
By: cdoyle
April 26, 2018
Corporate Cybersecurity Supply Chain

Corporate Cybersecurity Management: Course Notes
Presented by Carter Schoenberg
contact@hemispherecybersec.com
Translating Technical Threats Into Understandable Business Terms
Part 1 - Introduction to Corporate
Legal concepts relative to cybersecurity
TCO vs. ROI
How does a spoliation order impact your liability as a cyber professional
Supply Chain
Cyber implications for publicly traded companies
Takeaways
Understand how to discern a cyber threat from a business risk
Understand legal concepts relative to cybersecurity
Understand how your business partners increase your risk exposure
Provide greater value to C-Suite or System Owners
Position your career path for growth
Cyber - What the heck is it?
Computers, smartphones, networks, cloud infrastructure, data centers and data itself.
Cybersecurity Market Annual Forecast
Increasing incidents reported yearly
How We Conduct Business Today
Sales/Pipeline
Program or Project Management
Staffing Resources
Cash Flow and Accounting
What is Generally Overlooked
Cyber Risk
Legal Considerations
Insurance
(these areas of business operations represent the greatest exposure to financial devastation)
How do we know what is important for us to look at?
Risk = Threats x Vulnerabilities x Impact
Weighted scoring system
- The Tool's Score 40%
- Compensating Controls 20%
- Data 40%
This can adjust based on importance to your org.
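The following is an added worked example, not code from the course or its presenter: it applies the weighting from the notes (tool score 40%, compensating controls 20%, data 40%) to a few constructed findings and ranks them. The `Finding` fields, the 0-10 scales and the sample findings are assumptions made here for illustration; the weights dictionary can be changed to reflect what matters to your organisation, as the notes suggest.

```python
"""Weighted risk scoring for vulnerability findings (added example)."""
from dataclasses import dataclass

# Weights from the course notes; adjust to what matters to your organisation.
WEIGHTS = {"tool_score": 0.40, "compensating_controls": 0.20, "data": 0.40}


@dataclass
class Finding:
    name: str
    tool_score: float             # scanner severity on a 0-10 scale (e.g. a CVSS base score)
    compensating_controls: float  # strength of controls already in place, 0-10 (10 = fully mitigated)
    data: float                   # sensitivity/volume of the data at risk, 0-10


def weighted_score(f: Finding, weights: dict = WEIGHTS) -> float:
    """Return a 0-10 weighted risk score for one finding.

    Compensating controls reduce risk, so their contribution is inverted:
    strong controls (10) contribute nothing, no controls (0) contribute the full 20%.
    """
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0")
    for value in (f.tool_score, f.compensating_controls, f.data):
        if not 0 <= value <= 10:
            raise ValueError("inputs must be on a 0-10 scale")
    score = (weights["tool_score"] * f.tool_score
             + weights["compensating_controls"] * (10 - f.compensating_controls)
             + weights["data"] * f.data)
    return round(score, 2)


def prioritize(findings, weights: dict = WEIGHTS):
    """Rank findings from highest to lowest weighted risk."""
    return sorted(findings, key=lambda f: weighted_score(f, weights), reverse=True)


# Constructed sample findings (hypothetical, for illustration only).
SAMPLE_FINDINGS = [
    Finding("Unpatched internet-facing VPN appliance", tool_score=9.8, compensating_controls=2, data=9),
    Finding("Critical CVE on isolated test host", tool_score=9.8, compensating_controls=9, data=1),
    Finding("Medium finding on patient records database", tool_score=5.0, compensating_controls=4, data=10),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{weighted_score(f):5.2f}  {f.name}")
```

Two findings with the same scanner score end up far apart once controls and data are weighted in, and the medium-severity finding on the patient database outranks the isolated critical one. That is the point of the scoring: the tool's severity alone is not the business risk.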
Part 2 - 4 Steps on Prioritizing
Focus on priority
How do you prioritize?
- Understand your mission/business operations
  - Critical Infrastructure / Healthcare / Manufacturing / Finance / Law Enforcement
- Understand Your Threat Landscape
  - Individual Actors / Nation State / Organized Criminal Syndicate
- Probable Outcomes
  - System Disruption / Ransomware File Locking / Data Manipulation
- Legal Considerations
  - Critical Infrastructure
    - Power outages leading to exposure
    - Transportation disruption
  - Healthcare
    - Patient record dissemination / HIPAA violation
    - Inability to access critical resources
    - Ransomware that results in physical harm
  - Manufacturing
    - Production halted
    - Breach of contract
  - Finance
    - Dissemination of bank account details
    - Stock market manipulation
    - Bank fraud
  - Law Enforcement
    - Disruption of 911
    - Increased risk of loss of life
    - Unauthorized access to criminal justice records
Part 3 - Legal Concepts Relative to Cybersecurity
Open Source Information - Not Legal Advice - Informational Purposes Only
Legal Concepts Relative to Cybersecurity
Let's examine the elements that, if met and resulting in harm, lead to a case based on negligence.
Duty: Does the defendant have a responsibility to protect information?
Negligence: Is there evidence that the defendant did not fulfill his or her duty of care?
Damage: Did the plaintiff suffer quantifiable harm?
Cause: Can the breach of duty related to the damages be considered a primary cause?
*In tort law, a duty of care is a legal obligation which is imposed on an individual requiring adherence to a standard of reasonable care while performing any acts that could foreseeably harm others. It is the first element that must be established to proceed with an action in negligence.
(Sometimes referred to as "Standard of Care" - Nelson Law)
Legal Concepts Relative to Cybersecurity
Due Diligence: Such a measure of prudence, activity, or assiduity as is properly to be expected from, and ordinarily exercised by, a reasonable and prudent man under the particular circumstances.
Due Care: Just, proper, and sufficient care, so far as the circumstances demand it.
-Black's Law Dictionary
Due Diligence + Due Care = Standard/Duty of Care
Legal Concepts in Recent Court Cases
- 2003: Maine Public Utilities Commission v. Verizon
  - Due Care & Neighbor Policy / Course advice: "Foreseeable and Preventable"
- 2007: Class Action against TJ Maxx
  - Harm to plaintiffs could not be shown
- 2009: Class Action against Heartland
  - Harm to plaintiffs could not be shown
- 2013: Banks and Class Action against TARGET
  - Focus on who incurred harm shifts from individuals to banks
- 2014: Class Action against Home Depot
  - Harm to individuals was in question, but failure to address the data breach reporting requirements of 47 states forced a settlement
Part 4 - TCO vs. ROI
TCO vs. ROI
You cannot show ROI on cybersecurity, right?
ROI: A performance measure used to evaluate the efficiency of an investment or to compare the efficiency of a number of different investments. ROI measures the amount of return on an investment relative to the investment's cost. To calculate ROI, the benefit (or return) of an investment is divided by the cost of the investment, and the result is expressed as a percentage or a ratio.
The return on investment formula: ROI = (gain from investment - cost of investment) / (cost of investment)
Total cost of ownership (TCO) is the purchase price of an asset plus the costs of operation. When choosing among alternatives in a purchasing decision, buyers should look not just at an item's short-term price, which is its purchase price, but also at its long-term price, which is its total cost of ownership. The item with the lower total cost of ownership will be the better value in the long run. ~Investopedia
Syslog Monitoring Manual Review once a month = 8 man hours
Firewall Review once a month = 8 man hours
ID/AU Review once a month = 8 man hours
Patch Management Updates = 16 man hours
Location: Atlanta, Georgia
$83,953 annual salary / 2,080 hours per year = $40.36 per hour
TCO for Syslog Reviews
$40.36 * 40 * 12 = $19,372.80 Annually
Cost to Beat = $19,372.80 per year
Quote = $15,000 per year = Lower TCO
Quote = $25,000 per year = Higher TCO
Other factors to consider
- Cost of IR/DR
- Cost of Legal Defense
- Cost of Breach Notifications
- Cost of Credit Monitoring (if applicable)
- Do you have cyber insurance?
How will you pay?
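The TCO comparison and the ROI formula above, carried through as an added example (this is not code from the course or its presenter). The task hours, the Atlanta salary of $83,953, the 2,080-hour working year and the two vendor quotes are the notes' own figures; the `other_annual_costs` input, which lets the "other factors" (IR/DR, legal defense, notification, credit monitoring) be folded into the in-house figure, and the use of avoided in-house labour as the "gain" in the ROI calculation are assumptions made here.

```python
"""TCO vs. ROI worked example (added example)."""

HOURS_PER_YEAR = 2080  # 40 hours x 52 weeks, as used in the notes

# Monthly manual work from the notes, in man hours.
MONTHLY_TASKS = {
    "Syslog monitoring manual review": 8,
    "Firewall review": 8,
    "ID/AU review": 8,
    "Patch management updates": 16,
}


def hourly_rate(annual_salary: float, hours_per_year: int = HOURS_PER_YEAR) -> float:
    """Loaded hourly cost of the analyst doing the work, rounded to cents."""
    return round(annual_salary / hours_per_year, 2)


def annual_tco(tasks: dict, annual_salary: float, other_annual_costs: float = 0.0) -> float:
    """In-house TCO: labour for the monthly tasks over 12 months plus any fixed yearly costs.

    other_annual_costs is an assumption of this example: a place to add
    retainers, tooling or insurance premiums that a vendor quote would replace.
    """
    hours_per_month = sum(tasks.values())
    labour = hourly_rate(annual_salary) * hours_per_month * 12
    return round(labour + other_annual_costs, 2)


def compare_quote(quote: float, cost_to_beat: float) -> str:
    """Classify a vendor quote against the in-house cost to beat."""
    if quote < cost_to_beat:
        return "Lower TCO"
    if quote > cost_to_beat:
        return "Higher TCO"
    return "Equal TCO"


def roi_percent(gain: float, cost: float) -> float:
    """ROI = (gain - cost) / cost, expressed as a percentage (one decimal)."""
    if cost <= 0:
        raise ValueError("cost must be positive")
    return round((gain - cost) / cost * 100, 1)


if __name__ == "__main__":
    cost_to_beat = annual_tco(MONTHLY_TASKS, 83953)
    print(f"Hourly rate: ${hourly_rate(83953):.2f}")
    print(f"Cost to beat: ${cost_to_beat:,.2f} per year")
    for quote in (15000, 25000):
        print(f"Quote ${quote:,}: {compare_quote(quote, cost_to_beat)}")
    # Treating the avoided in-house labour as the gain, the $15,000 quote has a positive ROI.
    print(f"ROI of the $15,000 quote: {roi_percent(cost_to_beat, 15000):.1f}%")
```

Expressing the outsourced option as an ROI figure (avoided cost minus quote, over the quote) is what turns "we spent $15,000 on monitoring" into a number a CFO can weigh against other spend; the same function applies to a breach-cost estimate avoided by a control.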
Part 5 - Translating Technical Threats into Business Risk
Recommendations and Cost of Ownership
Risks      Remediation   Incident Response & Recovery
Direct     $4,044        $23,709
Indirect   $2,993        HIPAA Sanctions & Breach Notification Costs
                         Litigation Costs
                         Violation of Georgia Personal Identity Protection Act
Part 6 - Spoliation in the Field of Cyber
Spoliation occurs when a person or company withholds, alters, hides, or destroys evidence that's relevant to a civil or criminal case, either intentionally or negligently. -Rottenstein
Examples May Include: (After a security event has occurred and an order is issued)
- Deleting Syslog Files
- Wiping Smartphones
- Re-imaging a desktop or Server
- Reconfiguring firewalls
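The defensible response once a preservation order is in effect is to fix the state of the evidence before anyone touches it, so that any later deletion, alteration or re-image is provable rather than suspected. The script below is an added example, not the course's or presenter's material: it hashes a set of files into a timestamped manifest and later verifies the files against it. The custodian name, the sample log lines and the temporary directory it works in are constructed here for illustration.

```python
"""Evidence-preservation manifest: record file hashes under a hold, verify later (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large logs do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(paths, custodian: str) -> dict:
    """Record who fixed the evidence, when, and the hash and size of each file."""
    return {
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian,
        "files": {p: {"sha256": sha256_file(p), "size": os.path.getsize(p)} for p in paths},
    }


def verify_manifest(manifest: dict) -> dict:
    """Return {path: status} with status 'ok', 'modified' or 'missing'."""
    result = {}
    for path, record in manifest["files"].items():
        if not os.path.exists(path):
            result[path] = "missing"
        elif sha256_file(path) != record["sha256"]:
            result[path] = "modified"
        else:
            result[path] = "ok"
    return result


def demo():
    """Constructed scenario: two log files are placed under hold, then one is deleted and one altered."""
    workdir = tempfile.mkdtemp()
    # Constructed sample log content (hypothetical hosts and addresses).
    logs = {
        "syslog": b"Apr 26 10:00:01 host1 sshd[1234]: Accepted publickey for analyst\n",
        "firewall.log": b"Apr 26 10:00:05 fw01 deny tcp 192.0.2.5:51000 -> 198.51.100.9:445\n",
    }
    paths = []
    for name, content in logs.items():
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            fh.write(content)
        paths.append(path)

    manifest = build_manifest(paths, custodian="example custodian (hypothetical)")
    with open(os.path.join(workdir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)  # keep the manifest with the case file, not on the host
    before = verify_manifest(manifest)

    # The two spoliation examples from the notes: a deleted syslog and an altered file.
    os.remove(paths[0])
    with open(paths[1], "ab") as fh:
        fh.write(b"Apr 26 11:00:00 fw01 config reload\n")
    after = verify_manifest(manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("At time of hold:", before)
    print("Later check:    ", after)
```

Store the manifest (and ideally a copy of the files) somewhere the affected systems cannot write to; a hash record kept on the same box that gets re-imaged proves nothing. The same routine run before a planned re-image or firewall change documents that the change happened after preservation, which is the distinction a court will ask about.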
Part 7 - Supply Chain
Business Partners - Supply Chain
- Network connectivity
- File sharing/records management
OPM vs. Target breaches
- Both tied to 3rd party
- Both experienced massive costs to remediate
- OPM could not offset by insurance
- OPM could not have costs pushed back to 3rd party.
- Both experienced civil litigation
Part 8 - Cyber Implications for Publicly Traded Companies
2015 Challenges - Highlights
The No. 1 challenge: cybersecurity
Things they are looking at:
- Identifying risks related to cybersecurity
- Establishing cybersecurity governance
  - Including policies
  - Procedures and oversight processes
- Protecting firm networks and information
- Identifying and addressing risks associated with the remote access to client information and funds transfer requests
- Identifying and addressing risks associated with vendors and other third parties; and
- Detecting unauthorized activity
(SEC)
Part 9 - Underwriting Process and Considerations
- Determine the hazard grade
- Review controls in place
- Consider discretionary factors
- Evaluate individual risk exposure
- Understand the Limits Needed to Address the Exposures
- Other factors to consider
  - Cost of IR/DR
  - Cost of Legal Defense
  - Cost of Breach Notifications
  - Cost of Credit Monitoring (if applicable)
  - Do you have cyber insurance?