• Like
  • Save
FORUM 2013 Cyber Risks - not just a domain for IT
Upcoming SlideShare
Loading in...5
×
 

FORUM 2013 Cyber Risks - not just a domain for IT

on

  • 388 views

 

Statistics

Views

Total Views
388
Views on SlideShare
388
Embed Views
0

Actions

Likes
0
Downloads
5
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    FORUM 2013 Cyber Risks - not just a domain for IT FORUM 2013 Cyber Risks - not just a domain for IT Presentation Transcript

    • Cyber Risks – Not Just a Domain for IT The Evolving Threat to Companies in Europe and Risk Transfer Tracie Grella Global Head of Professional Liability AIG Property Casualty 1
    • Client Perception How Concerned are you about this type of risk for your company? 1 Cyber Risks 86% 2 Loss of Income 82% 3 Property Damage 80% 4 Workers Compensation 78% 5 Utility Interruption 76% 6 Securities and Investment Risk 76% 7 Auto/Fleet Risk 65% All audiences agree: Clients who believe human error is a significant source of cyber risk 74% Hackers are the primary source of cyber threats 82% IT is difficult to keep up with cyber threats because they are evolving so quickly 80% 8/10/2013 2
    • Cyber Crime Attacks 43% of organizations in the EuroZone experienced more than 3 attacks 65% of companies across 62 countries are extremely concerned about cyber attacks Causes of a Data Breach • Top banks in the UK claims that cyber attacks now represents a major threat to their stability Cyber Trends • • 4 of 5 • Threat Actions: Hacking 52%, Social Tactics 29% Threat Agents: Organized Crime 52%, State Sponsored 19%, Insiders 14% 50% of insiders who committed sabotage were former employees taking advantage of security that was not disabled (Verizon Data Breach Report 2013 and AIG) • • • 70% of breaches were spotted by an external party, 9% were spotted by customers 76% of network intrusions exploited week or stolen credentials Claim volume up by 67% in 2012 and 71% in 2013 (AIG) Only 20% of middle market and large organizations purchase cyber (AIG) (Verizon Data Breach Report 2013) DLA Piper CIO Daniel Pollick “There has been a change in atmosphere in the past 18 months. Governments are taking cyber security more seriously and are pushing it to the top of business agendas” 3
    • Country Exposure Italy: 16,456 hacks against organizations in 1st half of 2013, up 57% from same time last year UK: Cost of Cyber Crime is £27bn Belgium: Cost of Cyber Crime EUR5bn • Cost to UK Business estimated £21bn • Average cost of resolving a data breach is £2.04m • Ireland: 37 breaches in 2012 with 68 over last 3 years Russia: number of cyber crimes grew 33% in 2012 8/10/2013 Germany: Cost to German business EUR43bn • Scotland: total cost of cyber Crime is £5bn every min lose £158 4
    • Business Enterprise Risk Typical Hourly Cost of Downtime by Industry (in US Dollars) The 6.48 million Brokerage Service Accounting  Employees can’t access systems Energy 2.8million  Consumers can’t access your product Telecom 2.0You disrupt a 3rd party’s supply chain million  Manufacturing  million 1.6Unexpected costs Typical Hourly Cost of Downtime by Industry (in US Dollars) Brokerage RetailService Energy Telecom Healthcare Manufacturing Retail Healthcare Media Media 6.48 million 2.8million 2.0 million 1.6 million 1.1 million 636,000  Reputation damage 1.1 million  Stock drops 636,000  Investigations 90,000 90,000 *Source: Network Computing, the Meta Group and Contingency Planning Research *Source: Network Computing, the Meta Group and Contingency Planning Research 8/10/2013 5
    • Business Enterprise Risk Employees can’t access systems • Down for an extended period Consumers can’t access your product • Loss in Net sales • Infrastructure • Breach of service agreements Reputation Damage • Cost to your Brand • Consumer churn • Loss of contracts or other business opportunities access systems Employees can’t • Business lost to competitors •Coupons and discounts product Consumers can’t access your You disrupt a 3rd party’s supply chain • Inability for upstream production or delivery • Legal Penalties for breach of contractual obligations Stock drops a 3rd party’s supply chain  You disrupt • Average stock drop related to a cyber event 5% Typical Hourly Cost Unexpected of Downtime by Industry (in US Dollars) costs Brokerage Service continuation costs million 6.48 • Business 2.8million • Energy Critical computer components damaged • Telecom Re-uploading and patching of system critical 2.0 million software Manufacturing 1.6 million • Retail Replacing lost or destroyed data sets 1.1 million Investigations Reputation damage •Own internal • Regulatory Stock drops •Shareholder Discovery Healthcare  Unexpected costs  Investigations 636,000 Media The Accounting 90,000 *Source: Network Computing, the Meta Group and Contingency Planning Research 8/10/2013 6
