Cyber Security Risk Management and Identity Theft

Transcription

1 Cyber Security Risk Management and Identity Theft 2017 MD SHRM State Conference Presented by Robert Bob Olsen, Chief Executive Officer MS ITS, MBA, CISSP, CISM October 16, 2017 This presentation may not be reproduced or distributed without prior written approval of COMPASS Cyber Security.

2 Agenda Cyber Security Threats Overview Practical Tips and Considerations Responding to Identity Theft 2

3 Common Misconceptions We would never be targeted by a hacker, My IT team is responsible for cyber security, We do not need to train our employees on security awareness, All our data is in the cloud so we are no longer responsible for protecting it. We have cyber liability insurance so we are good. 3

4 2017 Verizon Data Breach Report 4

5 2017 Verizon Data Breach Report 5

6 Threat Actors External Script Kiddies, Ego, victim embarrassment, 3 rd Party Application Vendor, Financial gain, negligence, Hacktivists, Cause driven - religious, political, environmental. 6

7 Threat Actors External Criminal Hacker, Financial gain, Extortion, High value client targets, Nation State, Blackmail, Espionage, Financial gain. 7

8 Threat Actors Internal Negligent Insider, Lost mobile device, Accesses sensitive data from personal device, 3 rd Party Vendor, HVAC, security, janitorial, etc., Malicious Insider, Disgruntled employee(s), Bribed or blackmailed employee. 8

9 Threats and Business Impacts Phishing loss of data, brand damage, BEC transfer of $, brand damage, Ransomware loss of data and extortion, brand damage, DDoS loss of client access to portal, brand damage, Stolen user credentials unauthorized 3 rd party access, brand damage. 9

10 Threats and Risks Analysis 10

11 Phishing Example Nearly identical address (JohnHill vs. JohnHilll) Place she had visited from Facebook Name of a local bank Home address Including phone number 11

12 Threat/Controls Mapping Example PEOPLE POLICY TECHNOLOGY Culture of Security Least Access Privileges Filters Awareness Training Incident Response Plan Firewall Mock Phishing BCP/DRP Network Segmentation Role Based Access Cyber Insurance Patch Management Data Governance SIEM IDS/IPS 12

13 Practical Tips Policy Inventory and classify your data, Catalog and classify your data, Focus protection measures on most sensitive data, Perform annual policy reviews, Organization changes, Emerging/new technology, Newly outsourced/insourced functions, Policies should include all departments. 13

14 Practical Tips People People are the weakest link! Senior leadership support is critical, Lead by example, Regularly raise employee security awareness, Drip method, Seminar, webinars, podcasts, security tips, etc., Create a culture of security and make it personal for everyone. 14

15 Creating a Culture of Security Make it personal, If this then that examples, Tailor training to specific functions: Option 1 Individual departments (HR, finance, legal) and general population, Option 2 Group high risk users (hr, finance, legal) and general population, Incorporate reminders into everyday activities. 15

16 House Analogy Technology Your Residence Locks on doors Monitored alarm system Signage Safe for valuables Dog Video cameras Security guard(s) Police activity reports Your Organization Passwords, 2 factor authentication Firewall, antivirus, security monitoring Group policies Network segmentation, encryption Firewall, intrusion detection system, network alarms Security incident & event monitoring (SIEM) Security consultants Threat intelligence 16

17 House Analogy People & Policy Individual keys Your Residence Alarm system code(s) Stranger danger awareness Check who is at door before opening Annual fire drill exercises Your Organization Password management; privileged access; access control policy Role based access; password management Security awareness training Role based access (guest/faculty); awareness training Phishing exercises, incident response plan 17

18 Practical Tips Technology Technology should support and enforce your policies, Layered defense is the most effective, Ensure that you are regularly updating your network devices (laptops, firewalls, servers, etc.), Operating systems and applications, Understand the risks of your cloud provider(s). 18

19 Identity Theft PII and/or PHI used to create a false identity, Employees, Family members, Clients, Usage examples include credit cards, false tax return, store loyalty programs, internal impersonation, Combination of technical and social engineering tactics being used. 19

20 Identity Theft Fraud Statistics 20

21 Identity Theft Fraud Statistics 21

22 Identity Theft Top 10 States Missouri 2. Connecticut 3. Florida 4. Maryland 5. Illinois 6. Michigan 7. Georgia 8. Texas 9. New Hampshire 10.California Ranked based upon complaints per 100,000 residents. Source Insurance Information Institute 22

23 Identity Theft Response Steps 23

24 Identity Theft Response Steps 24

25 Identity Theft Response Steps 25

26 Summary Hackers are targeting all organizations that possess high value data, Human resources professionals play a key role in cyber security, A risk management approach is the most effective and practical one, You must be proactive, Cyber security is a team sport. 26

27 Contact Information Robert (Bob) Olsen Chief Executive Officer

28 Follow Us BALTIMORE 250 S President Street Suite 2300 Baltimore, MD WASHINGTON, DC 701 8th Street NW Suite 400 Washington, DC