PROPRIETARY & CONFIDENTIAL March 4, 2010Affect Strategies
CYBER SECURITY 101:
What Your Agency Needs to Know
PR Council Genome Series
May 4, 2017
PRESENTERS
Sandra Fathi, President, Affect
PR Council Board Member
sfathi@affect.com
@sandrafathi
Simon Russell
Managing Partner,
BeCyberSure
simonr@becybersure.com
Vince L. Martinez
Partner, K&L Gates LLP
Vince.martinez@klgates.com
AGENDA
I.  Cyber Security 101: What you need to know about cyber security and threats in an agency environment
II.  Legal Ramifications: Cyber security and the law, the agency’s responsibilities and liabilities
III.  Crisis Communications: When it happens to you, a plan of action
DEFENDING ENTERPRISE INTEGRITY
Making InfoSec Part of the Culture
Simon Russell, Managing Partner, BeCyberSure North America
Defending Enterprise Integrity
What is “Cyber Security”?
•  The process of applying security measures to ensure confidentiality, integrity, and availability of data
•  Essentially, protection against Cyber Risk
What is “Cyber Risk”?
•  “Cyber Risk” means any risk of financial loss, disruption or damage to the reputation of an individual or organization from some sort of failure of their information technology systems
All Organizations are susceptible to both internal & external attacks
Defending Enterprise Integrity

Method                          Problem                                  Solution
Wireless Hotspots,              Subject to man-in-the-middle attacks     Public Wi-Fi / VPN
Bluetooth + Mobile
Printers                        Log-in details are recorded              Default password
Invoice Processing + Payroll    Payment redirection, Conveyancing,       Policy and procedures.
                                Payroll Interception, Loss of PII,
                                Friday afternoon syndrome
Phishing + Ransomware           Loss of data / access                    Training
The Cloud!                      Lack of control                          Use 2FA and encryption

IT’S ALL TOO EASY
The Value of a Hacked Email Account
The Value of a Hacked PC
EXCUSES FOR NOT ADDRESSING CYBER
Defending Enterprise Integrity
I’M TOO SMALL
•  Usually easier target
NOTHING WORTH STEALING
•  All data has value or you could be a stepping stone
MY TYPE OF BUSINESS IS NOT A TARGET
•  Every organization is of interest to the criminal – they do not discriminate
I DON’T HANDLE MONEY
•  Not the point - there are other assets to steal
I OUTSOURCE IT, PAYMENTS, ETC
•  You are still responsible - the responsibility is not outsourced
SOMEONE ELSE WILL PAY IF SOMETHING GOES WRONG (e.g. banks, insurance)
•  Not any more!
© 2015 Optimal Risk and its partners/affiliates. All rights reserved.
Source: 2014 Verizon Data Breach Investigations Report
Timespan of events by % of Web App breaches

                Secs   Mins   Hrs   Days   Weeks   Months   Years
Compromise       19%    42%   12%    23%      0%       5%      1%
Exfiltration      3%    27%   21%    21%     18%       9%      0%
Discovery         0%     3%   11%    17%     16%      41%     11%
Containment       0%     2%    5%    42%     22%      29%      0%

In 50% of breaches, data is stolen in hours
41% of breaches are not discovered for months

