthorized party.
Personal Data
• Personal data are data that allow the identification of a person directly or indirectly.
  • Name and surname
  • Home address
  • Email address
  • Identification card number
  • Location data
  • Internet Protocol (IP) address
  • Cookie ID
  • Advertising identifier of your phone
  • Medical data
How Breaches Happen
Who Are the Victims?
Latest Trends
Financial Impact of a Breach
Financial Impact
Primary Cost Drivers:
1. Detection & Escalation Costs
2. Notification Costs
3. Post Breach Costs
4. Lost Business Costs
Financial Impact (cost per record, by industry)
Financial Impact
Impact on Your Transaction
![Page 15: Cybersecurity Risk: How a Data Breach Can Impact a Transaction€¦ · Cybersecurity Risk: How a Data Breach Can Impact a Transaction John Williamson, CPA, ... • Anatomy of a Breach](https://reader030.vdocuments.us/reader030/viewer/2022011900/5f03c4707e708231d40aab9d/html5/thumbnails/15.jpg)
• Organization acquires a small company to break into a niche market
• The following unexpected surprises occurred:• $9,000 monthly colocation cost
• 75% of the equipment used to host application was beyond End-Of-Life
• Company did not meet PCI compliance regulations • The Payment Card Industry Data Security Standard (PCI DSS) is an information security
standard for organizations that handle branded credit cards from the major card schemes
• You’ll hear talk of PCI compliance fines, and those fines can range from $5,000 to $100,000 a month, depending on factors like the size of your business and the length and degree of your non-compliance.
Case Study
15
Risk in Your Transaction
• Trust but Verify: has a 3rd party performed any type of due diligence?
  • Financial Audit
  • Quality of Earnings
  • Cybersecurity Examination
• Has the organization identified the risky data they hold?
  • Personally Identifiable Information (PII)
  • Payment Card Data (PCI-DSS)
  • Protected Health Information (PHI)
  • Intellectual Property
Industry Profile: Healthcare
HIPAA/HITECH
• Know your business associates
• Segmentation and protection of PHI
• Encryption methods (in transit and at rest)
• Privacy practices and notices
• Incident response planning is key

HHS penalty tiers:

| Tier | Level of culpability | Penalty range |
| --- | --- | --- |
| Tier 1 | Unaware of violation and exercising reasonable due diligence | $100 to $25,000 |
| Tier 2 | Reasonable cause that the entity knew about or should have known | $1,000 to $100,000 |
| Tier 3 | Willful neglect, but corrected within 30 days of discovery | $10,000 to $250,000 |
| Tier 4 | Willful neglect and made no effort to correct within 30 days of discovery | $50,000 to $1.5M |
Industry Profile: Retail
Payment Card Industry Data Security Standard (PCI-DSS)
• Does the business process credit cards themselves, or do they outsource to a 3rd party processor?
• If they process the cards themselves, focus on:
  • Network segmentation
  • Data classification
  • Cardholder Data Flow
  • Self-Assessment Questionnaires/Reports on Compliance
  • Central logging of events
• If they use a 3rd party processor, focus on:
  • Contractual commitments with vendors
  • Vendor PCI compliance reporting
Industry Profile: Technology
• Generally, technology companies will collect, process, and store data on behalf of their customers.
• Focus on the types of data processed (PII, PHI, cardholder data)
• Privacy commitments
  • Data belonging to California residents
  • Data belonging to EU citizens
  • Data belonging to US citizens (no current legislation, but it’s on its way)
• 3rd party risk (SOC reports, contracts, SLAs)
• Independent assessment to determine: Scalability, Security, and Integration
The Value of IT Due Diligence
Overall Risks/Red Flags
The Top Concerns from Security Professionals:
• No vulnerability scans
• No asset inventory
• No data mapping (a method of understanding the physical and logical location of data)
• Poorly defined or missing contracts with vendors (no SLAs)
• Poorly designed architecture (which impacts scalability, security, and integration)
• Diversification risk regarding key personnel/no succession planning
Questions?