Cyber Risks – Not Just a Domain for IT
The Evolving Threat to Companies in Europe and Risk Transfer
Tracie Grella
Global Head of Professional Liability
AIG Property Casualty
Client Perception
8/10/2013 2
How concerned are you about this type of risk for your company?
1 Cyber Risks 86%
2 Loss of Income 82%
3 Property Damage 80%
4 Workers Compensation 78%
5 Utility Interruption 76%
6 Securities and Investment Risk 76%
7 Auto/Fleet Risk 65%
All audiences agree:
Hackers are the primary source of cyber threats: 82%
Clients who believe human error is a significant source of cyber risk: 74%
It is difficult to keep up with cyber threats because they are evolving so quickly: 80%
DLA Piper CIO Daniel Pollick
“There has been a change in atmosphere in the past 18
months. Governments are taking cyber security more
seriously and are pushing it to the top of business agendas”
Cyber Crime Attacks
Causes of a Data Breach
• Threat Actions: Hacking 52%, Social Tactics 29%
• Threat Agents: Organized Crime 52%, State
Sponsored 19%, Insiders 14%
• 50% of insiders who committed sabotage were former
employees taking advantage of security that was not
disabled
(Verizon Data Breach Report 2013 and AIG)
Cyber Trends
• 70% of breaches were spotted by an external party,
9% were spotted by customers
• 76% of network intrusions exploited weak or stolen credentials
• Claim volume up by 67% in 2012 and 71% in 2013
(AIG)
• Only 20% of middle market and large organizations
purchase cyber (AIG)
(Verizon Data Breach Report 2013)
43% of organizations in the EuroZone experienced more than 3 attacks
65% of companies across 62 countries are extremely concerned about cyber attacks
4 of 5 top banks in the UK claim that cyber attacks now represent a major threat to their stability
Country Exposure
Russia: number of cyber crimes grew 33% in 2012
Belgium: cost of cyber crime EUR5bn
Italy: 16,456 hacks against organizations in 1st half of 2013, up 57% from same time last year
UK: cost of cyber crime is £27bn
• Cost to UK business estimated £21bn
• Average cost of resolving a data breach is £2.04m
• Ireland: 37 breaches in 2012 with 68 over last 3 years
• Scotland: total cost of cyber crime is £5bn; every min lose £158
Germany: cost to German business EUR43bn
Business Enterprise Risk
Typical Hourly Cost of Downtime by Industry (in US Dollars)
Brokerage Service 6.48 million
Energy 2.8 million
Telecom 2.0 million
Manufacturing 1.6 million
Retail 1.1 million
Healthcare 636,000
Media 90,000
*Source: Network Computing, the Meta Group and Contingency Planning Research
The Accounting
Employees can’t access systems
Consumers can’t access your product
You disrupt a 3rd party’s supply chain
Unexpected costs
Reputation damage
Stock drops
Investigations
Employees can’t access systems
• Down for an extended period
Consumers can’t access your product
• Loss in Net sales
• Infrastructure
• Breach of service agreements
You disrupt a 3rd party’s supply chain
• Inability for upstream production or delivery
• Legal Penalties for breach of contractual obligations
Unexpected costs
• Business continuation costs
• Critical computer components damaged
• Re-uploading and patching of system critical software
• Replacing lost or destroyed data sets
Reputation Damage
• Cost to your Brand
• Consumer churn
• Loss of contracts or other business opportunities
• Business lost to competitors
• Coupons and discounts
Stock drops
• Average stock drop related to a cyber event 5%
Investigations
• Own internal
• Regulatory
• Shareholder Discovery
How Insurance Can Respond
PRE BIND SOLUTIONS
INCIDENT / BREACH
FORENSICS
LEGAL / PR
NOTIFICATION
INVESTIGATION
FINES
PRE BIND SOLUTIONS:
Awareness & Education
Loss Mitigation Tools
INCIDENT / BREACH:
Loss of Clients
Stock Drop
Cyber Extortion
Business Interruption
Crisis Management
FORENSICS:
Costs to Identify Exposed Records
Contain the Breach
Restore Data
LEGAL:
Breach Coach and Legal Defense
Legal Costs to Aid Victims of ID Theft
NOTIFICATION:
Credit Monitoring
Germany
Norway
Austria
Spain
• Mandatory Notification Telecomm
• Countries
Regulators
Individuals
Voluntary Notification
INVESTIGATION:
Client
Regulatory
Shareholders
3rd Party Liability
FINES:
Administrative
Industry Standards
PCI
Cyber risks – not just a domain for IT
Kevin P. Kalinich, J.D.
Global Practice Leader – Cyber Insurance
Aon plc
October 1, 2013
Cyber Insurance Outline
• 2013 Evolving Trends
o Financial Statement Impact
o Board of Directors Issue
o All Industries Impacted
• Cyber Risk Identification
o Classify, Qualify & Quantify
• Risk Mitigation
• Existing Insurance Policy Gap Analysis
2013 Evolving Trends
EU Organizations increasing reliance on evolving technologies
o Mobile (including payments)
o Cloud Computing
o Social Media
o Data Analytics (“Big Data”)
o Third Party Vendor Issues
• Payment Card Industry Data Security Standards: Fines & Penalties
• Data transfers to US in wake of NSA
• Cyber Risks Financial Statement Impact
o Actuarial Modeling
o Board of Directors Liability?
• Managing Cyber Security as Business Risk: Cyber Insurance in the Digital Age (August 2013: http://assets.fiercemarkets.com/public/newsletter/fiercehealthit/experian-ponemonreport.pdf)
Hacker steals data of 2 million Vodafone Germany clients
British police arrest eight over cyber theft at Barclays
http://www.emwllp.com/news/confidential-information-theft-cases-reach-record-high/
Aon Risk Solutions EMEA
Proprietary & Confidential |
E-Business Evolution
Global Business
Social Networks
SaaS On-line subscription
Mobile Apps
Cloud Computing
Outsourcing
Proposed New EU Data Privacy Protection Law
72 Hour Notice Period
“Right to be forgotten”
Penalties up to 2% of global annual turnover
Take effect two years after adoption
Cyber Risk Identification
• Identify & Classify Cyber Exposures (online and offline – hard copy)
• Qualify
• Quantify
• Financial Statement Impact
• A Checklist for Corporate Directors and the C-Suite: Data privacy & Security Oversight
(http://www.networkedlawyers.com/category/confidential-information-trade-secrets/)
http://www.aon.com/unitedkingdom/products-and-services/risk-services/datarisks.jsp
Exposure Analysis
Proprietary Cyber Risk Discovery Process
Risk Transfer Needs
Diagnostic
Program Design & Marketing
Customized Ongoing Services
New Products and/or Services
Quality Controls
Employee Training
Contract Management
Dispute Resolution
Data Risks
Privacy Policy
Security Controls
Data Breach Response Plan
Content development/clearance
Intellectual Property Review
Procurement Process
Vendor Diligence
Limitation of Liability
Cloud
Cyber Risk Actuarial Analysis growing
RISK vs. UNCERTAINTY
RISK = Something you can put a price on (e.g. exactly 1 chance in 11 to hit an inside straight in Texas Hold’Em)
UNCERTAINTY = risk that is hard to measure (e.g. Cyber exposure frequency & severity)
“We ignore the risks that are hardest to measure, even when they pose the greatest threats to our well-being”
-- Nate Silver, The Signal And The Noise: Why So Many Predictions Fail – But Some Don’t
Review Comparable Cyber Losses
Peer Benchmarking
Monte Carlo Simulations
Financial Impact Options
Risk Acceptance
Risk Avoidance
Risk Retention
Risk Transfer
Contractual Allocation
Cyber Insurance
Risk mitigation is key in all cases
Board of Directors Liability?
Integrate with Enterprise Risk Management
Risk Mitigation
• Comprehensive Cyber Risk Mitigation Program: Need Management Support
• Although IT Security & Use policies are important, it is MUCH MORE THAN AN IT SECURITY ISSUE
• Engage inter-departmental coordination and cooperation
• Risk Management
• Finance/Treasury
• Legal
• Human Resources
• CIO, CPO, CISO, etc.
• IT Security
• Education on Legal Exposures: train & monitor employees & all others
• Ensure Compliance with Organization’s Privacy Policy regarding 3rd party Personally Identifiable Information
• Data Breach Management Policy – continuously update
• Third Party Exposures
• Vendor/Supplier Management
• Contractual Considerations
• Vendor/Supplier Audits
Sample 10 Questions To Ask
Each question is followed by its takeaways / possible conclusion.