    • How Insurance Can Respond FINES PRE BIND SOLUTIONS INCIDENT / BREACH INVESTIGATION NOTIFICATION FORENSICS LEGAL / PR 8/10/2013 7
    • How Insurance Can Respond FINES PRE BIND SOLUTIONS Awareness & Education Loss Mitigation Tools INCIDENT / BREACH INVESTIGATION NOTIFICATION FORENSICS LEGAL / PR 8/10/2013 8
    • How Insurance Can Respond FINES PRE BIND SOLUTIONS INCIDENT / BREACH INVESTIGATION NOTIFICATION FORENSICS Cyber Extortion Business Interruption Crisis Management Loss of Clients Stock Drop LEGAL / PR 8/10/2013 9
    • How Insurance Can Respond FINES PRE BIND SOLUTIONS INCIDENT / BREACH INVESTIGATION NOTIFICATION FORENSICS LEGAL / PR 8/10/2013 Costs to Identify Exposed Records Contain the Breach Restore Data 10
    • How Insurance Can Respond FINES PRE BIND SOLUTIONS INCIDENT / BREACH INVESTIGATION NOTIFICATION FORENSICS Breach Coach and Legal Defense LEGAL 8/10/2013 Legal Costs to Aid Victims of ID Theft 11
    • How Insurance Can Respond Austria Germany Norway FINES PRE BIND SOLUTIONS Spain • Mandatory Notification Telecomm • Countries INCIDENT / BREACH INVESTIGATION Voluntary Notification Regulators FORENSICS NOTIFICATION Individuals Credit Monitoring 8/10/2013 LEGAL / PR 12
    • How Insurance Can Respond FINES PRE BIND SOLUTIONS 3rd Party Liability INCIDENT / BREACH INVESTIGATION Shareholders Client Regulatory NOTIFICATION FORENSICS LEGAL / PR 8/10/2013 13
    • How Insurance Can Respond Administrative FINES Industry Standards PRE BIND SOLUTIONS PCI INCIDENT / BREACH INVESTIGATION NOTIFICATION FORENSICS LEGAL / PR 8/10/2013 14
    • Cyber risks – not just a domain for IT October 1, 2013 Kevin P. Kalinich, J.D. Global Practice Leader – Cyber Insurance Aon plc Kevin.Kalinich@aon.com 8/10/2013 15
    • Cyber Insurance Outline • 2013 Evolving Trends o Financial Statement Impact o Board of Directors Issue o All Industries Impacted • Cyber Risk Identification o Classify, Qualify & Quantify • Risk Mitigation • Existing Insurance Policy Gap Analysis 8/10/2013 16
    • 2013 Evolving Trends  • • • • EU Organizations increasing reliance on  Hacker steals data of 2 million Vodafone Germany evolving technologies clients o Mobile (including payments)  British police arrest eight over cyber theft at Barclays o Cloud Computing o Social Media o Data Analytics (“Big Data”) o Third Party Vendor Issues Payment Card Industry Data Security Standards: Fines & Penalties Data transfers to US in wake of NSA Cyber Risks Financial Statement Impact o Actuarial Modeling o Board of Directors Liability? Managing Cyber Security as Business Risk: Cyber Insurance in the Digital Age (August 2013: http://assets.fiercemarkets.com/public/newsletter /fiercehealthit/experian-ponemonreport.pdf) http://www.emwllp.com/news/confidentialinformation-theft-cases-reach-record-high/ Aon Risk Solutions EMEA Proprietary & Confidential | 17
    • E-Business Evolution Social Networks SaaS On-line subscription Outsourcing Global Business Cloud Computing Aon Risk Solutions EMEA Proprietary & Confidential | Proposed New EU Data Privacy Protection Law  72 Hour Notice Period  “Right to be forgotten”  Penalties up to 2% of global annual turnover  Take effect two years after adoption Mobile Apps 18
    • Cyber Risk Identification • Identify & Classify Cyber Exposures (online and offline – hard copy) • Qualify • Quantify • Financial Statement Impact • A Checklist for Corporate Directors and the C-Suite: Data privacy & Security Oversight (http://www.networkedlawyers.com/category/confidential-information-trade-secrets/) http://www.aon.com/unitedkingdom/products-and-services/risk-services/datarisks.jsp Aon Risk Solutions EMEA Proprietary & Confidential | 19
    • Exposure Analysis Aon Risk Solutions EMEA Proprietary & Confidential | 20
