These are the slides I presented at the 2019 South Carolina Bar Convention and addressing the role of human error, inattention, impatience, and greed in data security incidents. These actions an inaction which often lead to the loss of sensitive information, client funds, and access to networks and files.

1. The Role of the "Human Factor" in Protecting
Information

2. Jack Pringle
Adams and Reese LLP
(803) 343-1270
jack.pringle@arlaw.com
@jjpringlesc
https://www.linkedin.com/in/jack-pringle-5834554
http://www.slideshare.net/jjpringle317

3. A Word on Redaction

4. Setting the Context
• Putting technology TOOLS in context
• Why You Employ the Tools: Proper
Management of Confidential and Sensitive
Information
• Security is Not the Default Setting in a
Connected World

5. Overview
• Skeptical is Not the Default Setting for Humans,
Particularly Now
• Trust, belief, impatience/urgency, greed, (and
lust) are the Default Settings for Humans
• Machines accelerate and encourage those
Defaults
• Changing those defaults and creating aware
people are a crucial part of any security program

7. Introduction- Technology as a Tool
• "Technology is a very human activity, and
so is the history of technology." - Melvin
Kranzberg
• "If you think security is a technology
problem, then you don't understand the
problem, and you don't understand
security."-Bruce Schneier

9. Crucial Security Points
• Security is NOT the Default in a Connected
World
• Security is a Process, Not a Product
(Security is not “Done”)
• Tension between security and human
defaults

10. Unique Challenges of a
Connected World
• Computer networks default to open
• Access to many more powerful machines
• On the Internet, No One Knows You Are a
Dog.

12. What We Do

13. Ethical Obligations
• Provide competent representation (1.1)
• Keep information confidential (1.6)
• Keep property safe (1.15)
• Manage and supervise (5.1 and 5.3)

14. Legal Obligations
• SC Breach Notification Law
• HIPAA
• GLBA
• Confidentiality Agreements and Protective
Orders

15. Why Protect It?
• What is confidential?
• What is sensitive?
• Why does it matter?

16. Thought Experiment

17. That Era’s Con Man

18. So What Has Changed?

19. Bits, Not Atoms

20. The Network Has Extended

21. Tools More Powerful

22. Networks Have Blurred

23. The Dogs Have Access to Your Networks

24. Not Much Time to Adapt to These Tools

25. Don’t Blink

26. Changing Our Practices

28. Our New Defaults . . .

29. Human Defaults Have Not Changed

32. Why is This Our Default?

34. The Con Sits in Your Office, and
Plays on Your Default

35. “Everything that I did is so much
simpler now.”- Frank Abdingdale

38. The Consequences of the Default

39. More …

40. Tools To Reset the Defaults

41. Processes to Change the Defaults

42. Change to the Human Default

43. Access Control- Change the Default
from “Everyone Welcome”

44. Manage Insider Threats
• Access Control
• Dual Control
• Segment

45. Layered Security

46. No Technology Tool Can
Keep All the Bad Stuff Out
of Your Inbox

47. Why is the Human Layer So Important?
Because Everybody Clicks By Default

48. Pausing Through the Default

49. Avoiding Wire Transfer Fraud

50. Wire Transfer Fraud
• Fraudster sends an email that appears
to be from a legitimate source
(jack.pringle@arlav.com)
• Informs the recipient of a change in
wiring instructions
• Recipient wires funds to the fraudster’s
bank

61. Ransomware: The Wages of Clicking
Malware that encrypts (locks up) files so you
can’t use them (and then demands a ransom).

65. Not a Drive-By Download

66. Don’t Get Excited About Getting Paid

67. Verify Authority

68. Hover (Without Clicking)

69. Jack.pringle@arlaw.com
Jack.pringle@arlaw.com
Jack.pringle@arlav.com

70. No Person’s-Land

71. Is this Backup?

72. Encourage Rapid Reporting

73. Takeaways
• Don’t Click on attachments and links in
emails from senders you don’t recognize;
• Verify (in person or on the phone) messages
from people you THINK you know
BEFORE YOU CLICK;
• Pause and don’t get conned.
• Don’t store documents on your work station

74. Manage and Train

75. More Questions
• Your Service Providers (What
Are They Handling?)
• Security Breaches (Got a Plan?)
• Disaster Recovery? (Got a Plan?)

76. Conclusion (Part One)

77. Conclusion (Part Two)

78. Resources
SANS, Securing the Human https://www.sans.org/security-awareness-training
SEC Report of Cyber-Related Frauds, SECURITIES EXCHANGE ACT OF 1934 Release No. 84429 /
October 16, 2018 https://www.sec.gov/litigation/investreport/34-84429.pdf
American Bar Association, Formal Opinion 483, “Lawyers’ Obligations After an Electronic Data Breach
or Cyberattack,” Issued October 17, 2018
https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_op
_483.pdf
ALTA Title Insurance and Settlement Company Best Practices
https://www.alta.org/bestpractices/start.cfm
Ransomware Victims Urged to Report Infections to Federal Law Enforcement
https://www.ic3.gov/media/2016/160915.aspx
“BofA Denies Liability for Wire Transfer After Law Firm ‘Took the Bait’ in Phishing Scam”
https://www.law.com/thelegalintelligencer/2018/06/29/bofa-denies-liability-for-wire-transfer-after-law-
firm-took-the-bait-in-phishing-scam/

79. More Resources
Cybersecurity for Small Business
https://www.ftc.gov/tips-advice/business-
center/small-businesses/cybersecurity
NIST Small Business Corner
https://www.nist.gov/programs-projects/small-
business-corner-sbc