These are the slides I presented at the 2019 South Carolina Bar Convention, addressing the role of human error, inattention, impatience, and greed in data security incidents. These actions and inactions often lead to the loss of sensitive information, client funds, and access to networks and files.
4. Setting the Context
• Putting technology TOOLS in context
• Why You Employ the Tools: Proper Management of Confidential and Sensitive Information
• Security is Not the Default Setting in a Connected World
5. Overview
• Skeptical is Not the Default Setting for Humans, Particularly Now
• Trust, belief, impatience/urgency, greed, (and lust) are the Default Settings for Humans
• Machines accelerate and encourage those Defaults
• Changing those defaults and creating aware people are a crucial part of any security program
7. Introduction - Technology as a Tool
• "Technology is a very human activity, and so is the history of technology." - Melvin Kranzberg
• "If you think security is a technology problem, then you don't understand the problem, and you don't understand security." - Bruce Schneier
9. Crucial Security Points
• Security is NOT the Default in a Connected World
• Security is a Process, Not a Product (Security is not “Done”)
• Tension between security and human defaults
10. Unique Challenges of a Connected World
• Computer networks default to open
• Access to many more powerful machines
• On the Internet, No One Knows You Are a Dog.
50. Wire Transfer Fraud
• Fraudster sends an email that appears to be from a legitimate source (jack.pringle@arlav.com)
• Informs the recipient of a change in wiring instructions
• Recipient wires funds to the fraudster’s bank
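The slide's point is that the sender address only *appears* legitimate, and the speaker notes below repeat the advice to look closely at email addresses. As an added example (this is not code from the presentation), the script below does that look mechanically: it compares an inbound From: header against a list of known correspondents and flags exact matches as known, near-matches as lookalikes that need a phone call, and everything else as unknown. The contact list, the confusable-character table, the public-provider list and the sample headers are all constructed placeholders; the domains example-law.com and example-title.com are assumed, not taken from the slides.

```python
"""Screen an inbound From: header against known correspondents and flag
near-matches for out-of-band verification before acting on any change in
wiring instructions.

Added example for this page, not code from the presentation. The contact
list, confusable table, public-provider list and sample headers are
constructed placeholders."""
import difflib
from email.utils import parseaddr

# Constructed list of trusted correspondents: address -> display name.
KNOWN_CONTACTS = {
    "jane.doe@example-law.com": "Jane Doe",
    "closing@example-title.com": "Example Title Closing Desk",
}

# Glyph sequences that make one domain read like another at a glance.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Public mailbox providers; a known person "writing from home" is a common pretext.
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}


def fold(domain: str) -> str:
    """Collapse confusable glyph sequences so lookalike domains compare equal."""
    d = domain.lower()
    for look, real in CONFUSABLES:
        d = d.replace(look, real)
    return d


def classify_sender(header: str, known=KNOWN_CONTACTS, cutoff: float = 0.85) -> dict:
    """Return {"address", "status", "reason"}; status is known, lookalike or unknown."""
    name, addr = parseaddr(header)
    local, _, domain = addr.lower().rpartition("@")
    address = f"{local}@{domain}"
    known_domains = {a.rpartition("@")[2] for a in known}
    known_locals = {a.rpartition("@")[0] for a in known}

    def lookalike(reason: str) -> dict:
        return {"address": address, "status": "lookalike", "reason": reason}

    if address in known:
        return {"address": address, "status": "known", "reason": "exact match"}

    # A new mailbox at a domain we already trust is not a lookalike, but it is
    # still not a contact on file; treat it as unknown so a human confirms it.
    if domain in known_domains:
        return {"address": address, "status": "unknown",
                "reason": f"new mailbox at known domain {domain}"}

    # 1. Domain equals a known domain once confusable glyphs are folded (examp1e, exarnple).
    for kd in known_domains:
        if fold(domain) == fold(kd):
            return lookalike(f"domain {domain} reads like {kd}")

    # 2. Domain is a small edit away from a known domain (dropped hyphen, swapped letter).
    near = difflib.get_close_matches(domain, known_domains, n=1, cutoff=cutoff)
    if near:
        return lookalike(f"domain {domain} is a near edit of {near[0]}")

    # 3. A known contact's display name on an address we do not have on file.
    if name and name.lower() in {n.lower() for n in known.values()}:
        return lookalike(f"display name {name!r} used with unknown address")

    # 4. A known contact's mailbox name at a public provider.
    if local in known_locals and domain in FREEMAIL:
        return lookalike(f"known mailbox name {local!r} at public provider {domain}")

    return {"address": address, "status": "unknown", "reason": "no contact on file"}


def screen(headers):
    """Classify a batch of From: headers; anything not 'known' needs a phone call."""
    return [classify_sender(h) for h in headers]


if __name__ == "__main__":
    # Constructed sample headers, one per case the classifier distinguishes.
    for verdict in screen([
        "Jane Doe <jane.doe@example-law.com>",
        "Jane Doe <jane.doe@examp1e-law.com>",
        "closing@examplelaw.com",
        "Jane Doe <jane.doe@gmail.com>",
        "vendor@totally-different.org",
    ]):
        print(verdict["status"].ljust(9), verdict["address"], "-", verdict["reason"])
```

The classifier deliberately never answers "safe": only an exact match against the contact list is "known", and even a known domain with a new mailbox comes back "unknown". The output is a prompt for the out-of-band check the slides recommend, not a substitute for it.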
61. Ransomware: The Wages of Clicking
Malware that encrypts (locks up) files so you can’t use them (and then demands a ransom).
73. Takeaways
• Don’t click on attachments and links in emails from senders you don’t recognize;
• Verify (in person or on the phone) messages from people you THINK you know BEFORE YOU CLICK;
• Pause and don’t get conned.
• Don’t store documents on your workstation
78. Resources
SANS, Securing the Human https://www.sans.org/security-awareness-training
SEC Report of Cyber-Related Frauds, SECURITIES EXCHANGE ACT OF 1934 Release No. 84429 / October 16, 2018 https://www.sec.gov/litigation/investreport/34-84429.pdf
American Bar Association, Formal Opinion 483, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack,” Issued October 17, 2018 https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_op_483.pdf
ALTA Title Insurance and Settlement Company Best Practices https://www.alta.org/bestpractices/start.cfm
Ransomware Victims Urged to Report Infections to Federal Law Enforcement https://www.ic3.gov/media/2016/160915.aspx
“BofA Denies Liability for Wire Transfer After Law Firm ‘Took the Bait’ in Phishing Scam” https://www.law.com/thelegalintelligencer/2018/06/29/bofa-denies-liability-for-wire-transfer-after-law-firm-took-the-bait-in-phishing-scam/
79. More Resources
Cybersecurity for Small Business https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity
NIST Small Business Corner https://www.nist.gov/programs-projects/small-business-corner-sbc
Editor's Notes
“If you think security is a technology problem, then you don’t understand the problem, and you don’t understand technology.”
Tension Between Security and Convenience (and Collaboration)
Our Extended Mind-
Information outside your head, between and among people but also between ideas, news, types of data,
So much, so fast, to so many
Which is smarter, the lawyer or the computer? Neither. It’s the two together, working side by side. Security is that way; electronic discovery is that way.
Confidence Game:
Creates trust; plays on greed, lust, impatience, inattention.
This is universal. This has taken place forever.
Do you think you have gotten smarter?
https://www.sec.gov/litigation/investreport/34-84429.pdf
As noted above, these frauds were not sophisticated in design or the use of technology; instead, they relied on technology to search for both weaknesses in policies and procedures and human vulnerabilities that rendered the control environment ineffective. Having internal accounting control systems that factor in such cyber-related threats, and related human vulnerabilities, may be vital to maintaining a sufficient accounting control environment and safeguarding assets.
The firm has very sophisticated tools to detect and block bad stuff. But no tool is perfect, because the bad actors are always evolving. So all of us, the human layer of security, play a very important role in our security program. And that means pausing before you click.
(Why Launch a Missile When the Screen Door is Left Open)
Out-of-band
About not sending financial information via unsecured email, and about looking closely at email addresses.
Example. Very profitable.
You are going to get paid
Doing something for your boss
Review their privacy and information security procedures to detect the potential for improper disclosure of confidential information.
Audit and Oversight
Post your privacy and information security program on your website or provide program information directly to customers.
Inform customers and law enforcement as required by law.