1. Question: Do you have an Information Security Policy?
   Takeaway: Most will say yes. If no, it would suggest a lack of awareness of the issues, and the organisation would therefore be unlikely to be ready for the product.

2. Question: Is it based on any Information Security Standard?
   Takeaway: Ideal answer would be ISO27002, as this is well understood and recognised by the market.

3. Question: What is the Governance Structure for management of IS Risk & Controls?
   Takeaway: Presence of a structure is an indicator of a mature organisation that understands and is looking to manage the risks.

4. Question: How do you maintain assurance of your internal IT controls?
   Takeaway: If there is an indication that a robust regime is in place, a free scan should be positioned as additional assurance. No evidence is an opportunity for a free scan, but may also indicate a high risk.

5. Question: Do you use third party suppliers?
   Takeaway: Need for the product is increased if yes; need to find out the scope of services. If critical, need for cyber risk transfer is increased.

6. Question: Do you obtain assurance of their Data/Security Controls?
   Takeaway: Ideal answer is yes, via a recognised method, i.e. SSAE 16/SAS 70 or other auditing standard. These will be readily accepted as evidence.

7. Question: What is your approach to the management of mobile devices?
   Takeaway: Every client will have this issue; laptop and device encryption are key controls. Lack of an informed response is not a good indicator.

8. Question: What are your key controls to determine if you are being subjected to a cyber attack?
   Takeaway: This provides an insight into the monitoring capability of the organisation. Most have poor levels of control unless they have outsourced a service.

9. Question: Do you have a Cyber response team or plan?
   Takeaway: Key area for extra service sales. Most do not, and failure to respond quickly enough drives up the final incident cost.