    • Proprietary Cyber Risk Discovery Process  Procurement Process  Vendor Diligence  Limitation of Liability  Cloud Customized Ongoing Services  New Products and/or Services  Quality Controls  Employee Training  Contract Management  Dispute Risk Transfer Resolution Needs Diagnostic Program Design & Marketing  Content development/ clearance  Intellectual Property Review Aon Risk Solutions EMEA Proprietary & Confidential |  Data Risks  Privacy Policy  Security Controls  Data Breach Response Plan 21
    • Cyber Risk Actuarial Analysis growing  RISK vs. UNCERTAINTY  RISK = Something you can put a price on  (e.g. exactly 1 chance in 11 to hit an inside straight in Texas Hold’Em)  UNCERTAINTY = risk that is hard to measure (e.g. Cyber exposure frequency & severity)  “We ignore the risks that are hardest to measure, even when they pose the greatest threats to our well-being”  -- Nate Silver, The Signal And The Noise: Why So Many Predictions Fail – But Some Don’t Aon Risk Solutions EMEA Proprietary & Confidential |  Review Comparable Cyber Losses  Peer Benchmarking  Monte Carlo Simulations  Financial Impact Options  Risk Acceptance  Risk Avoidance  Risk Retention  Risk Transfer  Contractual Allocation  Cyber Insurance  Risk mitigation is key in all cases  Board of Directors Liability?????  Integrate with Enterprise Risk Management 22
    • Risk Mitigation • • • • • • • Comprehensive Cyber Risk Mitigation Program: Need Management Support Although IT Security & Use policies are important ----------------it is MUCH MORE THAN AN IT SECURITY ISSUE Engage inter-departmental coordination and cooperation • Risk Management • Finance/Treasury • Legal • Human Resources • CIO, CPO, CISO, etc. • IT Security Education on Legal Exposures: train & monitor employees & all others Ensure Compliance with Organization’s Privacy Policy regarding 3rd party Personally Identifiable Information Data Breach Management Policy – continuously update Third Party Exposures • Vendor/Supplier Management • Contractual Considerations • Vendor/Supplier Audits Aon Risk Solutions EMEA Proprietary & Confidential | 23
    • Sample 10 Questions To Ask Question Takeaways/Possible Conclusion Do you have an Information Security Policy ? Most will say yes. If no, it would suggest a lack of awareness of the issues and therefore would be unlikely to be ready for the product. Is it based on any Information Security Standard? Ideal answer would be ISO27002 as this is well understood and recognised by the market. What is the Governance Structure for management IS Risk & Controls? Presence of a structure is an indicator of a mature organisation who understands and is looking to manage the risks. How do you maintain assurance of your internal IT controls ? If there is an indication that a robust regime in place – a free scan should be positioned as additional assurance. No evidence is an opportunity for a free scan, but may also indicate a high risk. Do you use third party suppliers? Need for the product is increased if yes; need to find out the scope of services – if critical, need for cyber risk transfer is increased. Do you obtain assurance of their Data/Security Controls? Ideal answer is yes via a recognised method i.e. SSAE 16/SAS 70 or other auditing standard. These will be readily accepted as evidence. What is your approach to the management of mobile devices? Every client will have this issue; Laptop and device encryption are key controls. Lack of an informed response is not a good indicator. What are your key controls to determine if are being subject to a cyber attack? This provides an insight to the monitoring capability of the organisation. Most have poor levels of control unless they have outsourced a service. Do you have a Cyber response team or plan? Key area for extra service sales – most do not and failure to response quickly enough drives up and final incident cost. Have you ever needed to complete a forensic examination of your IT equipment? As above – often key evidence is destroyed through lack of awareness Aon Risk Solutions EMEA Proprietary & Confidential | 24
    • Can’t ‘traditional’ insurance help? Property General Liability Malware and Denial-ofService attacks do not constitute ‘physical perils’ and do not damage ‘tangible property’ CGL Privacy coverage limited to ‘publication or utterance’ resulting in one of traditional privacy torts. Unauthorized access exclusions. E&O Requires negligence in provision of defined business activities. Crime Crime policies require intent… theft of money, securities, or tangible property. Generally Intentional acts and insured vs. insured issues. No coverage for expensive crisis expenses required by law or to protect reputation. Potential Elements of Coverage in Commercial Property, General Liability, Crime, and Kidnap & Ransom Policies Aon Risk Solutions EMEA Proprietary & Confidential | 25
