How to Prepare for a Data Breach


Slide 1

eab.com
IT Forum

How to Prepare for a Data Breach
Expediting Response and Minimizing Losses

Presentation for SURA IT Committee, November 5, 2014

Slide 2: Getting to Know You

©2014 The Advisory Board Company • eab.com

EAB in Brief
Thirty Years Serving Health Care, Eight with Colleges and Universities

Timeline milestones: 1979, 1986, 1993, 2007, 2014
• Advisory Board founded in Washington, DC, doing bespoke research
• First membership for healthcare executives; practice now serves 3,000 executives
• Membership for Fortune 500 C-level executives, spun off as Corporate Executive Board
• EAB launched serving university president’s cabinet

EAB Today:
• Research and Insights Memberships: Academic Affairs Forum, Business Affairs Forum, Student Affairs Forum, COE Forum, Advancement Forum, IT Forum, Enrollment Management Forum
• Performance Collaboratives: University Spend Collaborative, Student Success Collaborative
• Work with 600+ institutions in North America
• Conduct 1000s of research interviews annually
• Serve members through best-practice research, leadership meetings, analyst consultations, virtual events, implementation artifacts, diagnostics, and survey tools

Slide 3

Road Map For Discussion
1 Preparing for an Inevitable Threat
2 What Happens During a Breach?

Slide 4: A Tantalizing Target

Institutional Data At Risk
Turnover, Mobile Devices, and Weak Compliance Generate Risk

Data Breaches in Higher Education, 2005-2014, All Institution Types (breakdown by type of breach):
• Hacking or Malware: 36.80%
• Unintended Disclosure: 29.40%
• Portable Device: 17.25%
• Stationary Device: 6.51%
• Physical Loss: 5.28%
• Insider Theft: 3.17%
• Unknown: 1.41%
• Payment Card Fraud: 0.18%

Source: Chronology of Data Breaches 2005-Present, Privacy Rights Clearinghouse, https://www.privacyrights.org/data-breach. Last updated December 31, 2013. Higher Education totals reflect manual grouping of like institutions.

Slide 5: A Closer Look

No Immunity from Data Breaches
Research Titans and Teaching-Focused Schools at Risk

Date Made Public | Institution Name | Type of Breach | Records Compromised
1-Oct-14 | Fort Hays State University | Unintended Disclosure | 138
5-Sep-14 | California State University, East Bay | Hack | Unknown
7-Aug-14 | University California Santa Barbara | Hack | Unknown
14-Jul-14 | Orangeburg-Calhoun Technical College | Portable Device | 20,000
11-Jul-14 | University of Illinois, Chicago | Hacking or Malware | Unknown
10-Jul-14 | Penn State College of Medicine | Hacking or Malware | 1,176
30-Jun-14 | Butler University | Hacking or Malware | 163,000
16-Jun-14 | Riverside Community College | Unintended Disclosure | 35,212
9-Jun-14 | College of the Desert | Insider Theft | 1,900
30-May-14 | Arkansas State University | Hacking or Malware | 50,000
22-May-14 | San Diego State University | Unintended Disclosure | Unknown
14-May-14 | University California Irvine | Hacking or Malware | Unknown
22-Apr-14 | Iowa State University | Hacking or Malware | 29,780
27-Mar-14 | The University of Wisconsin-Parkside | Hacking or Malware | 15,000
7-Mar-14 | Johns Hopkins University | Hacking or Malware | Unknown
6-Mar-14 | North Dakota University | Hacking or Malware | 290,780

Source: Chronology of Data Breaches 2005-Present, Privacy Rights Clearinghouse, https://www.privacyrights.org/data-breach. Last updated December 31, 2013. Higher Education totals reflect manual grouping of like institutions.

Slide 6: The State of Play

A Matter of When, Not If
Higher Education Significant Target of Malicious Attacks on Data

• Financial data, intellectual property, and research information put institutions in the crosshairs.
• Accidental exposure, petty theft, and major criminal attacks compromise systems daily.
• Mobile device expansion, increased wireless access, and extensive collaboration between higher education institutions and private partners expose more data faster than ever before.
• Without strong budgets or levers on diverse institutional partners, IT leaders struggle to enable the gains of new technology while protecting vital data of participants.
• While Chief Information Officers may not directly control department policies, effective preparation and processes may reduce the likelihood, duration, and cost of data breaches.

Slide 7: Complacency Not An Option

The Spiraling Costs of Inaction
Incidence and Cost of Breaches On the Rise

Cost per Capita: $294

The most recent analysis by the Ponemon Institute calculates that breaches in higher education cost an average of $294 per compromised record. Across all industries, the per capita cost of data breaches is rising.

Ineffective procedures for a security breach can put sensitive information at risk and damage the reputation of the whole institution.

Smaller breaches can cost several thousand dollars, and a data breach earlier in 2014 at Maricopa Community College District in Arizona is estimated to cost the system at least $17 million; major breaches can impact every campus constituency.

While the IT team might identify and repair a security threat quickly, the escalating costs of forensics and verification can take months away from the most valuable technology staff, necessitate expensive vendor consultation, and result in lasting damage to the institution’s reputation.

Source: Ponemon Institute, sponsored by Symantec, 2013 Cost of Data Breach Study: Global Analysis, https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf. May 2013.

Slide 8: Where We Can Help

Breach Plan and Management
Preparation: Simple, Cheap, and Effective Way to Improve Risk Profile

Lifecycle diagram (flattened in extraction; only the stage labels and notes survive):
Stages: Preparation; Defense; Breach event occurs; Assessment; Mobilizing Response; Breach Notification; Resolution and Analysis
Notes on the diagram: Systems and Workflow; Staff and plan in place and ready to respond; Security policies, tools and monitoring; Attack attempts occur, sources & methods tracked; Management of response and communication; Post-event lessons feed updated monitoring plan

Slide 9 (section divider)

1 Preparing for an Inevitable Threat
2 What Happens During a Breach?

Slide 10: Preparing for Response

Laying the Foundation
Develop a Consistent Workflow Before Any Incident Occurs

Who Owns Decisions During the Breach?
• Security Officer
  – Detect and Report Incident
• Chief and Deputy Information Officer
  – Approve Incident Category
  – Manage Internal Communication
• Incident Response Leader
  – Build Incident Response Team

Does the Breach Affect a Critical System?
• Hierarchy of Priorities:
  – Human Life and Safety
  – Sensitive and Regulated Information
  – Critical Networks and Systems
  – Business Continuity
  – Internal Customer Service

See Toolkit for Additional Resources

Slide 11: Preparing for Response

Prepare and Empower First Responders
Define Responsibilities of the Incident Response Leader

Staff Response Team
• Recruit technical staff members with experience in compromised data
• As necessary, involve escalating group of key participants

Ensure Data Collection
• With technical team members, collect forensic evidence and KPIs
• Compile report on data breach and response for future security preparation

Manage Internal Communication
• Define incident priority level and notify CIO if necessary
• Update key staff (e.g., CIO, General Counsel) on breach during investigation

! Incident Response is a ‘Drop Everything’ Priority
Make sure that response leaders have the authority to clear all other team responsibilities during response.

Slide 12: Mobilizing Response

Act Quickly to Minimize Response Cost
Know the Necessary Immediate Steps

Collect Information
• Document Key Facts:
  – Record date and time of breach incident, breach discovery, and when response efforts began
  – Record who discovered the breach, reporting chain, and who on campus has been notified
• Begin Assessment and Analysis:
  – Estimate impact to institution and possible victims
  – Prioritize response and notification components

Mobilize Response
• Limit Damage:
  – Limit and secure access to compromised systems
  – If necessary, shut down affected machines and networks until forensic support arrives
• Alert Team:
  – Activate response leaders, who will be responsible for pulling in support personnel
  – Alert external response component groups (e.g., forensic data specialists)

Slide 13: Mobilizing Response

Assemble Your Team
Escalate Response Team With Threat Level

Escalation tiers: Minimum Necessary; Medium-Level Threat or Risk; High Risk to Resources or Reputation

• Incident Response Leader
  – Lead Breach Response, Fix, and Verification
  – Manage Resources and Communication
• IT Technical Expert
  – Collect Evidence, Lead Quarantine and Fix
  – Record and Report Key Metrics
• Compliance Officer
  – Provide Guidance on Regulations and Rules Governing Compromised Data
  – Expedite Communication with Internal Staff
  – Provide Context on Local Data Practices
• General Counsel
  – Evaluate Legal Risk to Institution and Victims
  – Assist in External Communication
• Media Relations Department
  – Coordinate All Internal and External Communication
  – Protect Public Image of Technology Unit, Institution

See Toolkit for Additional Resources

Slide 14: The Communication Framework

Who Do You Need to Call?
Maintain and Update Contact Lists for All Contingencies

Data Breach Services
• Forensic Investigators
• Private Investigators
• Outside Legal Counsel
• Mailing Services
• Call Centers
• Public Relations Firms

Community Contacts
• Law Enforcement
• Local Media Outlets
• Vendors Connected with Compromised Data
• Professional Organizations Affected by Breach

Keep All Response Leaders Updated with Key Contacts
Review lists of breach service providers and community contacts at least quarterly, and make sure all response leaders have accurate information when launching into team recruitment and investigation.

Slide 15: The Communication Framework

Striking the Right Tone
Focus on the Details in Communication with Victims

Sample Notification Letter
Notification of Data Breach: details about the breach and the nature of the lost data; steps the institution is taking to avoid future incidents; concern for the constituent, with contact information for remediation services.

! Sweat the Details
Remember that a breach can damage relationships with students, staff, and vendors. Ensure that every detail of external communication expresses sincere apologies and conveys determination to do better – down to the quality of paper used in outreach.

See Toolkit for Additional Resources

Slide 16: Lessons from the Private Sector

The New KPIs of Response
Measure Your Efficiency to Identify Opportunity

Standard Model
• Did we detect the breach and understand the problem?
• Did we assign an appropriate incident response team?
• Did we fix the problem?
• Did we notify the appropriate authorities and affected parties?
• Is service restored?

Progressive Model*
• Measure Mean Time to:
  – Identify: How long between breach and detection?
  – Know: How long between detection and understanding of root causes?
  – Fix: How long to resolve the situation and restore service?
  – Verify: How long to confirm resolution with affected parties?

Any Breach Will Hit Your Pocketbook
While the per-capita remediation fees associated with large-scale breaches can mount up, it’s the fixed cost of responding to a breach itself that is inevitable. Boosting your ability to act efficiently is a high-leverage investment.

* Source: “Cyber Security Incident Response: Are we as prepared as we think?” Ponemon Institute LLC, January 2014. http://www.lancope.com/files/documents/Industry-Reports/Lancope-Ponemon-Report-Cyber-Security-Incident-Response.pdf/.
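The "Collect Information" step on slide 12 names the facts to record at discovery (when the breach occurred, when it was discovered, when response began, who found it, the reporting chain, who has been notified), and the progressive model on this slide names the four "mean time to" metrics those timestamps feed. The Python block below is an added illustration, not code from the EAB deck or its toolkit: it holds those facts in one incident record, derives the four per-incident intervals, and averages them across a set of incidents while tolerating incidents that have not yet reached a stage (so an open incident never shortens a mean). The record type, its field names, and the two sample incidents are constructed for this example.

```python
"""Incident timeline record and the four "mean time to" response metrics.

Added illustration, not part of the EAB deck. Field names and the sample
incidents are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional


def milestones_in_order(stages: List[Optional[datetime]]) -> bool:
    """True when every dated milestone is no earlier than the one before it.

    Undated (None) milestones simply mean "not reached yet" and are skipped.
    """
    dated = [t for t in stages if t is not None]
    return all(a <= b for a, b in zip(dated, dated[1:]))


@dataclass
class IncidentRecord:
    """Key facts recorded at discovery, plus milestones as response proceeds."""
    incident_id: str
    discovered_by: str
    reporting_chain: List[str]              # e.g. ["Security Officer", "CIO"]
    notified: List[str]                     # campus parties already told
    breach_start: datetime                  # best estimate of when the breach began
    detected_at: datetime                   # breach discovery
    response_started_at: datetime           # when response efforts began
    root_cause_known_at: Optional[datetime] = None
    fixed_at: Optional[datetime] = None     # resolved, service restored
    verified_at: Optional[datetime] = None  # resolution confirmed with affected parties

    def __post_init__(self) -> None:
        # Reject records whose timeline runs backwards; bad timestamps corrupt every KPI.
        if not milestones_in_order([self.breach_start, self.detected_at,
                                    self.response_started_at, self.root_cause_known_at,
                                    self.fixed_at, self.verified_at]):
            raise ValueError(f"{self.incident_id}: milestones out of order")

    def intervals(self) -> Dict[str, Optional[timedelta]]:
        """The four building blocks of the progressive-model metrics for this incident.

        A stage not yet reached yields None rather than a bogus interval.
        """
        def gap(a: Optional[datetime], b: Optional[datetime]) -> Optional[timedelta]:
            return (b - a) if (a is not None and b is not None) else None

        return {
            "identify": gap(self.breach_start, self.detected_at),
            "know": gap(self.detected_at, self.root_cause_known_at),
            "fix": gap(self.root_cause_known_at, self.fixed_at),
            "verify": gap(self.fixed_at, self.verified_at),
        }


def mean_times(records: List[IncidentRecord]) -> Dict[str, Optional[float]]:
    """Mean hours per stage, averaged only over incidents that completed that stage."""
    buckets: Dict[str, List[float]] = {"identify": [], "know": [], "fix": [], "verify": []}
    for rec in records:
        for stage, delta in rec.intervals().items():
            if delta is not None:
                buckets[stage].append(delta.total_seconds() / 3600)
    return {stage: (mean(hours) if hours else None) for stage, hours in buckets.items()}


def sample_incidents() -> List[IncidentRecord]:
    """Constructed sample data: one closed incident, one still awaiting verification."""
    t0 = datetime(2014, 3, 1, 8, 0)
    return [
        IncidentRecord("INC-001", "Security Officer", ["Security Officer", "CIO"],
                       ["General Counsel"],
                       breach_start=t0, detected_at=t0 + timedelta(hours=48),
                       response_started_at=t0 + timedelta(hours=49),
                       root_cause_known_at=t0 + timedelta(hours=60),
                       fixed_at=t0 + timedelta(hours=72),
                       verified_at=t0 + timedelta(hours=120)),
        IncidentRecord("INC-002", "Help Desk", ["Help Desk", "Security Officer", "CIO"], [],
                       breach_start=t0, detected_at=t0 + timedelta(hours=24),
                       response_started_at=t0 + timedelta(hours=26),
                       root_cause_known_at=t0 + timedelta(hours=30),
                       fixed_at=t0 + timedelta(hours=36)),  # verification still open
    ]


if __name__ == "__main__":
    for stage, hours in mean_times(sample_incidents()).items():
        print(f"mean time to {stage}: {hours} h")
```

Recording the breach start as an estimate is deliberate: mean time to identify is the one metric that cannot be measured from response logs alone, and the forensic estimate of when the intrusion began should be revised in the record as the investigation firms it up.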

Slide 17: Looking to the Future

Turn Vulnerabilities Into Strengths
Build New Threat Indicators Into Future Planning

Outside Attacks and Threat Indicators
• What was the source of the attack?
• What are the key characteristics of the attacking individual or group?
• What was the vulnerability exploited (e.g., social engineering, poor security architecture)?
• How can future response processes and communications for similar incidents be improved?

Inside Theft and Accidental Exposure
• What was the source of the theft or loss?
• What vulnerabilities were exploited or exposed by the incident?
• Has the responsible employee or department caused problems before?
• Can improved awareness and trainings for local staff prevent future similar incidents?

Slide 18: Making the Grade

Are You (Basically) Prepared for a Breach?
Vetting Policies and People – minimum expectations

• I have a written policy to respond to a data breach.
• My breach plan is approved by the General Counsel and compliance staff.
• I have a pool of incident leaders ready to coordinate and lead response when necessary.
• I have drafted template release and notification documents approved by the General Counsel.
• I have a list of local breach services vendors and community contacts on hand.

Slide 19: Wrapping Up

Questions?

After this presentation…
• Review the Security Breach Toolkit handouts (IT Forum members may download e-copies at eab.com).
• Go through our self-diagnostic with your security lead.
• Get in touch with our research team to learn more about our security work and business intelligence research.

Laura Whitaker
Practice Manager, IT Forum
[email protected]
(202) 568-7483
