CYBER THREATS: An Unavoidable Business Risk and How to Protect Against It
Cyber Findings
• A Risk Based Security (RBS) report showed more than 4 billion electronic records stolen in 2016 as a result of over 4,000 data breaches* (6 billion for the 1st half of 2017, per the 8/8/17 Breach Exchange), roughly 1 million records per breach on average
• Approximately 1 million pieces of known malware (computer viruses or malicious software) are released every day
• Ponemon 2017 Cost of Data Breach Study: Global Analysis
  • $3.62 million is the average total cost of a data breach
  • $141 is the average cost per lost or stolen record (healthcare: $380)
  • 59% of all breaches were caused by malicious or criminal attacks
• Ponemon 2017 Cost of Data Breach Study: United States
  • $7.35 million is the average total cost of a data breach
  • $225 is the average cost per lost or stolen record
  • $380 (healthcare) is the average cost per lost or stolen record
  • 52% of incidents involved malicious or criminal attacks
  • Notification costs average $0.69 million
  • Post data breach costs (not including notification costs) average $1.56 million
*Source: breachexchange-bounces@lists.riskbasedsecurity.com on behalf of Audrey McNeil, April 11, 2017
Cyber Findings
• Ransomware is now the biggest cybersecurity threat
• 28% of all data breaches occur in healthcare, affecting over 155 million Americans in 1,500 breaches over the past 6 years; the total number of victims tripled in the last 2 years
• Third-party vendors are a liability for the organizations that engage them:
  • Office of Personnel Management (OPM): hack of background-check vendor KeyPoint Government Solutions
  • Home Depot: hackers used a third-party vendor's credentials to gain access to Home Depot's network
  • Target: breach of a supply-chain vendor (HVAC subcontractor) connected to Target's network
• Cyber attacks are inevitable, and attackers are often already inside an organization's network, resulting in:
  • Drawn-out litigation
  • System operational disruptions
  • Regulatory actions
  • Inability to fulfill corporate strategies
• 61% of breaches worldwide occurred in companies with fewer than 1,000 employees
Definitions: Personally Identifiable Information*
• Personally Identifiable Information (PII), as used in information security and data privacy laws, refers to information that can be used to uniquely identify, contact, or locate a single person, or that can be combined with other sources to uniquely identify a single individual. The types of information normally associated with PII include (at least three of the following combined):
  • Name and Address (NAA)
  • Date of Birth (DOB) (not confidential in MA)
  • Social Security Number (SSN)
  • Credit Card Number
  • Account Number/PIN or other Financial Account Information
  • ZIP codes? New precedent set under California's Song-Beverly Credit Card Act (Pineda v. Williams-Sonoma, 2011)
  • Email addresses
  • Telephone numbers
*Source: Identity Theft Resource Center Data Breach Report 2009
Definitions: Protected Health Information*
• Protected Health Information (PHI): the HIPAA regulations (HHS/OCR) define health information as "any information, whether oral or recorded in any form or medium" that:
  • "is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse" (Medical Information Bureau, Quincy) and
  • "relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual."
• Most valuable: PHI never expires and commands the highest price on the black market ($100+/record)
• It can be used to:
  • Obtain medical treatment (you pay for it)
  • Obtain prescription drugs (for personal use or street sale)
  • Co-mingle health information with the victim's record, leading to misdiagnosis or death
  • Obtain mortgages, credit or other loans
*Source: Identity Theft Resource Center Data Breach Report 2009
Definitions: Confidential Business Customer Data
• Trade secret information
• Confidential financial data (business customers)
• Other non-public confidential data of business customers:
  • employee personal data (benefit providers, 401(k) and other plan information)
  • payroll data (for example, ADP or other payroll service providers)
  • billing information (medical billing services, utility companies)
• Any customer confidential business data subject to a signed Non-Disclosure Agreement (NDA)
• Intellectual property, e.g. manufacturing processes and marketing strategies
Social Engineering Fraud
• Hackers are motivated by greed: they want your money, basically "cold hard cash".
• They rely on the weakest link in your organization: your employees.
• Hackers try to convince an employee that they are a customer, senior management or a vendor.
• They gain access to your system through a phishing email carrying malware (Trojan horses, spyware) as an attachment or link.
• Their goal is to get funds transferred out of the country to places such as China, Russia or Nigeria.
• They are experts at setting up false domain names and email addresses that look like a customer's, vendor's or senior manager's.
• They use social media to launch their fraud:
  • spoof senior management
  • through social media accounts, Outlook calendars and emails they learn the comings and goings of senior management (this is commonly called business email compromise, or BEC)
  • send an email to an unsuspecting employee, posing as an executive of the company, requesting that funds be transferred right away for a secret business deal; the email looks legitimate and the funds are transferred, never to be seen again
• Every organization is a target regardless of size or industry.
• Federal law enforcement is overwhelmed by these crimes and cannot keep up (a 1,300% increase since January 2015).
Social Engineering Fraud
3 Basic Components of a Social Engineering Fraudulent Email*
• Authority: emphasizes the positional rank of the sender to convince the employee
• Sense of Urgency (Time Pressure): stresses that the matter is urgent and that delay could cost an opportunity
• Secrecy: emphasizes that the transaction must remain confidential for legal or strategic reasons
Spear Phishing**
• A targeted attack against a specific person, group or organization
• Its main purpose is to gain unauthorized access to confidential/sensitive data or to entice the recipient to take a specific action, e.g. transfer money or share confidential data
• The email is personalized to the recipient
• It uses identities known to the recipient, e.g. an individual or a brand
• It spoofs actual email addresses with "look-alike" email addresses
• The attacker spends a great deal of time researching the victims
• Attackers use legitimate cloud services to send out their messages
*dcameragroup.com/the-fake-president-fraud
**breachexchange-bounces@lists.riskbasedsecurity.com on behalf of Audrey McNeil
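The "look-alike" sender addresses and spoofed executive identities described above can be screened for mechanically at the mail gateway before an employee ever sees the message. The Python below is an added example written for this page; it is not code from the presentation or from any product it mentions. The organisation, its trusted domains, the sample From: headers and the similarity threshold are all constructed for illustration, and the confusables table is a small hand-picked subset of the real Unicode one.

```python
import re
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

# Domains a hypothetical organisation legitimately corresponds with (constructed).
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.com"}

# Small subset of look-alike substitutions: digit/letter pairs plus a few
# Cyrillic letters that render the same as Latin ones.  A production filter
# should load the full Unicode confusables table instead.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}
SIMILARITY_THRESHOLD = 0.85   # assumed value; tune per environment


def normalize_domain(host: str) -> str:
    """Reduce a domain to what a human eye perceives it as."""
    host = host.strip().lower().rstrip(".")
    if "xn--" in host:                          # punycode IDN -> Unicode
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    host = unicodedata.normalize("NFKD", host)  # split accents off base letters
    host = "".join(c for c in host if not unicodedata.combining(c))
    host = "".join(CONFUSABLES.get(c, c) for c in host)
    # Two-character tricks that single-character mapping cannot catch.
    return host.replace("rn", "m").replace("vv", "w")


def registered_domain(host: str) -> str:
    """Last two labels: mail.example-corp.com -> example-corp.com.
    Real deployments should consult the Public Suffix List (co.uk etc.)."""
    return ".".join(host.split(".")[-2:])


def classify_sender(from_header: str) -> dict:
    """Classify a From: header as trusted, lookalike, display_name_spoof,
    unrelated or malformed."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return {"address": address, "verdict": "malformed"}
    raw_domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    raw_reg = registered_domain(raw_domain)
    norm_reg = registered_domain(normalize_domain(raw_domain))

    # Display name shows a trusted address while the real address differs.
    for shown in re.findall(r"[\w.+-]+@([\w.-]+)", display_name):
        if registered_domain(normalize_domain(shown)) in TRUSTED_DOMAINS \
                and raw_reg not in TRUSTED_DOMAINS:
            return {"address": address, "verdict": "display_name_spoof",
                    "shown_as": shown}

    if raw_reg in TRUSTED_DOMAINS:
        return {"address": address, "verdict": "trusted"}
    if norm_reg in TRUSTED_DOMAINS:             # examp1e-corp.com, exarnple-corp.com
        return {"address": address, "verdict": "lookalike",
                "imitates": norm_reg, "reason": "homoglyph substitution"}

    best, best_score = None, 0.0
    for trusted in TRUSTED_DOMAINS:
        label = trusted.split(".")[0]           # "example-corp"
        if label in raw_domain:                 # example-corp.com.evil.net
            return {"address": address, "verdict": "lookalike",
                    "imitates": trusted, "reason": "embeds trusted label"}
        score = SequenceMatcher(None, raw_reg, trusted).ratio()
        if score > best_score:
            best, best_score = trusted, score
    if best_score >= SIMILARITY_THRESHOLD:      # one-character typosquats
        return {"address": address, "verdict": "lookalike",
                "imitates": best, "reason": f"similarity {best_score:.2f}"}
    return {"address": address, "verdict": "unrelated"}


# Constructed sample headers, not real mail.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example-corp.com>",                   # trusted
    "Jane Doe <jane.doe@examp1e-corp.com>",                   # digit 1 for l
    "Jane Doe <jane@exarnple-corp.com>",                      # rn for m
    "Jane <jane@ex\u0430mple-corp.com>",                      # Cyrillic a
    "Jane <jane@exampIe-corp.com>",                           # capital I for l
    "Jane <jane@example-corp.com.payments-portal.net>",       # trusted label as subdomain
    '"jane.doe@example-corp.com" <jane@mail-relay.net>',      # display-name spoof
    "Bob <bob@unrelated-company.org>",                        # unrelated
]


def screen(headers=SAMPLE_HEADERS) -> list:
    """Run the classifier over a batch and return (header, verdict) pairs."""
    return [(h, classify_sender(h)["verdict"]) for h in headers]


if __name__ == "__main__":
    for header, verdict in screen():
        print(f"{verdict:20s} {header}")
```

A check like this only catches domains that imitate one you already trust; it complements, rather than replaces, SPF, DKIM and DMARC, which verify that mail claiming to come from your own domain actually did. Short trusted labels will over-match the "embeds trusted label" rule, and the two-label registered-domain shortcut is wrong for suffixes such as co.uk, so a real deployment should use the Public Suffix List and the full confusables data.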
BYOD – Bring Your Own Device
Employees using their own devices for daily work:
PROS:
• May make employees happier.
• May make employees more comfortable and more productive.
• Savings to the employer, who does not have to purchase these devices for employee use.
• Less training of employees on how to use these devices.
• May improve flexibility, productivity and ROI with "anytime, anywhere" access.
CONS:
• Increased exposure to a breach of customer and employee confidential data.
• Employees may disable firewall protection on their devices.
• Devices may not be encrypted.
• Employees may lend devices to non-employees.
• The employer is responsible for the actions of employees while they use personal devices for business purposes.
• Devices can be lost or stolen if left unattended.
• Difficulty retrieving data upon employee termination.
• Use of unsecured networks with remote access (free WiFi, hotel business centers).
• Irregular updates: employees put off installing updates.
BYOD – Prudent Steps
Prudent steps employers can take to reduce the risk of a breach through BYOD practices:
• Have written policies in place governing the types and use of personal devices for business purposes, and require every employee to sign off on and accept these policies. Written policies should clearly state what these devices can access, store and transmit.
• If remote access is allowed, it should only be through a VPN (Virtual Private Network, an encrypted tunnel across a public network or the internet) or a comparably secure connection.
• Require devices to be encrypted at all times, subject to random spot checks to confirm that encryption software is in place and in use.
• Require employees to report a stolen or lost device to the company immediately.
• Have a policy in place to retrieve information from an employee's device upon termination.
• Ensure corporate data is backed up on the corporation's network.
• Identify and segregate your corporate "trade secret" information, in other words your "crown jewels", and limit access to this data.
MOST PRUDENT STEP: Your rules should be carved in stone, as you ultimately bear the responsibility for the actions of your employees. By not establishing and enforcing written guidelines you run a great risk of loss of customers, revenues, reputational harm and possible ensuing litigation.
Internet of Things
What does the Internet of Things (IoT) mean? Devices connected to the Internet for the purpose of information transfer and process automation.
Examples:
• Home thermostats
• Heating and air conditioning
• Refrigerators that track inventory
• Family cars using on-board computers to regulate speed, operate rear-view cameras and "blind spot" alarms, parallel park and even tint windows
• Environmental sensing, manufacturing, urban planning and health monitoring
It is estimated there will be 20-50 billion devices connected via the internet by 2020.
Potential Problems
• Developers are building interactivity and data storage into hundreds of common products without any security in mind.
• Devices are not being developed to common standards.
• They increase the vulnerability of a system by creating more avenues for hackers to exploit.
• Hackers will become more familiar with how IoT devices work as interoperability becomes more standardized.
• March 2017: new malware "BrickerBot" renders IoT devices useless by corrupting their storage; it is meant to destroy, not to steal.
*Source: dataloss-bounces@datalossdb.org on behalf of Audrey McNeil, September 2015
Steps You Can Take To Minimize Your Exposure To A Data Breach
START HERE: 10 Common Sense Steps:
1. Know where your data is, map it and know who has access to it
2. Identify your information assets (client lists, client/customer data, business strategies, marketing information) and rank them from high to low
3. Have an automated backup process that runs every day
4. Perform due diligence on all outsourced/third-party vendors who store or service your data; be sure they have security protections and protocols in place equal to or greater than yours
5. Implement a strong password management program (change passwords every 45-60 days; note that current NIST guidance, SP 800-63B, no longer requires forced periodic rotation and instead favours long, unique passwords combined with multi-factor authentication)
6. Limit remote access to your systems, for example by supply-chain vendors or other service providers (Target/HVAC contractor)
7. Maintain a strong firewall and upgrade it when necessary or prompted
8. Perform comprehensive background checks on ALL potential hires
9. Employ and enforce a "clean-desk" policy. Secure all non-electronic confidential/sensitive information in locked containers, locked file cabinets or locked rooms with restricted access
10. Encrypt data at rest on servers
Steps You Can Take To Minimize Your Exposure To A Data Breach
NEXT STEPS:
1. Have a system vulnerability assessment done by a qualified outside third-party firm
2. Have a Breach Incident Response Plan: who is the internal point of contact, privacy attorney, forensic expert, notification firm and public relations firm; test it at least annually
3. Have a Disaster Recovery Plan: you've had a breach; how and when do you get back to operational status?
4. Have a written Network Security Plan, Client Notification Plan and Internet Usage Plan
5. Employ anti-virus software on ALL devices and update it continuously
6. Install intrusion detection/prevention (IDS/IPS) software on all devices and test it regularly
7. Encrypt all hard drives, servers, backup tapes and portable devices
8. Employ two-factor authentication
9. Employ and enforce continuous employee training in the handling of confidential data (key risk management)
10. Conduct regular scans of your network
11. If you have a POS system, ensure it complies with the Payment Card Industry Data Security Standard (PCI DSS)
12. Ensure all credit card data is encrypted
13. Segregate encrypted sensitive data from general user data on your network
14. Before disposal, wipe data from all hardware when it is replaced
15. Never have a "universal passcode" for all employees to use to access data
16. Install scanners and filters for email attachments
17. Install remote lock or kill software to shut down lost or stolen mobile devices that hold protected information
Steps You Can Take To Minimize Your Exposure To A Data Breach
NEXT STEPS CONTINUED:
18. Purge online records, or decades-old records of former customers, if they are not needed and you are not legally required to retain them
19. Do not allow third-party storage devices to be connected to any employee workstation
20. Coordinate data breach responses with your HR Department
21. Employ and enforce a duty for all employees to report a potential security incident and cooperate in any investigations
As per former FBI Director James Comey: "There are only two kinds of companies left in the world - those that have been hacked and those that don't know they've been hacked. No one is safe. Unfortunately, there is no simple fix - no app for that - not even adequate insurance."
50 States Have Breach Notification Requirements
• Alabama (2018 S.B. 318, Act No. 396)
• Alaska (ALASKA STAT. § 45.48.010 et seq.)
• Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))
• Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)
• California (CAL. CIV. CODE § 1798.82)
• Colorado (COLO. REV. STAT. § 6-1-716)
• Connecticut (CONN. GEN. STAT. § 36a-701b)
• Delaware (DEL. CODE ANN. tit. 6, § 12B-101)
• District of Columbia (B16-810, D.C. Code § 28-3851)
• Florida (FLA. STAT. § 817.5681)
• Georgia (GA. CODE ANN. § 10-1-911)
• Hawaii (Hawaii Revised Stat. §§ 487N-1 et seq.)
• Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)
• Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)
• Indiana (IND. CODE § 24-4.9)
• Iowa (SF 2308)
• Kansas (KAN. STAT. ANN. §§ 50-7a01-02)
• Kentucky (H.B. 232)
• Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)
• Maine (ME. REV. STAT. ANN. tit. 10, § 1346 et seq.)
• Maryland (H.B. 208 and S.B. 194)
• Massachusetts (Massachusetts General Laws Ann. 93H §§ 1 et seq.)
• Michigan (Michigan Compiled Laws Ann. 445.72)
• Minnesota (MINN. STAT. § 325E.61)
• Mississippi (House Bill No. 583)
• Missouri (House Bill No. 62)
• Montana (MONT. CODE ANN. § 30-14-1704)
• Nebraska (NEB. REV. STAT. § 87-801 et seq.)
• Nevada (NEV. REV. STAT. 603A.010 et seq.)
• New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)
• New Jersey (N.J. STAT. ANN. § 56:8-163)
• New Mexico (March 15, 2017)
• New York (N.Y. GEN. BUS. LAW § 899-aa)
• North Carolina (N.C. GEN. STAT. § 75-60 et seq.)
• North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)
• Ohio (OHIO REV. CODE ANN. § 1349.19)
• Oklahoma (Okla. Stat. § 74-3113.1)
• Oregon (S.B. 583)
• Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)
• Puerto Rico (Law 111 and Regulation 7207)
• Rhode Island (R.I. GEN. LAWS § 11-49.2-3)
• South Carolina (S.B. 453)
• South Dakota (2018 S.B. 62)
• Tennessee (TENN. CODE ANN. § 47-18-21)
• Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)
• Utah (UTAH CODE ANN. § 13-44-101 et seq.)
• Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)
• Virginia (S.B. 307)
• Washington (WASH. REV. CODE § 19.255.010)
• West Virginia (S.B. 340)
• Wisconsin (WIS. STAT. § 895.507)
• Wyoming (W.S. 40-12-501 through 40-12-509)
*Guam and the Virgin Islands also have security breach notification laws.
Federal and Massachusetts Laws and Regulations
• Personal Data Privacy & Security Act of 2007
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• The Gramm-Leach-Bliley Act of 1999 (GLBA)
• Fair Credit Reporting Act
• Fair & Accurate Credit Transactions Act of 2003
• Electronic Communications Privacy Act of 1986
• Family Educational Rights & Privacy Act (FERPA)
• State-specific Data Breach Notification Laws*
• HITECH Act (Health Information Technology for Economic and Clinical Health Act, enacted as part of the 2009 federal stimulus package, ARRA)
• 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts
Massachusetts Data Breach/Security Laws**
3 Key Laws and Regulations:
• G.L. c. 93H, Data Breach Notice Law: requires notification of state agencies and affected individuals of a data breach
• 201 CMR 17.00, Standards for The Protection of Personal Information (PI) of Residents of the Commonwealth of Massachusetts (the regulation issued under c. 93H)
• G.L. c. 93I, Data Destruction Law: establishes minimum requirements for securely destroying or deleting Personal Identifiable Information of MA residents
ENFORCEMENT OF THE MASSACHUSETTS DATA BREACH/SECURITY LAWS IS BY THE CONSUMER PROTECTION DIVISION OF THE ATTORNEY GENERAL'S OFFICE
PERSONAL IDENTIFIABLE INFORMATION (ELECTRONIC OR PAPER FORM)
Defined as the first name or initial and last name of a MA resident plus one or more of the following:
1. SSN
2. Driver's license number or other state-issued identification card number; and/or
3. Financial account number or a debit/credit card number (with or without a security code)
Information legally obtained from publicly available sources is not considered confidential Personal Identifiable Information
Massachusetts Data Breach/Security Laws**
G.L. c. 93H, Data Breach Notification Law
• Breach of Security: unauthorized acquisition or use of confidential data, whether unencrypted or encrypted together with the decryption key, that is capable of compromising the security, confidentiality or integrity of the PII held by the entity and creates a risk of ID theft
• ID Theft/Fraud: the PII was used or acquired by an unauthorized party for an unauthorized purpose (credit cards, loans)
Who Must Be Notified:
• Attorney General's Office
• Office of Consumer Affairs and Business Regulation
• Each affected MA resident
• Owner or licensor of the PI (must be notified by the third-party or outsourced vendor)
**THE OWNER OR LICENSOR OF THE PI IS THE PARTY REQUIRED TO GIVE NOTICE
Notice to the Attorney General's Office or Office of Consumer Affairs & Business Regulation must include the following:
• Nature of the breach
• Number of residents affected
• Steps the entity has taken or will take relating to the breach
• A sample copy of the consumer notice
What the Notice to MA residents must disclose:
• The individual's right to obtain a police report
• How an individual can request a security freeze
• The information an individual needs to provide to request a security freeze
• Complete disclosure of fees for placing, lifting or removing a security freeze
Massachusetts Data Breach/Security Laws**
• The Notice to residents cannot disclose:
  • The nature of the breach or of the unauthorized access or use
  • The number of individuals affected
• Timing of the Notice:
  • "as soon as reasonably practicable and without unreasonable delay" when the entity "knows or has reason to know" of the breach
  • The Notice may be delayed "if a law enforcement agency determines that provision of such notice may impede a criminal investigation and has notified the attorney general in writing thereof and informs the entity of such determination"
• Information and sample notices can be found at: http://www.mass.gov/ago/consumer-resources/consumer-information/scams-and-identity-theft/security-breaches.html
Massachusetts Data Breach/Security Laws**
201 CMR 17.00, Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts
Some Key Requirements:
• Develop, implement, maintain and monitor a comprehensive Written Information Security Program (WISP) establishing safeguards against a data breach
• Maintain minimum computer security systems such as password management protocols, firewalls, updated virus definitions and patches
• Encrypt all records containing PI transmitted across public networks or wirelessly, or stored on laptops or other portable devices
• Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality and integrity of PI in any physical form
• Monitor service providers and require them by written contract to implement and maintain safeguards to protect and secure PI; you warrant to the State that your service providers meet the MA privacy law requirements
G.L. c. 93I, Data Disposal and Destruction Law
Minimum Requirements:
• Paper records are to be burned, redacted, pulverized or shredded so the PI cannot be read or reconstructed
• Electronic records and other non-disposable media shall be destroyed or erased so the PI cannot be read or reconstructed
Massachusetts Data Breach/Security Laws**
PENALTIES FOR VIOLATING THE MA DATA BREACH NOTICE LAW/SECURITY REGULATIONS
• Civil penalties of $5,000 per violation
• Restitution to harmed individuals
PENALTIES FOR VIOLATING THE DATA DESTRUCTION AND DISPOSAL LAW
• Civil fine of up to $100 per data subject affected
• Up to $50,000 for each instance of improper disposal
**Overview of Massachusetts Data Breach/Security Laws, Tom Ralph, Asst. AG, Cyber Crime Division, Office of MA AG Maura Healey
Speaker Contact Information Ed McGuire Main: 508-824-8666 Direct: 508-659-8185 Mobile: 978-844-7720 Email: emcguire@fbinsure.com