Management Insights offers a complete ID Theft/Data Breach solution designed to meet the needs of your business
1. We ensure greater business security with our comprehensive approach: systems, procedures, people and physical plant
2. We create a response plan, train the people and document the whole project
3. We build in a relationship with best of breed ID theft remediation service
4. We become an ongoing resource
2. A SCORE WORKSHOP
• Goals for our time together
• Help prepare you and your business to defend against ID theft.
• Give you some useful resources you can use to guard against ID fraud and to use when the business is attacked.
Understand why ID fraud is such a big deal
Protect the business
Prepare the business
Respond when theft happens
3. Many industry experts tell us it is not if but when your small business will be targeted by a cybercriminal
HAVING A PROCESS IN PLACE TO AVOID AND/OR MITIGATE CYBER CRIMES IS PARAMOUNT
4. Crooks love small businesses
• Small businesses don't believe they are at risk - this makes them an easy target
• They don't have staff dedicated to keeping the company safe
• They often don't have policies, processes and procedures to safeguard the business
• They often don't have a culture that creates an awareness of the danger
• They don't know what to do if a data breach or ID theft happens
6. You are at risk
"Small businesses feel like they're immune from cybercrime, and they're wrong. They are absolutely on the list of potential targets of cybercriminals," said Larry Ponemon, chairman of the Ponemon Institute.
A recent survey of executives at 500 U.S. companies of varying sizes found that 76% had had a cyber security incident within the past 12 months resulting in the loss of money, data, intellectual property or the ability to conduct day-to-day business, according to the Computing Technology Industry Association. About half of those cases were described by the businesses as "serious."
7. You have a responsibility
Most companies experience opportunity costs associated with a breach incident, which results from diminished trust or confidence by present and future customers. … the negative publicity associated with a data breach incident can often damage companies' reputations… and [slow] new customer acquisitions. (Ponemon Institute Study, 2010)
The estimated cost of a data breach is $214 per record. It could cost an organization with 1,000 customers $214,000 and months to recover. This can strain the resources of even large organizations. For a small company the result could be devastating.
8. An identity theft happens when a crook steals YOUR information
A data breach happens when a crook steals your CUSTOMERS' information
9. Identity theft and data breaches are types of ID fraud
Both can happen for many reasons
• Accidents
• Losing equipment
• Hitting the send-all button on an email with sensitive information
• Malicious attack
• Hackers or thieves
• Viruses
• System failures
• Actual computer failures that lead to loss of data
• Poor policy and lack of preparedness by the organization
10. An ID thief can be anybody from your trash collector to an employee to a cyber criminal
What they are after:
• Drivers licenses
• Credit cards
• Social Security numbers
• Passport
• Medical records
• Customer records
• Utility bills
• Intellectual property
Where they get it:
Your car
Your office
Your trash
Your mailbox
Your phone
Your computers
Your network
Your people
11. Data Breaches
• Banking/Financial
• Business/Corporate
• Educational
• Government
• Medical/Healthcare
Hackers can enter your computer systems from the internet and steal information.
Employees could lose a laptop with company records on it.
Anybody with a thumb drive can steal information.
Thieves could break into your offices and steal records.
13. Where your company is vulnerable… …and the list grows all the time as technology pushes forward
• Viruses
• SPAM
• Phishing
• Systems
• Lack of policies
• Lack of preparedness
• Lack of knowledge
• Your trash
• The phone
• Social Media
• The Cloud
• Your People
14. We are vulnerable on the Internet
Viruses and malware are computer programs - sometimes called malicious code - that are created to cause harm!
File infectors: attach themselves to programs and spread when you run the program
Boot sector viruses: infect the disk's boot sector so they load into memory before the operating system every time you start the computer
Trojan horses: act like legitimate programs
Macro viruses: hide in the macros of documents and spreadsheets; malicious code of one kind or another can ride along in email, websites, pictures and anything else you might open on the internet
15. What to expect if infected…
Viruses and their relatives can and do:
• Delete files
• Wipe your hard drive clean
• Email confidential information to crooks
• Cause your computer to attack other computers
• Make it impossible for you to use the machine
16. Malicious code and the attacks built on it go by lots of names (not all of these are viruses)
DoS attack - denial of service
RootKit
Drive-by download
Key logger
Malware
Adware
Trojan
Botnet
Spyware
17. DoS Attack
Denial of Service and DDoS (distributed denial of service) attacks
• Denial of service attacks are designed to knock your website, your server or your network offline
• Crooks flood the website with so many requests for pages that the server can't keep up and stops responding; in a DDoS the flood comes from many machines at once, typically a botnet of infected computers
18. RootKit
A rootkit commands and controls the computer without your knowledge
• A rootkit gives the crook access to all your folders and files, things like your address book and your customer records
• It runs with administrator privileges
• Rootkits hide from your antivirus software on the operating system
• They also hide other programs like malware, bots and worms
• They can be hard to detect
• They can be hard to remove
• They can create logs about your computer usage
19. Key Logger
Key loggers can record all of your keystrokes or even respond when you visit a banking website and enter your user name and password
• Key loggers are really good at stealing user names and passwords
• Common sources of key loggers are file sharing networks, online gaming sites, fake greeting cards sent via email
• A key logger may also install rootkits or other programs on your computer
• There are hardware key loggers that can be installed on a computer (a small device plugged in between the keyboard and the PC)
20. Adware
Adware are programs that launch pop ups and other advertisements
• Adware can download automatically and without your knowledge from some websites or free programs
• Adware can redirect your browser to another site - more often than not, one you don't want to visit
• Adware crooks can take advantage of misspelled URLs to take you to a drive-by website
21. How to protect your company from viruses
• Back up your data
• Purchase an antivirus software package
• Be sure you have a firewall in place
• Update your software
• Use secure passwords with the ability to change them periodically
• Don't respond to emails unless you know who sent them
• Don't click on links
• Do a full anti-virus scan on all of your computers on a regular basis
Having processes and standard procedures - that are understood and adopted by all staff relating to all of these activities - is a critical first step. These are a great place to start!
22. Hackers/Drive-by Downloads
Hackers install software that downloads automatically when you visit an infected website
• All you have to do is visit the site
• It is not just "those websites"
• Legitimate websites can be infected. Celebrity sites that downloaded malicious code were in the news recently
• There are ways to trace your steps
23. You may be amazed at who gets notified when you visit a website
24. Collusion is a browser add-on that graphs what happens when you visit a website
25. How to protect yourself from drive-by downloads
• Be sure your firewall is on
• Consider a third party firewall
• Never click on links where people other than the owner have posted them - blogs, chat rooms
• Use the latest NON-beta browsers
• Don't install plug-ins or add-ons that you don't know
• Be careful about downloading software.
26. SPAM
You really can thank Monty Python
• SPAM is all that junk e-mail you get
• It is sent out in mass and spammers make money from the small percentage of people who respond
• SPAM can - and sometimes does - spread malicious code
27. How do crooks get my email in the first place? Or phone number, etc.
• They buy them
• 30 million Hotmail addresses go for $450
• 5 million Gmail addresses go for $350
• If your Internet service provider won't let you send 5 million emails at once, crooks can buy that service too
28. How do crooks get my email in the first place? Or phone number, etc.
• You provide them yourself
• Sign up for newsletters
• Facebook, Google+
• Amazon
• LinkedIn
• Online banking
• Go paperless
• Your Internet service provider
• All of those countless people and companies that ask you for your address
29. How to protect your company from SPAM
• Use multiple email addresses
• One for your business: jhisey@management-insights.com
• One for your personal mail: hiseyii@gmail.com
• You could have a "subscriber" email and use it to register in public forums, chat rooms, mailing lists etc.
• Don't click unsubscribe links or respond to spam. When you do the spammer knows you are a real person and you will get even more.
• Use an ISP that provides SPAM filters - most do nowadays.
• If your private address is discovered - change it
• Make sure your web browser is up to date
Don't ever click on links or attachments included in e-mail unless you know for certain who sent them. Even if you know the person be wary and find out if they actually sent the email before you reply or click
30. Phishing
Phishing tricks you into giving away your personal or company information. It is a form of social engineering
• Phishing tricks you into giving away your personal information by creating a fake replica of a real company website
• Phishers are all those people who want to send you $1 million from their uncle in Nicaragua
• Phishers are the "friends" whose hijacked email accounts write to you from the far east saying they are stranded and need you to send them money
• Phishers are not all on the internet. Those phone calls from the "credit information" service are phishing too
31. This is a real example of a phishing expedition. The crook's website is no longer there, so when you click you are taken here
32. This is the real CitiBank website. Notice the real address is in bold and that the lock sign is there
33. Here is a phishing attempt my wife received. Looks real until you check the return address and the foreign alphabet after the ID summary
34. How to protect yourself from phishing
This is especially important if someone is asking you for bank information
• Look for the lock symbol in the address bar
• Be sure the HTTPS:// is in the internet address
• The lock and HTTPS only mean the connection is encrypted; a phishing site can have both, so check that the domain name itself (the part the browser shows in bold) really is your bank's
• Don't use an email message to load the web page. Type in the address yourself
• Don't complete a form in an email message that asks for personal information
• Report anything suspicious to your bank
• Check your accounts regularly
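The checklist above can be applied to a link before anyone clicks it. The following is an added example written for this page, not code from the workshop: it checks a link for HTTPS, for the expected domain (not merely a host name that contains it), for a raw IP address, for a foreign-alphabet or punycode look-alike, and for the "user@host" trick that hides the real host. The expected domain is whatever you pass in; "citibank.com" is used only because the slides show a Citibank phish, and every sample link is constructed for illustration, not a real phishing URL.

```python
# Added example; not part of the SCORE workshop slides.
# Assumptions: expected_domain is supplied by the caller; all sample links
# below are constructed, not real phishing URLs.
from urllib.parse import urlsplit


def link_problems(url, expected_domain):
    """Return the reasons a link should NOT be trusted (empty list = looks OK)."""
    problems = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    expected = expected_domain.lower()

    if parts.scheme.lower() != "https":
        problems.append("no HTTPS: the page would not be encrypted")

    # The lock and HTTPS only prove encryption.  What matters is the domain
    # the browser shows in bold: it must be the expected one or a subdomain
    # of it.  "www.citibank.com.example.net" contains "citibank.com" in the
    # middle, so the suffix test must include the leading dot.
    if not (host == expected or host.endswith("." + expected)):
        problems.append("host %r is not %s or a subdomain of it" % (host, expected))

    # A raw IP address instead of a name is a common phishing tell.
    if host.replace(".", "").isdigit():
        problems.append("host is a raw IP address, not a name")

    # Non-ASCII or punycode ("xn--") labels are how look-alike domains in a
    # foreign alphabet (the slide's "foreign alphabet" clue) reach you.
    if any(ord(c) > 127 for c in host) or any(
        label.startswith("xn--") for label in host.split(".")
    ):
        problems.append("host uses a foreign alphabet or punycode look-alike")

    # In "http://citibank.com@198.51.100.7/" everything before '@' is
    # ignored by the browser; the real host is what follows it.
    if "@" in parts.netloc:
        problems.append("text before '@' hides the real host")

    return problems


if __name__ == "__main__":
    # Constructed sample links (not real phishing URLs).
    for link in (
        "https://online.citibank.com/login",
        "http://www.citibank.com.example.net/verify",
        "https://cítibank.com/",
        "http://citibank.com@198.51.100.7/",
    ):
        print(link, "->", link_problems(link, "citibank.com") or ["looks OK"])
```

The suffix test is the important one: a link that merely contains the bank's name somewhere in the host passes a quick glance but fails the check, which is exactly why the slide tells you to type the address yourself rather than trust the email.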
35. Social Media
• Facebook, LinkedIn, YouTube, Twitter and more are all important ways to network and grow your business
• As we put more and more information online it makes it easier for our customers and potential customers to find us
• Our information also opens opportunities for theft
Secure passwords are a major way to protect your identity on social media sites
You want customers and those you don't know are customers to find you
You DON'T want people to change your profile
36. Social Media - Meet my "friend" JoergR
JoergR sent me this email. I didn't think I knew him but he looked sort of familiar and I was curious. Clicking on the link was a BAD idea. Fortunately my virus protection software caught the virus before any harm was done
38. The Cloud
More and more companies are offering to keep your information on their servers
• Dropbox
• iCloud
• Google
• Microsoft
• Amazon
39. The Cloud
Safety and privacy is a concern should the unexpected occur
• Cloud computing is the wave of the future
• The question is do you want to have someone else have all of your important business information on their computer
• Actually you probably have a lot of information in the cloud already
• Email, music, online backups
• You need to know how your data is being secured and what measures the service provider takes to ensure the integrity and availability of that data
• Use secure passwords
40. Systems Security
THERE IS A LOT YOU CAN DO TO PROTECT YOUR COMPUTER SYSTEMS
42. Secure your web browser
• Add-ins
• Plug-ins
• Security settings
• InPrivate
43. Pop Up Blockers
Control those unwanted ads and websites that "pop up" when you visit the main site. Even MSNBC uses pop ups. Privacy settings control which pop ups are allowed
44. Plug-ins, add-ins and their relatives
This is software that increases the functionality of a larger program. For example, a plug-in allows your web browser to play videos. Some are gateways for malware. There are ways to disable plug-ins and add-ins
45. How to create a secure password
Size does matter: a 6-character alphanumeric password can be brute-forced in seconds to minutes on modern cracking hardware, depending on the hash; a 10-character alphanumeric password can take weeks or longer
• Make passwords you can remember but are hard to guess. Not your kids' names, not your birthday, not a real word
• Mix upper and lowercase letters, numbers and punctuation marks
• Don't use the same password on all of your accounts. If a hacker cracks one they have them all
• Use a phrase - !amcO1dt@day
• Use padding - C@t$$$$$$$$$$$$$$$ (cracking tools try padding patterns too, so padding helps most when the rest of the password is already unpredictable)
• Change your passwords often, but don't recycle them by rotating through a pattern: East1port, West2port, South3port
• Don't tell anyone your password! If you have to give it out, change it right away
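The rules above can be turned into a check, and the "size does matter" point into a number. The following is an added example written for this page, not code from the workshop. It flags passwords that are too short, use too few character classes, are a dictionary word with digits or symbols bolted on, or are a recycled variant of an old password (the East1port / West2port / South3port rotation), and it estimates how long exhausting the keyspace of a given length and character mix would take. Two assumptions are labelled in the code: the attacker guess rate is an illustrative figure (real rates depend on the hash and the hardware), and the word list is a tiny constructed stand-in for a cracker's dictionary.

```python
# Added example; not part of the SCORE workshop slides.
import string

ASSUMED_GUESSES_PER_SECOND = 1e10  # assumption: offline attack on a fast hash

CONSTRUCTED_WORD_LIST = {  # constructed stand-in; real lists hold millions
    "password", "welcome", "letmein", "summer", "eastport", "westport",
}

_CLASSES = (
    ("upper", string.ascii_uppercase),
    ("lower", string.ascii_lowercase),
    ("digit", string.digits),
    ("punct", string.punctuation),  # 32 symbols
)


def classes_used(pw):
    """Which of upper / lower / digit / punctuation the password draws on."""
    return [name for name, alphabet in _CLASSES if any(c in alphabet for c in pw)]


def charset_size(pw):
    """Alphabet size an attacker must search, given the classes actually used."""
    used = classes_used(pw)
    return sum(len(alphabet) for name, alphabet in _CLASSES if name in used)


def brute_force_seconds(pw, rate=ASSUMED_GUESSES_PER_SECOND):
    """Seconds to try every string of this length over this alphabet."""
    return charset_size(pw) ** len(pw) / rate


def _common_affix(a, b):
    """Characters shared at the start plus characters shared at the end."""
    pre = 0
    while pre < min(len(a), len(b)) and a[pre] == b[pre]:
        pre += 1
    suf = 0
    while suf < min(len(a), len(b)) - pre and a[-1 - suf] == b[-1 - suf]:
        suf += 1
    return pre + suf


def is_recycled(pw, previous):
    """True if pw keeps the start and/or end of an old password and only
    swaps the middle, e.g. East1port -> West2port -> South3port."""
    threshold = max(4, len(pw) // 3)
    return any(_common_affix(pw, old) >= threshold for old in previous)


def check_password(pw, previous=()):
    """Return the slide rules this password breaks (empty list = passes)."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if len(classes_used(pw)) < 3:
        problems.append("uses fewer than three of upper, lower, digits, punctuation")
    core = "".join(c for c in pw if c.isalpha()).lower()
    if core in CONSTRUCTED_WORD_LIST:
        problems.append("a real word with digits or symbols bolted on")
    if is_recycled(pw, previous):
        problems.append("a recycled variant of a previous password")
    return problems


if __name__ == "__main__":
    for pw in ("abc123", "West2port", "!amcO1dt@day"):
        print("%s: %s; brute force ~%.0f s" % (
            pw, check_password(pw, previous=["East1port"]) or "passes",
            brute_force_seconds(pw)))
```

The brute-force estimate is an upper bound on the attacker's work for a truly random password; a dictionary word with a digit appended falls far faster, which is why the check looks at the word and the rotation pattern as well as the length.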
46. Password Managers
Password managers keep track of all of your passwords... You may find them useful
• So you have all of these fancy secure passwords but if you are like me you can't remember them when you need them.
• A password manager remembers them all for you and signs you in automatically.
• They will generate secure passwords
• All you have to do is remember 1 password.
• PC Magazine rates some of the best:
• Dashlane 1.1
• Kaspersky Password Manager
• LastPass 2.0
47. How do you know if your computer is infected
It is not always easy to tell
• Your computer starts behaving strangely
• Unexpected sounds or messages
• Programs that start all by themselves
• You get a firewall warning
• System errors
• Computer won't start
• Blue screen of death
• The hard drive access light keeps running
• Web browser won't let you close a window
• Programs or controls no longer work
48. What to do with a computer that has a virus
• Disconnect from the internet
• Try loading the operating system in "safe mode"
• Boot from a rescue CD
• If the computer starts do a complete scan using your antivirus software. If the virus scan finds nothing you may not have a virus
• Remove any unlicensed/trial software
• Remove all of those junk files you have
• Be sure you have the latest software updates installed
• If the computer was compromised and data was breached don't turn it off or reboot it: the safe mode and rescue CD steps above wipe out what is in memory, which is evidence, so follow the breach steps on slide 59 instead
49. We are vulnerable - Dumpsters and more
Don't forget that the internet is not the only place your data can be breached
50. Protect physical records from prying eyes
• Use a shredder
• Keep files locked
• Secure your mail boxes
• Use passwords on your computers' screensaver
52. It takes a whole company to protect the business
If a breach occurs there is a lot to do. These are the things you need to consider across your business:
• Leadership to provide direction and resources
• Secure the computer systems
• Familiarity with changing state and federal notification requirements
• Notifying the media and keeping track of how a breach may affect the business
• Training employees and making them aware of how to protect themselves and the organization
• Notifying and engaging law enforcement should a theft occur
• Working with a theft and data breach resolution provider to handle escalation, tracking, notification and call center services for those affected by the breach
In a small organization managing all of these functions may rest on just one or two people
53. Make fraud preparedness a priority
Make sure everyone in the company knows what to do
• Have data security and mobile device policies and keep them current
• Communicate those policies to everyone
• Limit the type of data an employee can access based on job requirements
• Review the plan annually
54. Make fraud preparedness a priority
Put your team together. Train everybody. Practice - just like a fire drill
• Choose an incident leader, who:
• Manages the company's overall response and team
• Is the intermediary between executives and the team
• Reports problems and progress
• Identifies key tasks, timelines, documents and reports the theft and its solution
• Proposes the ID fraud budget required to remedy
• Summarizes required steps
• Updates contact lists
• Assures key personnel are trained
• Reviews the organization's response to make the next time function better
55. Are you ready?
• Internet access
• Email
• Preparedness is a priority
• Restricted use of thumb drives
• Laptops are encrypted
• Mobile devices
• Data access limited to those who need to know
• Best practices followed by the entire organization
• Regular bank and credit card account monitoring
56. Are you ready - Look at your legal obligations
• Work with your attorney to be sure you meet your industry reporting obligations for the type of data that was stolen
• Review who needs to be contacted
• Customers
• Employees
• Media
• Regulators
• Agencies
• If notification is required be sure notices are sent within the required time line
• Never send Social Security Numbers or other sensitive information to vendors supporting your breach rectification efforts
57. Are you ready? Quarterly
1. Update the data breach response team contact list
2. Review your response plan to be sure it is comprehensive
3. Review notification requirements
4. Evaluate your Information Technology security
5. Be sure third parties that have access to your data use best practices
6. Review your vendor contracts to assure they continue to match your requirements
59. What to do first
The breach or theft is "discovered"
1. Note the date and time the theft occurred or you found out about it
2. Engage the response team
3. Preserve evidence by securing the place where the theft occurred
4. Take affected machines offline to stop additional harm (unplug the network cable or disable the Wi-Fi) but DON'T turn them off: powering down loses whatever is in memory
5. Document, document, document
6. Determine what the risk is overall and prioritize next steps
7. Notify your vendors
8. Bring in the police
60. Work with your team to find out more about what happened
• What countermeasures were in place when the theft occurred
• Was the data encrypted
• Review backups and other information that was preserved to find out as best you can what was taken
• Begin the process to determine who was affected and the extent of it
• Put together names and addresses so they can be notified
61. Fix the cause of the problem
• Find and delete the virus or other tools the hacker used to get the data, once the evidence has been preserved
• Clean the affected machines before you put them back online
• Find and fix security gaps or other risks
• Do the best you can to ensure that the type of breach does not happen again
• Document the who, what, when, how and why of the breach or theft
62. Resources
There is a lot of information out there about ID fraud
• Microsoft Malicious Software Removal Tool
• Microsoft Safety and Security Center
• Your computer manufacturer
• Your software manufacturer
• Your ISP
• Google
• Virus definition directory
• Build a list of trusted sites
• ID Theft Resource Center
63. ID Theft Protection Services
Providers: NXG Strategies, Lifelock, ProtectMyID, Trusted ID
What they offer:
• Credit monitoring
• Credit reports
• Credit scores
• Internet monitoring
• Alerts
• Public records monitoring
• Software
• Lost wallet
• Insurance / guarantee
• Call center
• Guidance and advice
65. Protecting the business against theft requires all of these things
• Knowledge
• Systems
• People
• Policies
• Plans
• Partners: SCORE, Management Insights
I asked someone once what is the most important thing you need to have a successful business. He said "You need it all." ID theft protection is part of the requirement. There is a lot to learn but you are not alone
66. At the end of the day it is the right thing to do!
Knowledge, Systems, People, Policies, Plans, Partners, Power
• Your computers and your business will run better
• Your business will be more secure
• You will have more time to do the important things
• You will save money
• You are fighting evil
• You will sleep at night
• You are being a proactive business owner
• You will know enough to finally understand what the IT people are talking about a little better
• You will have more power over your enemies
• You will have done all you can to protect your business against a real and present danger
• You will meet some really cool people who have your back