10. Question: Have you ever needed to complete a forensic examination of your IT equipment?
    Takeaway: As above. Often key evidence is destroyed through lack of awareness.
Can’t ‘traditional’ insurance help?
Potential Elements of Coverage in Commercial Property, General Liability, Crime, and Kidnap & Ransom Policies
Malware and Denial-of-Service attacks do not constitute ‘physical perils’ and do not damage ‘tangible property’.
CGL Privacy coverage limited to ‘publication or utterance’ resulting in one of traditional privacy torts.
Unauthorized access exclusions.
Requires negligence in provision of defined business activities.
Crime policies require intent… theft of money, securities, or tangible property.
Intentional acts and insured vs. insured issues.
No coverage for expensive crisis expenses required by law or to protect reputation.
Generally / E&O / Crime / Property / General Liability
Existing Coverage & Gaps
Existing Insurance Policy Claims Trends
Zurich v. Sony Declaratory Judgment Action: Over 55 class action lawsuits alleging billions of dollars in damages (Sept. 2011 new service agreement enforceable: mandatory arbitration and no class action?). Direct costs to companies impacted by cyber breaches, such as forensics, notification, credit monitoring and public relations costs, “are basic costs we would cover under our Zurich Security and Privacy Protection policy,” says Zurich. Then if a claim is filed, “we have a liability coverage part that would cover the affected entity for defense costs and indemnity they have to pay out as a result.”
State National Insurance Co. v. Global Payments April 2013 $84 Million Declaratory Judgment Action regarding excess Professional Liability policy: Card association claims do not arise out of negligence from “professional services” or “technology-based services”
Hartford v. Crate & Barrel and Children’s retail Stores (Declaratory Judgment Action with respect to GL Policy):
– Over 125 Class Actions in California, led by: Pineda v. Williams Sonoma, 51 Cal.4th 524, 246 P.3d 612 (Cal. 2011) (Zip codes are personal identification information protected by California’s Song-Beverly Act)
– Massachusetts Class Action: Tyler v. Michaels Stores, Inc., No. 1:111-cv-10920-WGY (D. Mass. Filed May 23, 2011).
Colorado Casualty Insurance Company vs. Perpetual Storage and the University of Utah (GL Policy) -- Negligence suit against insurance broker for not placing proper coverage
Tornado Technologies Inc. v. Quality Control Inspection, Inc. (Ohio Ct. App. August 2, 2012) – no negligence of insurer for not warning insured to purchase special cyber policy
Retail Ventures v. National Union Fire Ins. (August 23, 2012) Crime Policy Endorsement Applies
Liberty v. Schnucks (August , 2013) Declaratory Judgment filed regarding General Liability policy
Scope of Available Coverage
Breach
• Online and offline breaches
• Accidental or “rogue” employee actions
• Breaches caused by vendors or outsourcers
Mitigation
• Notification Costs
• IT Forensics
• PR + Advertising
• Credit Monitoring
• “Turnkey” breach response from carrier partners
Regulatory
• Regulatory Investigations
• Consumer Redress Funds
• Civil Penalties
• PCI – DSS Fines
• UK & EU country specific laws
Liability
• Individual Actions
• Consumer Class Actions
• Suits from business partners
• Suits from financial institutions
• Coverage should be customized based on the nature of the business
o For example, FI consumer facing businesses can face a different liability chain (see recent ATM’s)
• Additional coverage available:
o 1st Party Business Interruption: Lost revenue due to failed network security
o Information Asset: Loss or costs associated with restoring destroyed data
o Cyber Extortion: Pays an extortion demand to a party that holds the Insured’s system or data hostage
o Media: Content based injuries (online and may include offline)
Insurance Underwriter Issues To Address
I. Contractual Allocation of liability and hold harmless and indemnity between Insured and each of its counterparties
II. Are all subsidiaries 100% wholly owned or are there joint ventures?
III. Does Insured comply with regulatory guidelines regarding disclosure of Cyber exposures, mitigation and risk transfer insurance (ADR’s)?
IV. Review sample contracts from its suppliers as to allocation of liability, hold harmless and indemnity and insurance (name Insured as “Additional Insured?”). We have set up “affinity” type programs for large players in the Financial Institutions space where a supplier of the FI can obtain a $1 MM E & O policy for the benefit of the Insured FI
