Post on 14-Apr-2018
transcript
7/27/2019 Data Breaches Rear View Mirror - Doug Robinson
1/19
Data Breaches: A Look in the Rear View Mirror
State Governments at Risk!
States are attractive targets: data!
More aggressive threats: organized crime, unorganized crime, hacktivism
Critical infrastructure protection
Lack of broad executive support
Governance and authority lacking
Data on the move
Need more training and awareness
Growing Security Risks in the States
Protecting legacy systems
Malicious software
Foreign state-sponsored espionage
Mobile devices and services
Use of social media platforms
Use of personally-owned devices (BYOD) for state business
Adoption of cloud services; rogue cloud users
Inadequate policy compliance
Third-party contractors and managed services
Source: Deloitte-NASCIO Cybersecurity Study, October 2012
State Data Breach: Loss of Citizen Trust!
State CIO Priorities for 2013
Source: NASCIO State CIO Survey, November 2012
1. Consolidation/Optimization
2. Cloud Services
3. Security
4. Mobile Services/Mobility
5. Budget and Cost Control
6. Shared Services
7. Health Care
8. Legacy Modernization
9. Nationwide Public Safety Broadband Network
10. Disaster Recovery/Business Continuity
What Are Top Priorities for State CISOs?
Source: Deloitte-NASCIO Cybersecurity Study, October 2012
What Do We Know about State Government Data Breaches?
By the Numbers: The Consequences for States
Over 20% of US data breaches happen in the public sector
Government agencies have lost more than 94 million records of citizens since 2009
97% increase in personal health information breaches over 2010
Average cost per lost or breached record is $194
Sources: "Rapid7 Report: Data Breaches in the Government Sector." Rapid7. September 6, 2012.
"2011 Cost of Data Breach Study: Global." Ponemon Institute. March 2012.
Source: www2.idexpertscorp.com
Reported Causes of Government Data Breaches
1. Unintended disclosure
2. Portable device
3. Physical loss
4. Hacking or malware
5. Insider
6. Stationary device
7. Unknown or other
Sources: Privacy Rights Clearinghouse, Rapid7 Report, US-CERT
Cybersecurity Resources Often Spent on Ineffective Activities
Hacking is easy. Targeted attacks against business and government increased to 30,000 a year in 2012
More than 90% of successful penetrations of networks required only the most basic techniques
75% of attacks use publicly known vulnerabilities in commercial software that could be prevented by regular patching
85% of breaches took months to discover
Sources: CSIS, Symantec 2012 Threat Report, Verizon 2013 Data Breaches Report, Trustwave, US-CERT, NASCIO
Autopsy of a Data Breach: Findings from the Inspector General's Report
Finding #1: The state does not have a statewide INFOSEC program, which undermines an effective statewide security posture, as well as creating unmanaged and uncontrolled statewide INFOSEC risks having potential impact on the entire state government.
Finding #2: The state has not fixed responsibility, accountability, and authority for statewide INFOSEC.
Finding #3: Consultants, with expertise in developing and implementing statewide INFOSEC programs, will be required to assist in establishing a statewide INFOSEC governance framework and implementation options.
Source: State of South Carolina, Office of the Inspector General, State Government Information Security Initiative: Current Situation & A Way Forward, Interim Report, November 30, 2012
More Governance, Collaboration and Compliance is Needed
Who's Responsible for Protecting State Data?
Chief Information Officer
Information Security Officer
Agency Leaders
Data Owners
Human Resources
Legal
Employees
Third Party Contractors
Protecting critical data is a core responsibility of the state and an investment in risk management.
State leaders ignore this at their peril.
A Call to Action for States: Execute on an effective cybersecurity strategy, with strong governance and compliance monitoring measures
The Tactical Guide to Data Protection
Know your assets: where is the data?
Classify data and assess known risks
Clearly document and consistently enforce policies and controls
Implement strict password and account management policies and practices
Implement a security information and event management (SIEM) solution
Trust, but verify
Act and Adjust: A Call to Action for Governors for Cybersecurity. National Governors Association, September 26, 2013
Establish a governance and authority structure for cybersecurity
Conduct risk assessments and allocate resources accordingly
Implement continuous vulnerability assessments and threat mitigation practices
Ensure that the state complies with current security methodologies and business disciplines in cybersecurity
Create a culture of risk awareness
Source: NGA's Resource Center for State Cybersecurity, 2013
Thank You! And be careful backing up.