The Unseen Enemy - Protecting the Brand, the Assets and the Customers
DESCRIPTION
Michael Barba and Jeff Hall discuss the most pressing cyber-threats facing retailers and what companies can do in the event of a cyber breach, data loss or claim. Mr. Barba is a managing director and Mr. Hall is a senior manager with BDO Consulting.

TRANSCRIPT
THE UNSEEN ENEMY: PROTECTING THE BRAND, THE ASSETS AND THE CUSTOMERS
Technology – Connecting the world…
• 9 billion connected devices, predicted to rise to 24 billion by 2020
• If Facebook were a country, it would be the 3rd largest in the world
• Facebook kicks off over 1,000 users per day because they are too young
• In 2011, more video was uploaded to YouTube in a two-month period than if ABC, CBS, and NBC had been airing new content 24/7/365 since 1948
In the News
Recent Studies
2013 Trustwave Global Security Report
• Retail industry made up 45% of data breach investigations studied (15% increase from 2011)
• E-commerce sites were the #1 targeted asset, accounting for 48% of all investigations
Symantec
• Cumulative bill for cyber crimes in 24 countries totaled $388 billion last year
• 431 million adults experienced some form of cyber crime last year, equating to nearly 1.2 million people per day or 14 per second
Why Should Retailers Be Concerned?
• The retail industry is now the top target for cybercriminals
• Annual U.S. retail e-commerce spending has surged 143% since 2004 to $161.52 billion last year. In fact, a report from IRMG indicates that internet/mobile shopping increased 15% in 2013.
• Early estimates indicate that 20% of the upcoming holiday sales will be online
• E-commerce attacks are emerging as a growing trend, surpassing the number of point-of-sale attacks
• The financial cost of a cyber attack is higher for businesses that sell products on the front end, such as retailers
• The SEC is pushing to require that companies disclose data breaches in their financial statements
What Must Retailers Protect?
• Customer information
• Credit card information
• Private employee data
• Confidential business information
• Intellectual property
• Reputation and goodwill
How Breaches Occur
• Criminal act by outsider
• Technology failure
• Employee misconduct
• Human error
• Vendor error
Case Studies
Resource: Retail Fail: Walmart, Target Fared Worst In Def Con Social Engineering Contest
What are the options for handling the risk?
• Retain: keep the risk within the organization
• Transfer: transfer the risk to another entity
• Allocate: involve counsel to shift risk to suppliers and business partners
Types of Insurable Risks
Third party / First party
Cost types:
• Hard
• Soft
• Time
Retail companies see much more significant costs around cyber attacks. According to Neustar’s May 2012 report:
• 65% of businesses said a site outage would cost them up to $10,000 an hour
• 21% said it would cost $50,000/hour
• 13% would lose $100,000/hour
What Do You Know About Your Data?
Location
• Cloud
• Physical environment
• Is your data co-located?
Service Level Agreements
• Breach notification
Law enforcement considerations must be considered and addressed:
• Requests to maintain secrecy or limit knowledge
• Maintaining control of the investigation
Communications with insurers presumably are not privileged
Actions Following a Breach: Functional Steps
Deploy → Preserve → Identify → Notify
DEPLOY AN INCIDENT RESPONSE TEAM
• IT Director
• CIO
• Human Resources
• Legal
• Internal or external security experts
PRESERVE SYSTEM LOGS
• Date, time, duration, and location of breach
Actions Following a Breach (Continued): Functional Steps
IDENTIFY THE FOLLOWING
• How was the breach discovered?
• By whom?
• Any additional details:
  • Entry and exit points
  • Compromised systems
  • Data deleted vs. modified vs. viewed
• Identify and understand details of the affected data
NOTIFY
• Public relations
• Insurance carrier
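The Preserve and Identify steps above ask the response team to keep system logs intact and to establish the date, time and duration of the breach. The script below is an added example, not part of the original presentation or BDO's material: it hashes each log file into a collection manifest (who collected what, when, with which SHA-256), extracts the earliest and latest event timestamps across the logs to state the incident window from evidence rather than memory, and re-verifies the hashes later so any post-collection alteration is detected. The log lines, host names, addresses and the manifest layout are constructed for illustration.

```python
# Added example (not from the original presentation): preserve system logs
# for a breach investigation by hashing each file into a collection manifest
# and extracting the earliest/latest event timestamps, so the date, time and
# duration of the incident come from preserved evidence. Log lines, hosts and
# addresses are constructed; the manifest layout is an assumption.
import hashlib
import json
import os
import re
import tempfile
from datetime import datetime, timezone

# Constructed sample logs (syslog-like, UTC timestamps); not real data.
SAMPLE_LOGS = {
    "web01-access.log": (
        "2013-11-20T02:14:07Z web01 nginx: 203.0.113.5 POST /checkout 200\n"
        "2013-11-20T02:14:09Z web01 nginx: 203.0.113.5 POST /checkout 200\n"
        "2013-11-20T02:31:55Z web01 nginx: 203.0.113.5 GET /admin/export 200\n"
    ),
    "db01-audit.log": (
        "2013-11-20T02:32:10Z db01 postgres: SELECT on customers by app_user\n"
        "2013-11-20T03:05:42Z db01 postgres: COPY customers TO stdout by app_user\n"
    ),
}

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")
TS_FMT = "%Y-%m-%dT%H:%M:%S"


def sha256_file(path):
    """Hex SHA-256 of a file, streamed so large logs are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def activity_window(path):
    """Return (first, last) event timestamps found in a log, or (None, None)."""
    stamps = []
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        for line in f:
            m = TS_RE.match(line)
            if m:
                stamps.append(m.group(1))  # fixed-width ISO: string order == time order
    return (min(stamps), max(stamps)) if stamps else (None, None)


def build_manifest(log_dir, collector):
    """Chain-of-custody record: who collected which files, when, with what hash."""
    files = []
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        if not os.path.isfile(path):
            continue
        first, last = activity_window(path)
        files.append({"file": name, "size_bytes": os.path.getsize(path),
                      "sha256": sha256_file(path),
                      "first_event": first, "last_event": last})
    # Incident window across all preserved logs: the "date, time, duration" facts.
    firsts = [e["first_event"] for e in files if e["first_event"]]
    lasts = [e["last_event"] for e in files if e["last_event"]]
    start, end = (min(firsts), max(lasts)) if firsts else (None, None)
    duration = None
    if start:
        delta = datetime.strptime(end, TS_FMT) - datetime.strptime(start, TS_FMT)
        duration = int(delta.total_seconds() // 60)
    return {"collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector, "source_dir": os.path.abspath(log_dir),
            "files": files, "window_start": start, "window_end": end,
            "duration_minutes": duration}


def verify_manifest(manifest):
    """Re-hash preserved files; return names whose contents changed or vanished."""
    changed = []
    for e in manifest["files"]:
        path = os.path.join(manifest["source_dir"], e["file"])
        if not os.path.isfile(path) or sha256_file(path) != e["sha256"]:
            changed.append(e["file"])
    return changed


def demo():
    """Preserve the constructed logs, then show that later alteration is detected."""
    evidence_dir = tempfile.mkdtemp(prefix="evidence_")
    for name, body in SAMPLE_LOGS.items():
        with open(os.path.join(evidence_dir, name), "w", encoding="utf-8") as f:
            f.write(body)
    manifest = build_manifest(evidence_dir, collector="ir-team@example.invalid")
    # Keep the manifest outside the evidence directory so it is not hashed with it.
    with open(evidence_dir + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2)
    intact = verify_manifest(manifest)  # nothing changed yet -> []
    with open(os.path.join(evidence_dir, "web01-access.log"), "a") as f:
        f.write("2013-11-21T00:00:00Z web01 nginx: rotated\n")  # simulated alteration
    return manifest, intact, verify_manifest(manifest)


if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

Running the module calls demo(): the manifest reports a window from 02:14:07 to 03:05:42 UTC (51 minutes), the first verification returns an empty list, and the second flags web01-access.log because it was appended to after collection. In a real response the manifest (and ideally a copy of the logs) would be written to storage the compromised systems cannot reach, and the collector's identity recorded for the insurer and counsel.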
Insurance Recovery Considerations in the Face of a Security Breach, Data Loss or Claim
• Timely notice of claim (claims made and reported?)
• Involvement of counsel (internal and external) to review how coverage may respond
• Consent to incur prudent or necessary expenses may be required:
  • Costs of the crisis stage or of legal compliance, such as breach notification, credit monitoring, call center and forensics, make up the vast majority of the expense on a per-record basis ($194/record)
  • Defense expenses (private claims, regulatory claims)
• Communications with insurers presumably are not privileged
• “Labeling”/categorization of first-party costs
Who Provides Services Around Cyber Risk?
• Preventative/proactive assessment
• Data hosting/monitoring
• Technology/data analytics
• Legal
• Forensic accounting
• Public relations
CONTACT
Michael Barba, CISSP, CPP, DFCP, CNE, EnCE
Managing Director, BDO USA, LLP
212-885-8120
Jeff Hall
Senior Manager, BDO USA, LLP
212-885-7339
BDO is the brand name for BDO USA, LLP, a U.S. professional services firm providing assurance, tax, financial advisory and consulting services to a wide range of publicly traded and privately held companies. For more than 100 years, BDO has provided quality service through the active involvement of experienced and committed professionals. The firm serves clients through more than 40 offices and more than 400 independent alliance firm locations nationwide. As an independent Member Firm of BDO International Limited, BDO serves multinational clients through a global network of 1,204 offices in 138 countries. BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms. www.bdo.com
To ensure compliance with Treasury Department regulations, we wish to inform you that any tax advice that may be contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding tax-related penalties under the Internal Revenue Code or applicable state or local tax or (ii) promoting, marketing or recommending to another party any tax-related matters addressed herein. Material discussed in this publication is meant to provide general information and should not be acted on without professional advice tailored to your individual needs. © 2013 BDO USA, LLP. All rights reserved. www.bdo.com