    • Existing Coverage & Gaps Aon Risk Solutions EMEA Proprietary & Confidential | 26
    • Existing Insurance Policy Claims Trends  Zurich v. Sony Declaratory Judgment Action: Over 55 class action lawsuits alleging billions of dollars in damages (Sept. 2011 new service agreement enforceable: mandatory arbitration and no class action?). Direct costs to companies impacted by cyber breaches, such as forensics, notification, credit monitoring and public relations costs, “are basic costs we would cover under our Zurich Security and Privacy Protection policy,” says Zurich. Then if a claim is filed, “we have a liability coverage part that would cover the affected entity for defense costs and indemnity they have to pay out as a result.”  State National Insurance Co. v. Global Payments April 2013 $84 Million Declaratory Judgment Action regarding excess Professional Liability policy: Card association claims do not arise out of negligence from “professional services” or “technology-based services”  Hartford v. Crate & Barrel and Children’s retail Stores (Declaratory Judgment Action with respect to GL Policy): – Over 125 Class Actions in California, lead by: Pineda v. Williams Sonoma, 51, Cal.4th 524, 246 P.3rd 612 (Cal. 2011) (Zip codes are personal identification information protected by California’s Song-Beverly Act) – Massachusetts Class Action: Tyler v. Michaels Stores, Inc., No. 1:111-cv-10920-WGY (D. Mass. Filed May 23, 2011);.  Colorado Casualty Insurance Company vs. Perpetual Storage and the University of Utah (GL Policy) -- Negligence suit against insurance broker for not placing proper coverage  Tornado Technologies Inc. v. Quality Control Inspection, Inc. (OhioCt. App. August 2, 2012) – no negligence of insurer for not warning insured to purchase special cyber policy  Retail Ventures v. National Union Fire Ins. (August 23, 2012) Crime Policy Endorsement Applies  Liberty v. Schnucks (August , 2013) Declaratory Judgment filed regarding General Liability policy Aon Risk Solutions EMEA Proprietary & Confidential | 27
    • Scope of Available Coverage Breac h Mitigation Regulator y Liability • Regulatory • Individual • Notification Investigations Actions Costs • Consumer • Consumer • IT Forensics • Online and offline Redress Funds Class Actions • PR + breaches • Civil Penalties • Suits from Advertising • Accidental or “rogue” • PCI – DSS business • Credit employee actions Fines partners Monitoring • Breaches caused by • UK & EU • Suits from • “Turnkey” vendors or country specific financial breach outsourcers laws institutions response from • Coverage should be customized based on the nature of the business carrier partners o For example, FI consumer facing businesses can face a different liability chain (see recent ATM’s) • Additional coverage available: o 1st Party Business Interruption: Lost revenue due to failed network security o Information Asset: Loss or costs associated with restoring destroyed data o Cyber Extortion: Pays an extortion demand to a party that holds the Insured’s system or data hostage o Media: Content based injuries (online and may include offline) Aon Risk Solutions EMEA Proprietary & Confidential | 28
    • Insurance Underwriter Issues To Address I. Contractual Allocation of liability and hold harmless and indemnity between Insured and each of each counterparties II. Are all subsidiaries 100% wholly owned or are there joint ventures? III. Does Insured comply with regulatory guidelines regarding disclosure of Cyber exposures, mitigation and risk transfer insurance (ADR’s)? IV. Review sample contracts from its suppliers as to allocation of liability, hold harmless and indemnity and insurance (name Insured as “Additional Insured?”) We have set up “affinity” type programs for large players in the Financial Institutions space where a supplier of the FI can obtain a $1 MM E & O policy for the benefit of the Insured FI V. Does Insured have any products or services that are protected from liability due to regulation? If so, what are the services and products and what are the revenues compared to total revenues? V. Do we have a breakdown of revenue by each product/service