Cyber Security Updates and Trends Affecting the Real Estate Industry
What, Why, and How?
Agenda
- Cyber Security Today
- Changes to Security Standards and Trends
- Protecting Yourself and Your Organization
- Takeaways
Introductions
- David Hendrickson, Cyber Security Manager
- Micah Wenz, IT Risk Services Manager
Cyber Security Today: The Why
Cyber Attacks: Path of Attack
[Diagram labels: Services in the Cloud, Employees, Web App Firewall, Remote Access, Customers / Clients, 3rd Parties]
Cyber Attacks: Anatomy of a Breach
[Diagram labels: Discovery, Capture, Web App Firewall, Remote Access, Internal Attacks, Exfiltration]
Breach Snapshot: Malicious Actors in a Breach
- Outsiders: 75%
- Organized Criminal Groups: 51%
- Internal Actors: 25%
- State-Affiliated Actors: 18%
- Multiple Parties: 3%
- Involved Partners: 2%
Source: Verizon Enterprise 2017 Data Breach Investigations Report (4/27/2017)
Breach Snapshot: Tactics Used in a Breach
- Stolen/Weak Passwords: 81%
- Hacking: 62%
- Malware: 51%
- Social Attacks: 43%
- Errors: 14%
- Privilege Misuse: 14%
- Physical Actions: 8%
Source: Verizon Enterprise 2017 Data Breach Investigations Report (4/27/2017)
Big 3 Issues Now
[Diagram labels: Security Hygiene, Assess, Third Parties, Operate, Design, Implement, People]
High Profile Breaches from the Big 3
- Fraud & Extortion
- Intelligence Gathering
- Massively Successful
And of course...
- Equifax data breach affects 143 million consumers
- Handling of breach called a dumpster fire
- Stock is already down 36% from high
- Separate breach in March was just disclosed
- Lawsuits are on the way
- This will likely be the most costly breach in U.S. history
Changes to Security Standards and Trends: Part of the How
General Information
- Discussion: Why this matters to your business
- Every major standard update is now including:
  - Supply Chain Security
  - Emphasis/Focus on Multi-Factor Authentication
- Standards changes are migrating from:
  - U.S. Government
  - Critical Infrastructure
  - Highly Regulated
  - All organizations
Real Estate Concerns and Considerations
The Real Estate Industry is a Current Target
- Primary Target: $$
  - Re-directing payments
  - Fake bills and invoices
  - Theft of Tenant financial information
- Secondary Targets:
  - Personal Information
  - Sensitive/Confidential Information
  - Control of Systems and Devices
  - Access to Additional Locations
Example
- FBI Reports: $19 Million diverted from real estate purchases in 2016 using email (phishing) techniques
- As of Jan 2017, one Memphis real estate company had lost at least $2.2 Million and was targeted on a daily basis for additional fraud.
- Targets of the Attacks Include:
  - Real Estate Agents
  - Real Estate Companies
  - Closing and Title Companies
  - Tenants
Understand Your Current Exposure: Assessing Security and Risk
Risk and Security Assessments
- Understand the current posture
- Prepare the environment
- Consider the following assessments:
  - Enterprise Risk Assessment
  - IT/Cyber Risk Assessment
  - Data Classification
  - Compliance (as needed)
  - Technical Assessments
  - Readiness Assessments
Understand Our Environment: Data Flow
[Diagram labels: Our Environment, File Storage, Service Provider, On Premise Systems, Service Provider, Email and Workflow, Service Provider, Portals & Documents, Direct management, Third Party Management]
Understand Our Environment: Risk
Design Better Security
- Resources & Capabilities: People, Process, Technology
- Assess
- Drivers & Requirements: Confidentiality, Integrity, Availability
- Cyber Security Program
Basic Cybersecurity
- You do not need to be a technical guru to implement basic cybersecurity practices.
- Topics to be knowledgeable on:
  - Phishing emails
  - USB practices
  - Internet browsing
  - Password security
Phishing Emails
USB Good Practice
- USB devices can be utilized to migrate malware onto the target computer.
- Do not accept or use USBs from strangers.
- Disable USB ports on computers.
Internet Browsing
- Beware URLs and links that contain typos.
- HTTP vs HTTPS
- http://bit.ly/ifhzvo
Password Security
- Do not reuse passwords across websites.
- Use a combination of letters, symbols, and numbers in your password.
- The longer the password, the more difficult it is for a hacker to crack it.
- Don't store passwords in plain text files or on your desk.
- Use an encrypted, centralized location for passwords.
What we can do
- People: Training (DON'T CLICK!); Culture (Reporting & Response): "I may have clicked on something."
- Technical Controls, designed in to the process: Use the capabilities included in your technology.
- Internal Controls, use your people & processes: Processes designed to support proper controls and approvals.
Key Takeaways & Action Items
- Get Started!
- Perform initial cyber risk assessment
- Define what is important and why
- Define how you want to proceed
- Design and Build Your Program
- Perform ongoing assessments to support needs
Questions?
Contact Information
- RubinBrown Denver office: 303.698.1883
- David Hendrickson: 720.709.5604, David.Hendrickson@rubinbrown.com
- Micah Wenz: 303.952.1215, Micah.Wenz@rubinbrown.com