V. Does Insured have any products or services that are protected from liability due to regulation? If so, what are the services and products and what are the revenues compared to total revenues?
VI. Do we have a breakdown of revenue by each product/service, as the exposures from each are different in both frequency and severity?
VII. What percentage of the products and services have been provided for over five years (at least 5 years’ worth of Loss History)?
VIII. What percentage of products and services have been provided for less than one year?
IX. What type of internal or third party IT security assessments have been conducted? ISO 27001? SSAE 16?
X. What is the QA process for new products and services?
XI. What is the escalation process to approve contractual changes with customers?
XII. What is the escalation process to address and remedy complaints from customers?
XIII. What percentage of customers are business (B2B) vs. Individuals (B2C)?
Optimal Cyber Program
Optimal Program
Insurable Risks
Contractual Requirements
Budget
Risk Tolerance
Maximum Probable Loss
Peer Purchasing Data
Scope of Coverage/Control
Market Limitations
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
LIMITING THE IMPACT OF CYBER INCIDENTS
Presented by Ben Van Erck
EMEA RISK team
PROPRIETARY STATEMENT
© 2013 Verizon. All Rights Reserved. The Verizon and Verizon Business names and logos and all other names, logos, and slogans identifying Verizon’s products and services
are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries.
All other trademarks and service marks are the property of their respective owners.
This document and any attached materials are the sole property
of Verizon and are not to be used by you other than to evaluate
Verizon’s service.
This document and any attached materials are not to be disseminated,
distributed, or otherwise conveyed throughout your organization to
employees without a need for this information or to any third parties
without the express written permission of Verizon.
UNDERSTANDING THE WHO
VARIED MOTIVATIONS VARIED TACTICS
• Aim is to maximize disruption and embarrass victims from both public and private sector.
• Use very basic methods and are opportunistic.
• Rely on sheer numbers.
• Motivated by financial gain, so will take any data that might have financial value.
• More calculated and complex in how they choose their targets.
• Criminals are now trading information for cash.
• Often state-sponsored.
• Driven to get exactly what they want, from intellectual property to insider information.
• Often state-sponsored, use most sophisticated tools to commit most targeted attacks.
• Tend to be relentless.
ESPIONAGE
STATE-AFFILIATED ESPIONAGE.
• STATE-AFFILIATED ACTORS PERPETRATED 19% OF ATTACKS LAST YEAR.
• TARGETS ARE NOT JUST GOVERNMENT AGENCIES, AND NOT JUST MILITARY CONTRACTORS.
• BE AWARE OF THE “KNOCK-ON EFFECT” IN YOUR SUPPLY CHAIN.
DIFFICULTY OF ATTACK
THIS YEAR’S BIGGEST THREATS? SAME AS LAST YEAR’S.
WHAT TO WORRY ABOUT
• Very few surprises, mostly variations on theme.
• 75% of breaches were driven by financial motives.
• 95% of espionage relied on plain old phishing.
• Well-established threats shouldn’t be ignored.
• The weak links haven’t changed much:
–Desktops 25%
–File servers 22%
–Laptops 22%
• Unapproved hardware accounts for 43% of misuse cases.
WHAT DO ATTACKERS TARGET? STILL THE TRADITIONAL ASSETS.
WHAT TO WORRY ABOUT
• In 84% of cases, initial compromise took hours or less.
ATTACK VELOCITY
QUICK TO COMPROMISE
SLOW TO DISCOVER
• 66% of breaches went undiscovered for months… or even years.
QUICK TO COMPROMISE
DETECTION VELOCITY
RECOMMENDATIONS
INCIDENT RESPONSE PLAN
• Develop an IR plan (people, process, technology)
• Mock incident testing
– Table-top
– Fake incident
– Red vs Blue team
• Most important step in your IR process: learning from mistakes (yours and other people’s)
• Stakeholders
• Decision makers
IT’S NOT ABOUT THE PLAN, IT’S ABOUT THE PLANNING!
Additional Information
• Download DBIR – www.verizonenterprise.com/dbir
• Learn about VERIS - www.veriscommunity.net and http://github.com/vz-risk/veris
• Explore the VERIS Community Database: http://public.tableausoftware.com/views/vcdb/Overview and learn more about this data: http://veriscommunity.net/doku.php?id=public
• Ask a question – [email protected]
• Read our blog - http://www.verizonenterprise.com/security/blog/
• Follow on Twitter - @vzdbir and hashtag #dbir
DBIR: www.verizon.com/enterprise/databreach
VERIS: www.veriscommunity.net/
Please fill in the session feedback through the FERMA Mobile app