
Data Breaches A Look in the Rear View Mirror

State Governments at Risk!


States are attractive targets: data!

More aggressive threats: organized crime, unorganized crime, hacktivism

Critical infrastructure protection

Lack of broad executive support

Governance and authority lacking

Data on the move

Need more training, awareness

Growing Security Risks in the States


Protecting legacy systems

Malicious software

Inadequate policy compliance

Mobile devices and services

Use of social media platforms

Use of personally-owned devices (BYOD) for state business

Third-party contractors and managed services

Adoption of cloud services; rogue cloud users

Foreign state-sponsored espionage

Source: Deloitte-NASCIO Cybersecurity Study, October 2012

State Data Breach Loss of Citizen Trust!

State CIO Priorities for 2013

1. Consolidation/ Optimization

2. Cloud Services

3. Security

4. Mobile Services/ Mobility

5. Budget and Cost Control

6. Shared Services

7. Health Care

8. Legacy modernization

9. Nationwide Public Safety Broadband Network

10. Disaster Recovery/ Business Continuity

Source: NASCIO State CIO Survey, November 2012

What Are Top Priorities for State CISOs?

Source: Deloitte-NASCIO Cybersecurity Study, October 2012

What Do We Know about State Government Data Breaches?

By the Numbers: The Consequences For States

Over 20% of US data breaches happen in the public sector

Government agencies have lost more than 94 million records of citizens since 2009

97% increase in personal health information breaches over 2010

Average cost per lost or breached record is $194

Sources: "Rapid7 Report: Data Breaches in the Government Sector." Rapid7, September 6, 2012. "2011 Cost of Data Breach Study: Global." Ponemon Institute, March 2012.

Source: www2.idexpertscorp.com

Reported Causes of Government Data Breaches


1. Unintended disclosure

2. Portable device

3. Physical loss

4. Hacking or malware

5. Insider

6. Stationary device

7. Unknown or other
Sources: Privacy Rights Clearinghouse, Rapid7 Report, US-CERT

Cybersecurity Resources Often Spent on Ineffective Activities


Hacking is easy.

Targeted attacks against business and government increased to 30,000 a year in 2012

More than 90% of successful penetrations of networks required only the most basic techniques

75% of attacks use publicly known vulnerabilities in commercial software that could be prevented by regular patching

85% of breaches took months to discover
Sources: CSIS, Symantec 2012 Threat Report, Verizon 2013 Data Breaches Report, Trustwave, US-CERT, NASCIO

Autopsy of a Data Breach: Findings from the Inspector General's Report


Finding #1: The state does not have a statewide INFOSEC program, which undermines an effective statewide security posture and creates unmanaged and uncontrolled statewide INFOSEC risks with potential impact on the entire state government.

Finding #2: The state has not fixed responsibility, accountability, and authority for statewide INFOSEC.

Finding #3: Consultants with expertise in developing and implementing statewide INFOSEC programs will be required to assist in establishing a statewide INFOSEC governance framework and implementation options.

Source: State of South Carolina, Office of the Inspector General, "State Government Information Security Initiative: Current Situation & A Way Forward," Interim Report, November 30, 2012

More Governance, Collaboration and Compliance is Needed

Who's Responsible for Protecting State Data?


Chief Information Officer

Information Security Officer

Agency Leaders

Data Owners

Human Resources

Legal

Employees

Third-Party Contractors

Protecting critical data is a core responsibility of the state and an investment in risk management. State leaders ignore this at their peril.

A Call to Action for States: Execute on an effective cybersecurity strategy, with strong governance and compliance monitoring measures

The Tactical Guide to Data Protection


Know your assets: where is the data?

Classify data and assess known risks

Clearly document and consistently enforce policies and controls

Implement strict password and account management policies and practices

Implement a security information and event management (SIEM) solution

Trust, but verify

Act and Adjust: A Call to Action for Governors for Cybersecurity


National Governors Association, September 26, 2013

Establish a governance and authority structure for cybersecurity

Conduct risk assessments and allocate resources accordingly

Implement continuous vulnerability assessments and threat mitigation practices

Ensure that the state complies with current security methodologies and business disciplines in cybersecurity

Create a culture of risk awareness

Source: NGA's Resource Center for State Cybersecurity, 2013

Thank You! And be careful backing up.