as the exposures from each are different in both frequency and severity? VII. What percentage of the products and services have been provided for over five years (at least 5 year’s worth of Loss History)? VIII. What percentage of products and services have been provided for less than one year? IX. What type of internal or third party IT security assessments have been conducted? ISO 27001? SSAE 16? X. What is the QA process for new products and services? XI. What is the escalation process to approve contractual changes with customers? XII. What is the escalation process to address and remedy complaints from customers? XIII. What percentage of customers are business (B2B) vs. Individuals (B2C)? Aon Risk Solutions EMEA Proprietary & Confidential | 29
    • Optimal Cyber Program Risk Tolerance Maximum Probable Loss Peer Purchasing Data Budget Contractual Requirement s Insurable Risks Aon Risk Solutions EMEA Proprietary & Confidential | Scope of Coverage/ Control Optimal Program Market Limitations 30
    • LIMITING THE IMPACT OF CYBER INCIDENTS Presented by Ben Van Erck EMEA RISK team PID# Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
    • PROPRIETARY STATEMENT This document and any attached materials are the sole property of Verizon and are not to be used by you other than to evaluate Verizon’s service. This document and any attached materials are not to be disseminated, distributed, or otherwise conveyed throughout your organization to employees without a need for this information or to any third parties without the express written permission of Verizon. © 2013 Verizon. All Rights Reserved. The Verizon and Verizon Business names and logos and all other names, logos, and slogans identifying Verizon’s products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners. Confidential and proprietary materials for for authorized Verizon personnel and outside agencies only. Use, disclosure distribution of this material is notnot permitted any unauthorized persons or third parties except by by written agreement. Confidential and proprietary materials authorized Verizon personnel and outside agencies only. Use, disclosure or or distribution of this material is permitted to to any unauthorized persons or third parties except written agreement. 32
    • Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 33
    • UNDERSTANDING THE WHO VARIED MOTIVATIONS VARIED TACTICS • Aim is to maximize disruption and embarrass victims from both public and private sector. • Use very basic methods and are opportunistic. • Rely on sheer numbers. • Motivated by financial gain, so will take any data that might have financial value. • More calculated and complex in how they chose their targets. • Criminals are now trading information for cash. • Often state-sponsored. • Driven to get exactly what they want, from intellectual property to insider information. • Often state-sponsored, use most sophisticated tools to commit most targeted attacks. • Tend to be relentless. Confidential and proprietary materials for for authorized Verizon personnel and outside agencies only. Use, disclosure distribution of this material is notnot permitted any unauthorized persons or third parties except by by written agreement. Confidential and proprietary materials authorized Verizon personnel and outside agencies only. Use, disclosure or or distribution of this material is permitted to to any unauthorized persons or third parties except written agreement. 34
    • ESPIONAGE STATE-AFFILIATED ESPIONAGE. • STATE-AFFILIATED ACTORS PERPETRATED 19% OF ATTACKS LAST YEAR. • TARGETS ARE NOT JUST GOVERNMENT AGENCIES, AND NOT JUST MILITARY CONTRACTORS. • BE AWARE OF THE “KNOCK-ON EFFECT” IN YOUR SUPPLY CHAIN. Confidential and proprietary materials for for authorized Verizon personnel and outside agencies only. Use, disclosure distribution of this material is notnot permitted any unauthorized persons or third parties except by by written agreement. Confidential and proprietary materials authorized Verizon personnel and outside agencies only. Use, disclosure or or distribution of this material is permitted to to any unauthorized persons or third parties except written agreement. 35