Be Very Worried
40% of companies experienced a data breach
61% of espionage is not discovered for months
More than 50% of companies do NOT conduct security testing
38% of companies are not capable of resolving an attack
51% increase of companies reporting >$10M loss
34% of companies do not know if/how
Hidden Costs of a breach
Defending Enterprise Integrity
PEOPLE not devices
•  Majority of breaches occur due to human error
•  Training and awareness - Change culture
SECURITY over compliance
•  Whilst there is no avoiding compliance, approaching security as a box-checking exercise is a huge mistake. If you are secure and up to best practices for NIST or CIS for example you will be compliant with most regulators’ requirements
Defending Enterprise Integrity
Think Human NOT Cyber
What Steps Should You Take?
•  Info Security audit to expose holes in architecture, focus on what data you have and where it sits.
•  Policies and Procedures
•  Social engineering testing i.e. Phishing
•  Ongoing Penetration testing
•  Staff training
•  System monitoring
•  Think about 3rd party risks
Defending Enterprise Integrity
THINK…
SECURITY NOT COMPLIANCE.
HUMAN NOT CYBER.
Defending Enterprise Integrity
Regulatory and Legal Considerations
Basic Incident Response Steps
•  Recognize the occurrence of an incident.
•  Notify and assemble the incident response team to begin the investigation.
•  The internal team can include IT, Security, HR, Counsel, Compliance,
business heads and IR.
•  The external team can include outside counsel, technological consultancies
and crisis management / public relations firms.
•  Identify and fix (or contain) the technological issue.
•  Determine any legal obligations and comply.
•  Determine if any public reporting obligations exist.
•  Communicate with the public as appropriate.
•  Eradicate remnants of the security incident and recover business operations.
Data Breach Notification Requirements
•  The primary consideration is the exposure of personally identifiable
information (PII).
•  All states except AL and SD require companies to notify affected
individuals when their PII has been compromised.
•  There are variances in notification laws and the types of data considered PII.
•  Most states require notice as soon as reasonably possible; a few require
notice within 30 to 45 days of discovery.
•  Certain federal laws, such as HIPAA and GLBA, require companies to
notify affected individuals.
•  Certain federal regulators, including the FTC and FCC, are active within
their jurisdictions.
•  Breach notification can also be a function of contract, which should be
known before an incident occurs.
Notifying Law Enforcement
•  Relevant federal law enforcement agencies include the FBI
and the Secret Service.
•  The Department of Justice has issued guidance for interacting with
federal law enforcement authorities in the wake of a cybersecurity event.
•  https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/04/30/04272015reporting-cyber-incidents-final.pdf
•  State Attorneys General may also be required to be notified.
•  It is a best practice to have pre-established contacts with law
enforcement before an event.
•  Remember that law enforcement has different goals than you when
responding to a cybersecurity event, and the logistics and possible issues
surrounding law enforcement involvement should be understood beforehand.
Public Company Reporting Obligations
•  The SEC’s Division of Corporation Finance offered guidance in 2011.
•  https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
•  The guidance gives context to materiality in several parts of periodic reports.
•  Some incidents may be described generally in quarterly and annual filings.
•  Filing a Form 8-K is most appropriate for events of immediate material
consequence to investors.
•  The SEC has not yet brought an enforcement action for inadequate
cybersecurity disclosure, but has frequently indicated its interest in doing so.
Recent Regulatory Developments
•  The New York Department of Financial Services recently implemented
regulations for certain financial institutions:
•  http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf
•  Affects both businesses registered under the New York Banking, Insurance
and Financial Services Laws, as well as certain third parties that service those
businesses.
•  Contains specific technological measures required of covered entities.
•  The Colorado Division of Securities recently proposed enhanced
cybersecurity measures for broker-dealers and investment advisers:
•  https://drive.google.com/file/d/0BymCt_FLs-RGUWl5c3lDUVlzeDg/view
•  Specifies what measures firms should consider in order to have “written
procedures reasonably designed to ensure cybersecurity.”
•  Takeaway: More regulators are beginning to list specific measures required.
Consequences of a Cyber Incident
•  Major damage to the company’s operations, customer loyalty, reputation
and financial results.
•  Litigation, settlement, repair and remediation costs in recent
cases have reached into the tens of millions of dollars, including:
•  Example: Target - breach-related costs approaching $180 million per latest Form 10-K.
•  Shareholder derivative actions, including against directors
•  Customer class actions
•  Litigation with (former) business partners
•  Regulatory investigations, actions and remediation oversight
•  Example: FTC v. Wyndham Worldwide Corp.
•  Inadequate or misleading data security protections can be
charged as unfair and deceptive trade practices.
•  Activist investor campaigns
Roles for Outside Counsel
