Data Breaches Rear View Mirror - Doug Robinson

Upload: erepublic

Post on 14-Apr-2018

TRANSCRIPT

  • 7/27/2019 Data Breaches Rear View Mirror - Doug Robinson

    1/19

    Data Breaches: A Look in the Rear View Mirror

    2/19

    State Governments at Risk!

    States are attractive targets: data!

    More aggressive threats: organized crime, unorganized crime, hacktivism

    Critical infrastructure protection

    Lack of broad executive support

    Governance and authority lacking

    Data on the move

    Need more training, awareness

    3/19

    Growing Security Risks in the States

    Protecting legacy systems

    Malicious software

    Foreign state-sponsored espionage

    Mobile devices and services

    Use of social media platforms

    Use of personally-owned devices (BYOD) for state business

    Adoption of cloud services; rogue cloud users

    Inadequate policy compliance

    Third-party contractors and managed services

    Source: Deloitte-NASCIO Cybersecurity Study, October 2012

    4/19

    State Data Breach: Loss of Citizen Trust!

    5/19

    State CIO Priorities for 2013

    Source: NASCIO State CIO Survey, November 2012

    1. Consolidation/Optimization

    2. Cloud Services

    3. Security

    4. Mobile Services/Mobility

    5. Budget and Cost Control

    6. Shared Services

    7. Health Care

    8. Legacy Modernization

    9. Nationwide Public Safety Broadband Network

    10. Disaster Recovery/Business Continuity

    6/19

    What Are Top Priorities for State CISOs?

    Source: Deloitte-NASCIO Cybersecurity Study, October 2012

    7/19

    What Do We Know about State Government Data Breaches?

    8/19

    By the Numbers: The Consequences for States

    Over 20% of US data breaches happen in the public sector

    Government agencies have lost more than 94 million records of citizens since 2009

    97% increase in personal health information breaches over 2010

    Average cost per lost or breached record is $194

    Sources: "Rapid7 Report: Data Breaches in the Government Sector." Rapid7. September 6, 2012.

    "2011 Cost of Data Breach Study: Global." Ponemon Institute. March 2012.

    9/19

    [Chart] Source: www2.idexpertscorp.com

    10/19

    Reported Causes of Government Data Breaches

    1. Unintended disclosure

    2. Portable device

    3. Physical loss

    4. Hacking or malware

    5. Insider

    6. Stationary device

    7. Unknown or other

    Sources: Privacy Rights Clearinghouse, Rapid7 Report, US-CERT

    11/19

    Cybersecurity Resources Often Spent on Ineffective Activities

    Hacking is easy. Targeted attacks against business and government increased to 30,000 a year in 2012

    More than 90% of successful penetrations of networks required only the most basic techniques

    75% of attacks use publicly known vulnerabilities in commercial software that could be prevented by regular patching

    85% of breaches took months to discover

    Sources: CSIS, Symantec 2012 Threat Report, Verizon 2013 Data Breaches Report, Trustwave, US-CERT, NASCIO

    12/19

    Autopsy of a Data Breach: Findings from the Inspector General's Report

    Finding #1: The state does not have a statewide INFOSEC program, which undermines an effective statewide security posture, as well as creating unmanaged and uncontrolled statewide INFOSEC risks having potential impact on the entire state government.

    Finding #2: The state has not fixed responsibility, accountability, and authority for statewide INFOSEC.

    Finding #3: Consultants, with expertise in developing and implementing statewide INFOSEC programs, will be required to assist in establishing a statewide INFOSEC governance framework and implementation options.

    Source: State of South Carolina, Office of the Inspector General, State Government Information Security Initiative: Current Situation & A Way Forward, Interim Report, November 30, 2012

    13/19

    More Governance, Collaboration and Compliance is Needed

    14/19

    Who's Responsible for Protecting State Data?

    Chief Information Officer

    Information Security Officer

    Agency Leaders

    Data Owners

    Human Resources

    Legal

    Employees

    Third Party Contractors

    15/19

    Protecting critical data is a core responsibility of the state and an investment in risk management.

    State leaders ignore this at their peril.

    16/19

    A Call to Action for States: Execute on an effective cybersecurity strategy, with strong governance and compliance monitoring measures

    17/19

    The Tactical Guide to Data Protection

    Know your assets: where is the data?

    Classify data and assess known risks

    Clearly document and consistently enforce policies and controls

    Implement strict password and account management policies and practices

    Implement a security information and event management (SIEM) solution

    Trust, but verify
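Two of the items above, strict account management and a SIEM, only pay off when someone writes the correlation rules that turn account policy and raw logs into alerts. The following added example is not part of the slide deck or of any NASCIO material; it shows, in Python, the kind of rule a SIEM would run over OpenSSH authentication log lines: a per-source brute-force window, a success following that brute force, and a successful login for an account the account-management process says should be disabled. The log lines and the disabled-account list are constructed for the example, and the hostnames and addresses are placeholders from documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OpenSSH auth-log lines (not real data); hosts and
# addresses are placeholders from documentation ranges.
SAMPLE_LOG = """\
Mar  5 10:00:01 fileserver sshd[1201]: Failed password for svc_backup from 203.0.113.7 port 50122 ssh2
Mar  5 10:00:03 fileserver sshd[1201]: Failed password for svc_backup from 203.0.113.7 port 50123 ssh2
Mar  5 10:00:05 fileserver sshd[1201]: Failed password for svc_backup from 203.0.113.7 port 50124 ssh2
Mar  5 10:00:09 fileserver sshd[1201]: Accepted password for svc_backup from 203.0.113.7 port 50125 ssh2
Mar  5 10:02:30 fileserver sshd[1300]: Accepted publickey for jdoe from 10.0.4.21 port 41000 ssh2
Mar  5 10:05:00 fileserver sshd[1333]: Failed password for invalid user admin from 198.51.100.9 port 33390 ssh2
Mar  5 10:07:12 fileserver sshd[1340]: Accepted password for former_employee from 10.0.4.50 port 41200 ssh2
"""

# Hypothetical output of the account-management process: accounts that should
# already be disabled. Any accepted login for one of them is a finding.
DISABLED_ACCOUNTS = {"former_employee", "contractor_2011"}

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd Accepted/Failed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # for relative comparisons within one log file.
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "ok": m["result"] == "Accepted",
            "method": m["method"], "user": m["user"], "src": m["src"]}


def analyze(lines, disabled_accounts, threshold=3, window=timedelta(seconds=60)):
    """Run three correlation rules over the parsed events and return the alerts raised."""
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    alerts = []
    failures = defaultdict(list)   # source address -> timestamps of recent failures
    flagged_sources = set()        # sources that already tripped the brute-force rule

    for e in events:
        if not e["ok"]:
            # Rule 1: sliding-window brute-force detection per source address.
            fails = failures[e["src"]]
            fails.append(e["ts"])
            fails[:] = [t for t in fails if e["ts"] - t <= window]
            if len(fails) >= threshold and e["src"] not in flagged_sources:
                flagged_sources.add(e["src"])
                alerts.append({"rule": "brute_force", "user": e["user"], "src": e["src"],
                               "detail": f"{len(fails)} failures within {window.seconds}s"})
            continue

        # Rule 2: an accepted login from a source that was brute-forcing is a
        # likely guessed password, not a false positive.
        if e["src"] in flagged_sources:
            alerts.append({"rule": "success_after_failures", "user": e["user"], "src": e["src"],
                           "detail": f"{e['method']} login accepted after repeated failures"})

        # Rule 3: any accepted login for an account that policy says is disabled.
        if e["user"] in disabled_accounts:
            alerts.append({"rule": "disabled_account_login", "user": e["user"], "src": e["src"],
                           "detail": "account is on the disabled list"})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines(), DISABLED_ACCOUNTS):
        print(f"[{a['rule']}] user={a['user']} src={a['src']} {a['detail']}")
```

On the constructed sample this raises three alerts: the brute force from 203.0.113.7, the accepted password for svc_backup that follows it, and the login by former_employee. The single failure from 198.51.100.9 stays below the threshold and raises nothing, which is the point of the window: the rule should fire on patterns, not on every failed password. Rule 3 is the one that depends on the account-management item above; without a maintained list of accounts that should be disabled, the SIEM has nothing to check a successful login against.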

    18/19

    Act and Adjust: A Call to Action for Governors for Cybersecurity
    National Governors Association, September 26, 2013

    Establish a governance and authority structure for cybersecurity

    Conduct risk assessments and allocate resources accordingly

    Implement continuous vulnerability assessments and threat mitigation practices

    Ensure that the state complies with current security methodologies and business disciplines in cybersecurity

    Create a culture of risk awareness

    Source: NGA's Resource Center for State Cybersecurity, 2013

    19/19

    Thank You! And be careful backing up.