    • DIFFICULTY OF ATTACK Confidential and proprietary materials for for authorized Verizon personnel and outside agencies only. Use, disclosure distribution of this material is notnot permitted any unauthorized persons or third parties except by by written agreement. Confidential and proprietary materials authorized Verizon personnel and outside agencies only. Use, disclosure or or distribution of this material is permitted to to any unauthorized persons or third parties except written agreement. 36
    • WHAT TO WORRY ABOUT THIS YEAR’S BIGGEST THREATS? SAME AS LAST YEAR’S. • Very few surprises, mostly variations on theme. • 75% of breaches were driven by financial motives. • 95% of espionage relied on plain old phishing. • Well-established threats shouldn’t be ignored. Confidential and proprietary materials for for authorized Verizon personnel and outside agencies only. Use, disclosure distribution of this material is notnot permitted any unauthorized persons or third parties except by by written agreement. Confidential and proprietary materials authorized Verizon personnel and outside agencies only. Use, disclosure or or distribution of this material is permitted to to any unauthorized persons or third parties except written agreement. 37
    • WHAT TO WORRY ABOUT WHAT DO ATTACKERS TARGET? STILL THE TRADITIONAL ASSETS. • The weak links haven’t changed much: –Desktops 25% –File servers 22% –Laptops 22% • Unapproved hardware accounts for 43% of misuse cases. Confidential and proprietary materials for for authorized Verizon personnel and outside agencies only. Use, disclosure distribution of this material is notnot permitted any unauthorized persons or third parties except by by written agreement. Confidential and proprietary materials authorized Verizon personnel and outside agencies only. Use, disclosure or or distribution of this material is permitted to to any unauthorized persons or third parties except written agreement. 38
    • ATTACK VELOCITY QUICK TO COMPROMISE • In 84% of cases, initial compromise took hours or less. Confidential and proprietary materials for for authorized Verizon personnel and outside agencies only. Use, disclosure distribution of this material is notnot permitted any unauthorized persons or third parties except by by written agreement. Confidential and proprietary materials authorized Verizon personnel and outside agencies only. Use, disclosure or or distribution of this material is permitted to to any unauthorized persons or third parties except written agreement. 39
    • DETECTION VELOCITY QUICK TO COMPROMISE SLOW TO DISCOVERY • 66% of breaches went undiscovered for months… … Or even years. Confidential and proprietary materials for for authorized Verizon personnel and outside agencies only. Use, disclosure distribution of this material is notnot permitted any unauthorized persons or third parties except by by written agreement. Confidential and proprietary materials authorized Verizon personnel and outside agencies only. Use, disclosure or or distribution of this material is permitted to to any unauthorized persons or third parties except written agreement. 40
    • RECOMMENDATIONS
    • INCIDENT RESPONSE PLAN IT’S NOT ABOUT THE PLAN, IT’S ABOUT THE PLANNING! • Develop an IR plan (people, process, technology) • Mock incident testing – Table-top – Fake incident – Red vs Blue team • Most important step in your IR process: learning from mistakes (yours and other people’s) • Stakeholders • Decision makers Confidential and proprietary materials for for authorized Verizon personnel and outside agencies only. Use, disclosure distribution of this material is notnot permitted any unauthorized persons or third parties except by by written agreement. Confidential and proprietary materials authorized Verizon personnel and outside agencies only. Use, disclosure or or distribution of this material is permitted to to any unauthorized persons or third parties except written agreement. 42
    • Additional Information • Download DBIR – www.verizonenterprise.com/dbir • Learn about VERIS - www.veriscommunity.net and http://github.com/vz-risk/veris • Explore the VERIS Community Database: http://public.tableausoftware.com/views/vcdb/Overview and learn more about this data http://veriscommunity.net/doku.php?id=public • Ask a question – DBIR@verizon.com • Read our blog - http://www.verizonenterprise.com/security/blog/ • Follow on Twitter - @vzdbir and hashtag #dbir 43
    • DBIR: www.verizon.com/enterprise/databreach VERIS: www.veriscommunity.net/ 44
    • Please fill in the session feedback through the FERMA Mobile app 45