•  Extend attorney-client privilege to response advice.
•  Extend work product protection to investigative documentation.
•  Hire other third parties as agents of the legal engagement.
•  Establish contact with law enforcement.
•  Identify likely regulators and applicable standards and guidance.
•  Identify legal and contractual obligations to notify or report.
•  Ensure legal accuracy of public statements.
SCALE OF THE ISSUE
WHY DO AGENCIES THINK THEY
ARE IMMUNE?
WHAT’S THE SCENARIO
•  Scenario #1: A reporter tweets that they’ve broken a story about your data
breach – you were unaware that the press was aware.
•  Scenario #2: IT department detects a breach and informs the PR department
that it has been mitigated.
•  Scenario #3: The FBI calls to tell you that they are investigating your data
breach.
•  Scenario #4: The IT department reports a breach to PR, but has no idea how
large it is or what the total impact will be.
•  Scenario #5: A Hacker threatens to release your client’s data if you don’t pay
$100,000 in Bitcoin
You need a plan and you needed it yesterday.
THE THREAT IS REAL
•  The Element of Surprise: breaches are often leaked to the media before full
investigations are complete
•  Under Pressure: Customers, media, employees etc. demand information
•  The Gift that Keeps on Giving: Data breach incidents tend to have more than
one news cycle
•  Social Media Wildfire: False information spreads quickly on sites like Twitter,
Facebook and LinkedIn
If you are prepared for data breach response, you have a better chance of
controlling your message and preserving your reputation.
CORE CONCEPTS
CRISIS COMMUNICATIONS
4 Phases of Crisis Communications
1.  Readiness
2.  Response
3.  Reassurance
4.  Recovery
PHASE 1: READINESS
PREVENTATIVE MEDICINE
Anticipating a Crisis
1.  Crisis Mapping (SWOT Analysis)
2.  Policies and Procedures (Prevention)
3.  Crisis Monitoring
4.  Crisis Communications Plan
5.  Crisis Action Plan
6.  Crisis Standard Communications Template
THREAT MAPPING
RISK ASSESSMENT
Internal
•  Employees
•  Facilities
•  Vendors/Suppliers
•  Distributors/Resellers
•  Product
External
•  Acts of Nature
•  Market
•  Legal Restrictions/Law
•  Customers
•  Advocacy Groups
Anticipating & Understanding Threats to a Business
People, Products, Facilities, Environment, Information
INFORMATION THREATS
What’s in your files?
1.  HR – Name, Address, Social Security
2.  Payroll – Name, Address, Social Security & Bank Account
3.  Customer – Name, Address, Credit Card & Bank Account
4.  Vendor – Name, Address, Credit Card & Bank Account
5.  Other – Medical Records, Demographic Information, Email, File Servers
etc.
CRISIS COMMUNICATIONS
ANTICIPATING THREATS
Create A Chart: Potential Informational Threats to Your Business
Columns: HR, Sales, Marketing, Finance
Rows: Rank Order, High Risk to Low Risk
CRISIS TOOLKIT
RESPONSE RESOURCES
1. Develop materials:
•  Messages/FAQ
•  Prepared statements
•  Press release template
•  Customer letters
2.  Train employees
•  Awareness
•  Anticipation
•  Organizational Preparation
3. Prepare channels:
•  Hotline
•  Dark site
•  Social Media
4. Data Breach/Customer Assistance
Resources
•  Microsite/Landing Page FAQ
•  Identity Theft Remediation
Services
•  Force Password/Account
Information Change
•  Special Customer Advocate/Team
IMMEDIATE ACTION
BEST PRACTICES
Preparing a Response
1.  Don’t delay
2.  Acknowledge situation
3.  Acknowledge impact and ‘victims’
4.  Commit to investigate
5.  Commit to sharing information and cooperation with relevant parties
6.  Share corrective action plan if available
7.  Respond in the format in which the crisis was received**
RESPONSE OUTLINE
CRITICAL INFORMATION
Prepare a Template Crisis Response:
1.  What happened?
2.  What do we know about it?
3.  Who/what was impacted?
4.  How do we feel about it? (How should we feel?)
5.  What are we going to do about it?
6.  When are we going to do it?
7.  When/how will we communicate next?
CUSTOMER COMMUNICATION
Notice of Data Breach
1.  Introduction: Why are we contacting you?
2.  What happened?
3.  What information was compromised?
4.  What are we doing to remedy the situation?
5.  What can you do to prevent/mitigate further risk?
6.  Where can you find more information?
BREACH NOTIFICATIONS
SAMPLES
PHASE 3: REASSURANCE
DOSE OF MEDICINE
Who to Reassure? How to Reassure?
1.  Develop full response plan
2.  Put plan into action: Immediate remedy
3.  Communicate results of plan and impact
4.  Reaffirm commitment to correction
5.  Demonstrate results of program
PHASE 4: RECOVERY
LONG-TERM TREATMENT PLAN
Rebuilding reputation, trust and customer loyalty
Implementing preventative measures for long-term crisis mitigation
and/or prevention
1.  Review need for operational, regulatory, environmental and employee
changes
2.  Develop long-term plan including policies and prevention tactics
3.  Reassess crisis plan
4.  Regain customer/public trust
10 KEY TAKEAWAYS
CRISIS COMMUNICATIONS FOR DATA BREACHES
1.  Implement Policies to Address Potential Vulnerabilities
2.  Establish a Regular Review Cycle for Information Security
3.  Establish Inter-Departmental Cooperation
4.  Establish a Framework for Response
5.  Build a Data Breach Crisis Toolkit
6.  Know Where & How to Respond
7.  Prepare Your Employees in Advance
8.  Establish Assistance Services for those Impacted
9.  Know the Law Regarding Reporting in All Regions of Operations
10.  Be Honest, Be Transparent
RESOURCES
White Paper:
Crisis Communications in the Social Media Age
Download at: Affect.com
Thank you
Slides Available: Slideshare.net/sfathi
