Employee Security Awareness Training September 2016
Purpose

Employees have access to sensitive data through the work they perform for York. Examples of sensitive data include social security numbers, medical information and credit card data. Lack of data protection can put York at risk for a data breach resulting in lost customers, tarnished reputation, penalties and fines. Protection of sensitive data is everyone's job responsibility.
What is a Data Breach?

A data breach is an incident in which sensitive data has potentially been viewed, stolen or used by an individual unauthorized to do so.

Thieves target sensitive data in order to commit crimes:
- Stealing financial data to access personal bank accounts
- Stealing people's identities to open lines of credit
- Stealing medical data to commit insurance fraud

Data breaches are expensive and damaging to a company:
- Anthem: 80 million records stolen
- JP Morgan: 76 million records stolen
- Target: 70 million records stolen
- US Office of Personnel Management: 21.5 million records stolen

A single data breach cost $3.79 million on average in 2015. Source: Ponemon Institute Global Cost of Data Breach Study.
Data Breaches Impact People

Data breaches not only affect companies; they also harm the individuals whose data was stolen. Below is John Harrison's story:

Jerry Phillips, a twenty-year-old, stole John Harrison's identity and went on a shopping spree including purchases from Home Depot, JCPenney, Sears, Lowe's, two cars from Ford, a Kawasaki and a Harley. In four months Jerry made $265,000 in purchases. Jerry was arrested and imprisoned for three years. Despite Jerry going to jail and a letter from the Justice Department confirming John was a victim of identity theft, John still owed $140,000 to creditors.
How do Data Breaches Occur?

Employee Misuse:
- Weak passwords
- Accidentally downloading a virus from the internet
- Unnecessary sharing of sensitive data

Phishing: A thief attempts to acquire information such as a username and password by pretending to be a trustworthy entity (e.g. a fake email from your bank asking you to enter your username and password).

Malware: Malicious code infiltrates a system to perform a variety of actions (e.g. takes over the computer, watches the user's every move, exports data, crashes the system).

Physical Theft: Unsecured sensitive data is physically stolen (e.g. hard copy documents, a flash drive, a laptop).
Phishing Examples
Target Data Breach Case Study: How Did it Happen?

1. A phishing email was sent to someone who worked at Target's HVAC vendor. That person opened the email and an attachment, allowing the thief to obtain the HVAC vendor's credentials for one of Target's computer systems.
2. The thief logged into Target's computer system and infiltrated Target's network, using malware to steal credit card data.
3. Federal investigators identified Target credit card data on the black market and notified Target of a potential breach.
4. Target confirmed the breach after 40 million credit card numbers had been stolen.
What Can You Do?

- Never share your username and password with others.
- Create strong passwords for systems you use. A strong password is comprised of:
  - Eight or more characters
  - A combination of letters, numbers and symbols
  - Upper and lower case letters
- Do not open email attachments or click on links unless you are expecting the email and you trust the sender.
- Do not forward information to anyone who does not have a legitimate need for receiving it.
- Do not remove sensitive data from the office unless there is an approved business need.
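The password criteria above can be turned into an automated check. The following Python is an added example written for this page, not part of the training deck or of York's own systems: it implements the four stated criteria (eight or more characters, letters plus numbers plus symbols, upper and lower case) and additionally rejects passwords built on a small constructed list of common words, reflecting the deck's advice against names and dictionary words. The function names and the word list are assumptions made for illustration; a real deployment would use a much larger breached-password list.

```python
import string

# Constructed list of common words for illustration only (assumption);
# a production check would use a large breached-password or dictionary list.
COMMON_WORDS = {"password", "keyboard", "secret", "welcome", "letmein", "abc123", "qwerty"}


def check_password_policy(password: str) -> list[str]:
    """Return the list of policy failures for a candidate password.

    An empty list means the password satisfies every criterion on the slide.
    """
    failures = []

    # Criterion 1: eight or more characters
    if len(password) < 8:
        failures.append("fewer than eight characters")

    # Criterion 2: a combination of letters, numbers and symbols
    if not any(c.isalpha() for c in password):
        failures.append("no letters")
    if not any(c.isdigit() for c in password):
        failures.append("no numbers")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbols")

    # Criterion 3: upper and lower case letters
    if not any(c.islower() for c in password):
        failures.append("no lowercase letters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letters")

    # Extra check: reject passwords that contain a common word or name,
    # compared case-insensitively so "MySecret" and "Keyboard" are caught.
    lowered = password.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            failures.append(f"contains common word '{word}'")
            break

    return failures


def is_strong(password: str) -> bool:
    """True only when no criterion fails."""
    return not check_password_policy(password)


if __name__ == "__main__":
    # The four options from quiz question 3, run through the policy check.
    for candidate in ["MySecret", "Dp0si#Z$2", "Abc123", "Keyboard"]:
        problems = check_password_policy(candidate)
        verdict = "OK" if not problems else "; ".join(problems)
        print(f"{candidate:12} -> {verdict}")
```

Running the block prints a verdict for each of the quiz's four candidate passwords; only the one that mixes upper and lower case letters, digits and symbols across nine characters comes back with no failures. Note that character-class rules are a floor, not a guarantee: a password that passes every rule can still be weak if it has been exposed in a previous breach, which is why the common-word check stands in for a breached-password lookup.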
What Can You Do?

- Physically secure hard copy records and electronic media (e.g. flash drives, CDs) in a locked desk drawer or cabinet.
- Shred hard copy documents when no longer needed.
- Secure mobile devices (e.g. laptops, tablets, phones) at all locations including office, home, hotel and/or car.
- If you suspect a data breach has occurred, immediately notify your supervisor.
What Have You Learned?
Question #1: Why is it important for employees to be educated on protecting information?
A. Helps protect York and individuals from being victims of a data breach
B. Provides an understanding of steps to follow to protect sensitive data
C. Helps employees to understand their responsibility in protecting sensitive data
D. All of the above
Question #2: Which of the following is a good way to create a password?
A. Your children's or pet's names
B. Using a simple four character password
C. A combination of upper and lowercase letters mixed with numbers and symbols
D. Using common names or words from the dictionary
Question #3: Which of the following would be the best password?
A. MySecret
B. Dp0si#Z$2
C. Abc123
D. Keyboard
Question #4: When receiving an email from an unknown contact that has an attachment, you should:
A. Open the attachment to view its contents
B. Delete the email
C. Forward the email to your co-workers to allow them to open the attachment first
D. Forward the email to your personal email account so you can open it at home
Question #5: Which of the following is a good practice to avoid email viruses?
A. Delete an unexpected or unsolicited message
B. Use anti-virus software to scan attachments before opening
C. Delete similar messages that appear more than once in your Inbox
D. All of the above
Question #6: The first step in Security Awareness is being able to ______ a security threat.
A. Avoid
B. Recognize
C. Challenge
D. Log
Question #7: What should you do if you think your password has been compromised?
A. Change your password
B. Report the incident to the HelpDesk
C. Check other systems that you have accounts on, as they may be compromised as well
D. All of the above
Question #8: A file or program created with the purpose of doing harm is known as:
A. Malware
B. Password
C. Social Engineering Attack
D. Hacker
Question #9: What is the best way to protect the data on your computer when going to lunch?
A. Log off or lock the computer with your password
B. Turn off the monitor
C. Shut your door
D. Close out of all programs
Question #10: What should everyone know about data protection?
A. Data protection is part of everyone's job
B. Do not ignore unusual computer functioning; it might be a sign of malware
C. Report anything suspicious to the HelpDesk
D. All of the above
Training Completion

An email was sent to you from echosign@echosign.com with a link to electronically sign the training completion form. Ensure the signed form is submitted no later than Sept. 30, 2016. Signatures are required for compliance purposes and are reviewed by York's auditors to ensure all employees have received this important training. Send questions to Tina Price, AVP IT Security & Governance, at tina.price@yorkrsg.com.
Security Depends on Everyone. Thank You!