Cyber Security Risk Management and Identity Theft
2017 MD SHRM State Conference
Presented by Robert (Bob) Olsen, Chief Executive Officer, MS ITS, MBA, CISSP, CISM
October 16, 2017
This presentation may not be reproduced or distributed without prior written approval of COMPASS Cyber Security.
Slide 2: Agenda
- Cyber Security Threats Overview
- Practical Tips and Considerations
- Responding to Identity Theft
Slide 3: Common Misconceptions
- "We would never be targeted by a hacker."
- "My IT team is responsible for cyber security."
- "We do not need to train our employees on security awareness."
- "All our data is in the cloud, so we are no longer responsible for protecting it."
- "We have cyber liability insurance, so we are good."
Slides 4-5: 2017 Verizon Data Breach Report (charts from the report; not reproduced in the text)
Slide 6: Threat Actors (External)
- Script kiddies: ego, victim embarrassment
- 3rd party application vendor: financial gain, negligence
- Hacktivists: cause driven (religious, political, environmental)
Slide 7: Threat Actors (External)
- Criminal hacker: financial gain, extortion, high value client targets
- Nation state: blackmail, espionage, financial gain
Slide 8: Threat Actors (Internal)
- Negligent insider: lost mobile device; accesses sensitive data from a personal device
- 3rd party vendor: HVAC, security, janitorial, etc.
- Malicious insider: disgruntled employee(s); bribed or blackmailed employee
Slide 9: Threats and Business Impacts
- Phishing: loss of data, brand damage
- BEC (business email compromise): transfer of $, brand damage
- Ransomware: loss of data and extortion, brand damage
- DDoS: loss of client access to portal, brand damage
- Stolen user credentials: unauthorized 3rd party access, brand damage
Slide 10: Threats and Risks Analysis (chart; not reproduced in the text)
Slide 11: Phishing Example
- Nearly identical email address (JohnHill vs. JohnHilll)
- A place she had visited, taken from Facebook
- Name of a local bank
- Home address, including phone number
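The "nearly identical email address" cue on this slide is one that a mail gateway or a help-desk triage script can check mechanically rather than relying on the reader to notice an extra letter. The following Python script is an added example, not part of the presentation or of COMPASS Cyber Security's material: it compares each inbound sender address against a constructed list of known contacts and flags near-matches (small edit distance in the local part or the domain) for human review. Every address in it is constructed sample data; the first contact mirrors the slide's JohnHill example.

```python
"""Lookalike-sender check for the 'nearly identical email address' phishing cue.

Added example (not from the presentation): compares inbound sender addresses
against a list of known contacts and flags near-matches for human review.
All addresses below are constructed sample data.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum number of single-character inserts, deletes or
    substitutions that turn a into b (plain dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def split_address(addr: str):
    """Case-fold and split 'Local@Domain' into (local, domain)."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain


def classify_sender(sender: str, known_contacts, max_distance: int = 2):
    """Return ("known", contact), ("lookalike", contact) or ("unknown", None).

    A sender is a lookalike when it is not an exact (case-insensitive) match
    but is within max_distance edits of a known contact. Local part and domain
    are measured separately, so a swapped character in the domain is caught too.
    """
    s_local, s_domain = split_address(sender)
    best = None
    for contact in known_contacts:
        c_local, c_domain = split_address(contact)
        if (s_local, s_domain) == (c_local, c_domain):
            return "known", contact
        distance = levenshtein(s_local, c_local) + levenshtein(s_domain, c_domain)
        if distance <= max_distance and (best is None or distance < best[0]):
            best = (distance, contact)
    return ("lookalike", best[1]) if best else ("unknown", None)


# Constructed address book; the first entry mirrors the slide's JohnHill example.
KNOWN_CONTACTS = ["johnhill@example.com", "payroll@example.com"]

# Constructed inbound senders, as a gateway or triage script might see them.
SAMPLE_SENDERS = [
    "JohnHill@example.com",        # genuine contact, different casing only
    "JohnHilll@example.com",       # extra 'l' in the local part
    "payroll@examp1e.com",         # digit 1 substituted for letter l in the domain
    "newsletter@vendor.example",   # unrelated sender, nothing to compare against
]


def triage(senders, known_contacts=KNOWN_CONTACTS):
    """Return the senders that deserve a second look, with the contact each imitates."""
    flagged = []
    for sender in senders:
        verdict, contact = classify_sender(sender, known_contacts)
        if verdict == "lookalike":
            flagged.append({"sender": sender, "imitates": contact})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_SENDERS):
        print(f"REVIEW: {hit['sender']} looks like {hit['imitates']}")
```

The verdict is a prompt for review, not a block decision: two genuine colleagues with similar names will also score close, so this check works best as one signal alongside the other cues on the slide (personal details lifted from social media, a named local bank) and display-name mismatches.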
Slide 12: Threat/Controls Mapping Example

| People | Policy | Technology |
|---|---|---|
| Culture of Security | Least Access Privileges | Email Filters |
| Awareness Training | Incident Response Plan | Firewall |
| Mock Phishing | BCP/DRP | Network Segmentation |
| Role Based Access | Cyber Insurance | Patch Management |
| | Data Governance | SIEM |
| | | IDS/IPS |
Slide 13: Practical Tips (Policy)
- Inventory and classify your data
  - Catalog and classify your data
  - Focus protection measures on the most sensitive data
- Perform annual policy reviews
  - Organization changes
  - Emerging/new technology
  - Newly outsourced/insourced functions
- Policies should include all departments
Slide 14: Practical Tips (People)
- People are the weakest link!
- Senior leadership support is critical; lead by example
- Regularly raise employee security awareness
  - Drip method: seminars, webinars, podcasts, security tips, etc.
- Create a culture of security and make it personal for everyone
Slide 15: Creating a Culture of Security
- Make it personal: "if this, then that" examples
- Tailor training to specific functions
  - Option 1: individual departments (HR, finance, legal) and general population
  - Option 2: group high risk users (HR, finance, legal) and general population
- Incorporate reminders into everyday activities
Slide 16: House Analogy (Technology)

| Your Residence | Your Organization |
|---|---|
| Locks on doors | Passwords, 2-factor authentication |
| Monitored alarm system | Firewall, antivirus, security monitoring |
| Signage | Group policies |
| Safe for valuables | Network segmentation, encryption |
| Dog | Firewall, intrusion detection system, network alarms |
| Video cameras | Security incident & event monitoring (SIEM) |
| Security guard(s) | Security consultants |
| Police activity reports | Threat intelligence |
Slide 17: House Analogy (People & Policy)

| Your Residence | Your Organization |
|---|---|
| Individual keys | Password management; privileged access; access control policy |
| Alarm system code(s) | Role based access; password management |
| Stranger danger awareness | Security awareness training |
| Check who is at the door before opening | Role based access (guest/faculty); awareness training |
| Annual fire drill exercises | Phishing exercises, incident response plan |
Slide 18: Practical Tips (Technology)
- Technology should support and enforce your policies
- Layered defense is the most effective
- Ensure that you are regularly updating your network devices (laptops, firewalls, servers, etc.)
  - Operating systems and applications
- Understand the risks of your cloud provider(s)
Slide 19: Identity Theft
- PII and/or PHI used to create a false identity
  - Employees, family members, clients
- Usage examples include credit cards, false tax returns, store loyalty programs, internal impersonation
- A combination of technical and social engineering tactics is being used
Slides 20-21: Identity Theft Fraud Statistics (charts; not reproduced in the text)
Slide 22: Identity Theft Top 10 States (2015)
1. Missouri
2. Connecticut
3. Florida
4. Maryland
5. Illinois
6. Michigan
7. Georgia
8. Texas
9. New Hampshire
10. California
Ranked based upon complaints per 100,000 residents. Source: Insurance Information Institute.
Slides 23-25: Identity Theft Response Steps, from https://www.identitytheft.gov (screenshots of the site's steps; not reproduced in the text)
Slide 26: Summary
- Hackers are targeting all organizations that possess high value data
- Human resources professionals play a key role in cyber security
- A risk management approach is the most effective and practical one
- You must be proactive
- Cyber security is a team sport
Slide 27: Contact Information
Robert (Bob) Olsen, Chief Executive Officer
rolsen@compasscyber.com
410-340-3560
LinkedIn: @rolsen3
Twitter: @rlolsen3 and @compasscyber
Slide 28: Follow Us
https://www.linkedin.com/compasscyber
https://www.facebook.com/compasscyber
https://twitter.com/compasscyber
https://plus.google.com/+compasscybersecuritybaltimore
https://soundcloud.com/compasscyberguide
https://itunes.apple.com/us/podcast/the-cyberguide/

BALTIMORE: 250 S President Street, Suite 2300, Baltimore, MD 21202
WASHINGTON, DC: 701 8th Street NW, Suite 400, Washington, DC 20001