It’s no longer a question of whether you will be breached or not. It’s pretty much guaranteed you will be. Brian Chertok, EVP Strategy & Marketing, CyberScout, presented on the topic of cyber threats at NEDMA18, and what businesses and professionals can do to make it tougher on cyber criminals.
5. Brian S Chertok | EVP CyberScout
Our Mission
As trusted partners, we help your customers minimize, monitor and manage identity theft, fraud and cyber risk.
6. Company History
[Timeline figure, 2003 to 2017: Identity Theft 911 founded in 2003; retainer-based identity theft education and resolution services to credit unions and to large insurance carriers; continuing education course in identity management for insurance professionals; LifeStages; DataRiskStages; FraudScout; eLearning platform for insurance companies, agents and policyholders; 10th anniversary with the Privacy XChange Forum and IDT911 Consulting (2013); expansion to the U.K. and EU and to Montreal, Canada; in 2017 the new company name CyberScout, created to meet the needs of a growing business, and expansion into Employee Benefits and Financial Institutions.]
7. Current Reach
Headquarters: Scottsdale, AZ. Offices: Providence, RI; New York, NY; Montreal, Canada; Galway, Ireland
• 17.5 million households
• 45 million individuals
• 770,000 breach services customers
• 660+ institutions
12. What is Cyber Crime?
Think you can avoid it? Identity Theft Facts (2016 Javelin Identity Fraud):
• $15 billion in total fraud losses
• 13.1 million consumers experienced identity fraud
• Mean fraud cost to consumers: $1,147
• Roughly 1 in 5 breach victims experience fraud
16. Spear phishing
Example 1:
From: Help Desk
Sent: Monday, August 4, 2016 8:00 a.m.
To: Joe@mycompany.com
Subject: System Access Update
Dear Joe,
Our records indicate you have not changed your password in the last 90 days. If you do not change your password within the next 24 hours, your access to Human Systems will be suspended.
To access Human Systems, follow the link below:
HTTPS://human-systems-access.mycompany.com/password-update
As a reminder:
• Use complex passwords
• Change passwords every 90 days
• Do not use passwords that you use on other sites
Sincerely,
Help Desk
Human Systems Login
Example 2:
From: Daniel Rais
Sent: Wednesday, January 25, 2017 8:00 a.m.
To: francesca.spidalieri@salve.edu
Subject: Great conference speech!
Hi Francesca,
I very much enjoyed your recent presentation at the cybersecurity conference and wanted to share with you an interesting article on the same subject,
http://www.fordes.com/sites/2017/01/02/cybersecurity&riskmanagement/#1e797d807d27
I look forward to meeting you again in the future.
Best Regards,
Daniel Rais
17. If you receive a phishing email
• Be aware – Be wary of any urgent or confidential requests.
• Think before replying – Never “reply” to the email containing a suspicious request.
• Authenticate the sender of the message by contacting him/her by an alternative method (call or walk over to their desk).
• Get two okays – Contact a different person at the company with whom you have a relationship before authorizing transactions.
• Check your sent mail, junk mail, and email account settings regularly for anomalies – Hackers often break into an email account and modify the “email forwarding” settings to forward emails to their own account.
• Don’t email sensitive or confidential information – Consider using a secure document sharing or transaction management platform.
• Regularly purge your email of unneeded or outdated information – Save any important emails securely.
• Alert your bank of any potentially fraudulent transaction.
• Educate your family members and your employees about the potential impact of online scams.
• Create a process for employees to report phishing incidents.
• Remove or quarantine infected machines.
18. Ransomware
Ransomware is a type of malware that restricts access to an infected computer system
• Demands ransom to remove the restrictions
• Some forms systematically encrypt files on the system's hard drive
• Difficult or impossible to decrypt without paying the ransom for the decryption key; some may simply lock the system and display messages to coax the user into paying
• Most ransomware enters the system through attachments to an email message
For consideration
• Don’t click on unknown links
• Keep your anti-virus software up to date
• Back up all sensitive information
• Employee education
21. Taking Responsibility
Non Cyber
Protecting Individual Property
• Property Insurance
• Homeowners Insurance
• Automobile Insurance
Protecting ourselves
• Exercise
• Household Maintenance
• Brushing your teeth
• Lawn Care
• Eating well
Protecting Business Property
• Liability Insurance
• Contracts / MSAs, SOWs
• Fire Insurance
• Property Insurance
Protecting Business Activity
• Legal Counsel
• Collections
• Accounting / Finance
• Employee Benefits
22. Technology is changing the value
UPSIDE
• Over 3.2 billion Internet users – 60% of world population
• Over 87% of Americans are connected to the Internet today
• Today, we all have between 4-5 connected devices, but this number will grow to 15-20 devices associated with each one of us by 2020 (over 50 billion worldwide)
DOWNSIDE
• It takes an average of ~146 days for a hacker to be detected
• Last year, cyber attacks cost businesses more than $400 billion and are expected to surpass $2 trillion/year by the end of the decade
• Hackers release a new malware variant every 200ms; 27K during this class
• The average cost of a lost or stolen record containing sensitive and confidential information is now $158/record (average cost of a data breach $4 million)
• A merchant can be fined monthly, up to $100K, for PCI DSS compliance violations
24. What is CyberCrime
It’s a data acquisition business
[Diagram: a conventional business (Finance, Sales & Marketing, Operations, Manufacturing) exchanging goods & services for $$$ with its suppliers and customers, shown beside the cybercrime economy, where Ransomware, Phishing and ID Theft specialists trade BII, PII and CODE with The Aggregator for $$$.]
38. Your Risk Management To-Do List
Cybersecurity Awareness and Education across the entire organization – Cybersecurity is a shared responsibility!
MINIMIZE – Reduce Risk/Exposure (proactive measures)
• Don’t collect data unless you need it, and get rid of data as soon as it is of no use
• Configure your systems appropriately
• Encrypt private personal data
• Back up, back up, back up
MONITOR – Risk Assessment
Conduct a risk analysis to determine weaknesses
• Know where your “crown jewels” are and prioritize the most important assets
• Monitoring and early detection
• Exercises and red teaming
MANAGE – Documentation/Programs
Develop a comprehensive Enterprise Risk Management (ERM) Plan that includes cyber risks
• Build a framework for Incident Response and resilience
• Develop a Business Continuity Plan (BCP)
• Data/Document Retention and Destruction Plan
• Data Security and Privacy Awareness Program
39. Develop a Framework for Incident Response
• Preparation: Define roles & responsibilities
• Identification / Detection / Notification: Know how to identify and verify that an incident has occurred and what data has been compromised
• Containment & Eradication: Mitigate damages and remove the threat
• Activate Business Continuity Plan (BCP)
• Implement Disaster Recovery Plan (DRP)
• Determine legal implications (notification)
• Follow-up & lessons-learned
• Documentation & Reporting
• Review & update incident response plan
40. Stay Current with Best Practices
Applicable frameworks, benchmarks, assessment tools, reference guides
• NIST Cybersecurity Framework
• NIST Special Publication 800 series
• Center for Internet Security (CIS) Controls for Effective Cyber Defense
• International Organization for Standardization (ISO) standards
• Control Objectives for Information and Related Technologies (COBIT) standards
• DHS Cybersecurity Evaluation Toolkits
• Health Information Trust Alliance (HITRUST) Common Security Framework (CSF)
• Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool
• ISACA
• SANS
41. Stay Informed and Plan Your Defenses
• Widening gap between compromise and discovery times
• Growing number of healthcare breaches
• Rise of collateral damages
• Growing number of corporate extortion cases
• Increase of third party risks
44. Your Risk Management To-Do List
Cybersecurity Awareness and Education across the entire family – Cybersecurity is a shared responsibility!
MINIMIZE – Reduce Risk/Exposure (proactive measures)
• Don’t collect data unless you need it, and get rid of data as soon as it is of no use
• Configure your systems appropriately – change default settings
• Encrypt private personal data
• Back up, back up, back up
MONITOR – Risk Assessment
Conduct a risk analysis to determine weaknesses
• Know where your “crown jewels” are and prioritize the most important assets
• Monitoring and early detection
• Exercises and red teaming
MANAGE – Documentation/Programs
Develop a comprehensive household Plan that includes cyber risks
• Know who to call in the event of a breach
• Back up all vital information
• Data Security and Privacy Awareness Program
49. Other laws influencing information security
in the U.S.
• Electronic monitoring of employees
• Intellectual Property Law
• Corporate proprietary information, such as trade secrets, copyrights, branding, trademarks, patents, etc.
• Payment Card Industry Data Security Standard (PCI DSS) – an industry standard, not a law
• Family Educational Rights and Privacy Act
• Children's Internet Protection Act
• Sarbanes-Oxley Act
54. QUESTIONS?
• Brian S Chertok | EVP Strategy & Marketing
• bchertok@cyberscout.com
• 401.680.4070
Editor's Notes
Good afternoon and thank you for having me. Thank you NEDMA and, in particular, Pat and Beth.
We’re here to talk about Cyber Crime and, of course, Cyber Security.
As we head down the path of cyber crime, we’ll talk about the risks both to individuals such as you and me and to businesses. Likewise, we’ll look at the steps we can take to make it harder on Cyber Criminals and to lessen the likelihood that our families and businesses will be impacted.
In addition, we’ll talk about the changing regulatory environment, specifically from a marketing point of view. As anxiety over customer privacy intensifies, how will this affect demand generation? As we’ll see, there are no simple answers.
So let’s begin…
Who am I?
My name is Brian Chertok and I am a 25-year global B2B marketer for technology companies including Avid Technology, Cognos, Kronos and now CyberScout. I have degrees in communications and business from Pratt Institute and Columbia University respectively. On the lighter side, I collect toy taxis from all over the world (some 125 and counting) and enjoy jazz in most of its forms.
For three years, I have been the EVP of Strategy and Marketing for CyberScout.
For 15 years, we have been helping companies, their customers and their employees MINIMIZE, MONITOR and MANAGE identity theft, fraud and Cyber risks.
We help you Minimize your exposure to cyber risk by providing education and cost-effective technology solutions;
Enable you to Monitor personal information with a flexible platform providing fraud-focused defense services;
And finally, Manage the damage to your identity, privacy, and security in the event of a breach, with personal advocacy from CyberScout’s award-winning team.
Today, CyberScout remains at the forefront of the industry, employing new technologies and practices to ensure clients and their customers have the latest tools to protect the privacy and security of their most valuable assets.
We provide data risk prevention and remediation services to more than 770,000 businesses, including:
Insurance carriers, financial institutions, credit unions, healthcare, and employee benefit providers
Many Fortune 500, as well as small to midsize companies
Our expert fraud resolution team provides service to more than 17.5 million households nationwide, covering:
Nearly 45 million Americans
15% of U.S. households
45% of the P&C insurance marketplace
Now, let’s talk about you!
When I talk to friends, customers and conferences like these, I find the vast majority of us fall into two of the three categories shown here, and this is understandable.
With all the noise about data breaches, identity theft and related frauds, along with systems that are clearly lagging in their ability to offer protection, it’s no wonder that we either choose to put our heads in the sand or simply take our chances.
Oh, and that guy in the middle, he really doesn’t exist! But hopefully, by the end of this presentation, you will all have more in common with him than with the other two.
Let’s talk about Mr. Head in the Sand. When people discover I’m in Cyber Security, many will shrug off the risks, saying “they’re too small to be noticed” or “haven’t got enough assets to be worth anyone's while.” For those of you out there, I hope that by the end of this presentation you understand there is no such thing as too small or insignificant.
Now the Gambler is slightly different. They acknowledge that they may be a worthy target but have given up on their ability to defend themselves, arguing that they will rely on the theory of large numbers for protection instead: I’ll just feel the breeze of the bullet as it passes me by. Like Mr. Head-in-the-Sand, this, too, is a failed strategy.
Before we talk about Mr. Cyber Hero here, let’s shift gears and get an operating definition of what cyber crime is in order to understand the risks we face.
As marketers, we all know what FUD is. It’s the “promise of certain danger” if you do not take a specific action such as buying a product or service. Make no mistake, what follows is FUD – a real promise of the dangers we all face out in cyber space.
Cyber Crime, as a category, is growing, both in frequency and in variations. Quite simply, we are in a game of walls and ladders. We build higher walls and the bad guys get bigger ladders. That’s important because dealing with Cyber Crime is not a static exercise.
That being said, we can currently assign various types of crime to the 8 general categories listed here. Some are obviously heinous and deplorable. Others can range from simple nuisance to serious impact to one’s livelihood and assets.
We’ll get into definitions more precisely later on.
Finding charts on the incidences of CyberCrime is honestly a slam dunk. There is no shortage and virtually all of them make the case shown here. All forms of Cyber Crime are on the rise and show no signs of tapering off.
Oh, by the way, we need to define our first acronym: PII or Personally Identifiable Information. This refers to the broad category of information that is specific to us.
Want more?
It is estimated that the Equifax Breach affected 187 million people. Actually, I believe I just read that the number is short of current estimates… but let’s go with it for a minute. Equifax is one of 3 Credit Bureaus, along with Experian and TransUnion. These 3 companies have a monopoly on the information you need to qualify with banks, hospitals, mortgage companies, employers, etc. – this is where your credit score comes from. So, suffice it to say, they hold all of the PII in the country.
Now let’s revisit that 187 million. Currently, the US boasts 325 million citizens. Approximately 75 million are children. That leaves 250 million. Approximately 10 million are unemployed, and another 5 million have stopped looking. Add 600K homeless and the number of addressable records for employed Americans falls to 234 million. So, if you’re an employed American, there is an 80% chance that your PII was part of the Equifax Breach.
So, to the gamblers out there… still think you haven’t been breached? Add TJX Corporation, Sony, Sears, and on and on, and you get the picture. This morning, I also read that Cambridge Analytica, the company that acquired Facebook data, kept it all on unprotected servers which, experts now believe, may have been breached on several occasions.
And by the way, if your data has, in fact, been compromised, you have a 71% greater chance of being victimized by CyberCrime.
So, it’s probably safe to say to all you gamblers out there that the cyber bullet has actually struck its target as opposed to passing you by.
Back to definitions.
I’ve broken out a few so you can get a better understanding of the range of crimes out there. Malware can result in harmless popups or, as we shall see, bring your systems to a crashing halt.
CyberBullying is not just for school children, although I would hasten to add that that is bad enough. Imagine any of this happening in the workplace.
And we’ve come a long way from the prince of Nigeria, who is still anxious to receive your PII in return for money that will benefit you and save his kingdom.
Imagine a company controller getting emails from the CEO, who is known to be travelling, saying that he or she needs money wired right away, or that failure to pay Canadian taxes will result in sharp fines. All of this is done in emails that, absent one errant character, look like the real deal.
To be clear, I am not making any of this up.
Here is some additional vocabulary that may have crossed your path. Don’t worry, there is no quiz at the end of my presentation and further, no reason to remember these terms necessarily. What matters is that your awareness gets raised and that you begin viewing all emails with greater suspicion.
To be clear, any email that:
Asks for PII
Requires clicking on a link to progress
Or comes from an “official-looking” source
Should warrant a thorough examination before taking action. Slow down and proceed with caution. It could save you hundreds of thousands of dollars, your business’ reputation and then some.
Let’s look at an example:
This official looking email has all the clues hiding in plain sight.
First of all, the IRS wouldn't send a notification about a potential problem or unexpected refund via email.
In fact, the IRS will never initiate contact with you via email. You won't receive an audit notice or request for additional information via email. These emails are intended to either harvest information from you in order to steal your identity or they may contain malware or spyware.
Let’s look at the warning signs:
The IRS knows who you are. A generic greeting would never be used.
The IRS does not do auto-deposit via email. They send checks.
Often, hovering over the link will reveal a location not affiliated with the government.
Spear phishing is an email that appears to be from an individual, business, or department that you know. But it isn't. It's from the same criminal hackers who want your credit card and bank account numbers, passwords, and the financial information on your computer.
The criminal thrives on familiarity. He knows your name, your email address, and at least a little about you. The salutation on the email message is likely to be personalized: "Hi Francesca" instead of "Dear …." The email may make reference to a recent event or a recent online purchase you've made. Because the email seems to come from someone you know, you may be less vigilant and give them the information they ask for. And when it's a company/department you know asking for urgent action, you may be tempted to act before thinking.
How do you become a target of spear phishing? From the information you or your organization put on the Internet. For example, they might scan social media, find your Facebook page, your email address, and a recent post about your speaking engagement. Using that information, a spear phisher could pose as a friend or acquaintance, send you an email, and ask you for credentials or to click on a link.
Keep Your Secrets Secret
How safe you and your information remain depends in part on you being careful. Take a look at your online presence. How much information is out there about you that could be pieced together to scam you? Your name? Email address? Friends' names? Are you on, for example, any of the popular social networking sites? Take a look at your posts. Anything there you don't want a scammer to know? Or have you posted something on a friend's page that might reveal too much?
We’ll talk about managing profiles later on.
So, what’s a guy or gal to do?
Be wary of any urgent or confidential requests. If something looks fishy to you, it probably is. No alert is considered unnecessary.
Think before replying - Never “reply” to the email containing a suspicious request. That opens the door to the fraudster. Using a slightly altered executive email address is a tactic commonly used by crooks.
Authenticate - Validate by phone any beneficiary or address changes from vendors. Or ask another person at the company to create a new email to confirm the change.
Get two okays - No matter the size of the company, dual authorization should, at a minimum, be implemented for certain transactions.
Alert your bank - It’s essential to tell banks so proper action is taken to stop the wire or prevent more wires from being sent inappropriately.
Remove the dirty PC - Once a machine is compromised, take it off the company’s network until it’s been cleaned of malware.
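The warning signs just listed, and those on the “If you receive a phishing email” slide, run over transcriptions of the two sample emails on the spear phishing slide, as an added Python example that is not part of the talk or of CyberScout’s material: it flags urgency wording, a request for a password, a generic greeting, and a sender or link domain within two characters of a trusted one (the slide’s fordes.com against forbes.com). The From addresses, the lookalike domain mycornpany.com and the trusted-domain allowlist are assumptions made for the demo.

```python
import re
from urllib.parse import urlparse

# Constructed samples transcribed from the two slide examples. The slide shows only display
# names, so the From addresses are assumed; "mycornpany.com" ("rn" for "m") is a made-up lookalike.
SAMPLE_HELPDESK = """\
From: Help Desk <helpdesk@mycornpany.com>
To: Joe@mycompany.com
Subject: System Access Update

Dear Joe,
Our records indicate you have not changed your password in the last 90 days. If you
do not change your password within the next 24 hours, your access to Human Systems
will be suspended. To access Human Systems, follow the link below:
https://human-systems-access.mycompany.com/password-update
"""

SAMPLE_CONFERENCE = """\
From: Daniel Rais <daniel.rais@mail.example>
To: francesca.spidalieri@salve.edu
Subject: Great conference speech!

Hi Francesca,
I very much enjoyed your recent presentation at the cybersecurity conference and
wanted to share with you an interesting article on the same subject,
http://www.fordes.com/sites/2017/01/02/cybersecurity&riskmanagement/#1e797d807d27
I look forward to meeting you again in the future.
"""

TRUSTED_DOMAINS = ("mycompany.com", "forbes.com", "salve.edu", "irs.gov")  # assumed allowlist
URGENCY_PHRASES = ("within the next", "immediately", "right away", "urgent", "suspended")
CREDENTIAL_WORDS = ("password", "credentials", "social security", "account number")
GENERIC_GREETING = re.compile(r"^(dear|hi|hello)\s+(customer|user|member|sir|madam|valued)", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a, b):
    """Levenshtein distance; a small non-zero value between domains means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels of a hostname (simplification: ignores multi-label TLDs like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if exact or unrelated."""
    if domain in trusted:
        return None
    for good in trusted:
        if edit_distance(domain, good) <= 2:
            return good
    return None


def parse_message(text):
    """Split raw text at the first blank line into a header dict and the body."""
    head, _, body = text.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def analyze(text):
    """Return the sorted list of warning signs found in one message."""
    headers, body = parse_message(text)
    findings = set()
    lower = body.lower()
    if any(p in lower for p in URGENCY_PHRASES):
        findings.add("urgency")
    if any(w in lower for w in CREDENTIAL_WORDS):
        findings.add("credential-request")
    first_line = body.strip().splitlines()[0] if body.strip() else ""
    if GENERIC_GREETING.match(first_line):
        findings.add("generic-greeting")
    # Sender: the address inside <...>, or the whole header when there are no brackets.
    match = re.search(r"<([^>]+)>", headers.get("from", ""))
    address = match.group(1) if match else headers.get("from", "")
    if "@" in address:
        sender_domain = registered_domain(address.rsplit("@", 1)[1])
        good = lookalike_of(sender_domain)
        if good:
            findings.add(f"lookalike-sender:{sender_domain}~{good}")
    # Links: judge the host the URL really points at, which is what hovering reveals.
    for url in URL_RE.findall(body):
        link_domain = registered_domain(urlparse(url).hostname or "")
        good = lookalike_of(link_domain)
        if good:
            findings.add(f"lookalike-link:{link_domain}~{good}")
    return sorted(findings)


if __name__ == "__main__":
    print(analyze(SAMPLE_HELPDESK), analyze(SAMPLE_CONFERENCE))
```

Note that the help desk message’s link sits on the company’s own domain and passes the lookalike check; it is the deadline wording, the password request and the altered sender domain that give it away.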
Another threat emerging for the business world is Ransomware – computer malware that encrypts files on your PC or network.
It is frequently deployed through attachments in emails,
and it is difficult or impossible to remove without the decryption key.
On the top right you will see a sample message from a system infected with CryptoLocker.
You see a message with a countdown clock.
The second message shows how to pay for the keys to unlock your computer
It shows the updated timer on the countdown clock.
The ransom amount could go from several hundred dollars to a few thousand dollars.
There is evidence that the fraudsters are learning that the businesses are able to pay more than consumers.
They research the victims who have downloaded the ransomware
And have been known to charge more to businesses.
The protections needed for ransomware are the same as other Malicious software
Don’t click on unknown links
Keep your anti-virus software up to date
Employee education
BUT ABOVE ALL….
This goes for businesses and individuals alike.
Folks, for a few hundred bucks, you can buy an external drive and run a backup once a week or twice a month.
For employees, check with your IT department to make sure your systems are being backed up. Often, backups are limited to shared servers. Get your desktop updated regularly as well.
Now, how do I say this without being combative? Of all crimes, Ransomware is the easiest to thwart, and yet it is often the most difficult to avoid paying for when no backup exists.
Secure a backup protocol asap… please.
We’ve now looked at the variety of cybercrimes out there, and the rate at which variations and incidences are growing. Have I convinced you that our two strategies, head-in-the-sand and gambling will not work?
In fact, our chairman at CyberScout, Mr. Adam Levin, has coined the term “third certainty” in regards to CyberCrime. We know the first two certainties are death and taxes. Actuarially speaking, Cyber Crime is the third.
To understand why this is so, we need to understand how data and the use of data have changed… changed in ways that both enrich our lives while endangering us simultaneously.
Before we continue… anyone overwhelmed? Anyone questioning how we could possibly protect ourselves or how much time and expense are required?
Let’s step away from CyberCrime for a minute and look at a proxy… something similar to CyberCrime that we have already conquered.
Today, we have things… expensive things, irreplaceable things that are continually under threat from theft, wear and tear, acts of G-d, etc. And so, we have developed steps to protect or replace both our property and ourselves. In fact, we have created systems and constructs that allow us to do this with minimal interference with our day jobs and primary responsibilities. We have processes and technologies that, in effect, allow us to “set it and forget it”. We can do the same to combat cybercrime.
So, take a breath, the official FUD section of this presentation is over and we are now going to begin to develop an understanding of how to protect our cyber-identities, just as we have our homes, our cars, our bodies, and our businesses.
Let’s talk about technology and data.
Today, we no longer drive cars, we drive computers on wheels. Seriously, wires no longer connect your headlights to a circuit. Today, they are managed by a central computer along with everything else.
We are bringing interconnected doorbells, home assistants, digital cameras and all sorts of appliances into our homes and, of course, we are taking all this computing power with us in our pockets and handbags. All of this creates benefit and vulnerability.
In short, for all but a few, going off the grid is not an option. Here’s why.
Take a look at these 4 companies – all changing the way we do business. What do they have in common?
Well, are they what they say they are? After all, Uber is a taxi company with no cars. Facebook is a content company with no content. AirBnB is a hotel company with no real estate and Alibaba is a product company with no products. And yet, these are 4 of the most profitable companies on the planet. What is it that they possess that gives them such value?
DATA.
Data is the new value. It has supplanted currency, oil and anything else you can imagine. And it is data that enables us to reap the benefits of these and other companies that ostensibly provide us with new and improved services. But all these new benefits come with a dark side resulting from the necessary exchange of data that makes all these benefits possible. Big Data, in short, is a business.
Looking at a conventional business, we see a company exchanging goods for dollars with subcontractors on the right pursuant to making finished goods which are exchanged on the left with customers for dollars as well.
Data is no different. On the right, we have the specialists: data thieves who focus on specific types of information that they buy and sell to aggregators. Aggregators reassemble identities and fabricate new ones, which they then sell to criminal specialists who may indulge in ransomware, identity theft, mail fraud, etc.
So even if your bank account is overdrawn, your PII still has value.
And it’s global.
These same actors work in state-sponsored organizations, organized crime, terrorist organizations and alone in the basement.
What are they looking for?
These are only the most common data elements sought by would-be criminals. A comprehensive system that would safeguard all this is obviously problematic, but we will talk about some of the things you can do now that will pass a reasonableness test.
Keep in mind that most of the previous slide carries forward to businesses as well but there are additional data points such as those listed here.
So, can we protect ourselves with 100% certainty? The answer is obviously not. The trick is to break the effort into smaller bits. At CyberScout, we talk about:
Minimizing the risks
Monitoring for threats and
Managing the damage when a breach occurs.
OK, this is a seriously corny slide but the message is serious.
When we talk insurance, we talk about property, liability, health and life. In short, the industry serves up every possible angle to make sure we have a holistic solution to protect our assets, our families and ourselves. Dieting doesn’t work without exercise. Making money is half the battle, investing our savings is the other.
Cyber Security is no different. To be successful, we need to take a holistic approach. At CyberScout, we call that the 3 M’s: minimizing the risks, monitoring for danger and managing the damage. And this applies to individuals as well as businesses. Let’s take a look.
Today, no board or C-suite can ignore cybersecurity – they are ultimately responsible for the cybersecurity posture of their organization; they oversee risk and must now view cyber risk as a component of their overall enterprise risk management process rather than a compliance issue.
The Board of Directors should NOT insist on Cybersecurity Policies, Plans, and Procedures that are complex and deeply technical, especially if it means they would need to bring in outside consultants to be able to understand the results.
Understand the legal and liability implications of cyber risk as they apply to the company's specific situation.
Discussions about cyber risk management should be given regular and adequate time at the executive level.
It is important for senior leaders to set a positive tone and communicate an organization’s values from the top and throughout the entire enterprise to employees and stakeholders, and also to business partners, vendors, and other third parties. They must understand how security fits into business, and how business fits into security.
While cybersecurity is a shared responsibility, creating a culture of security that prioritizes addressing cyber risks across the entire organization must start from the top. If management is committed to a culture and environment that embraces honesty, integrity, security, and ethics, employees are more likely to uphold those same values.
Know where all the sensitive data (“crown jewels”) are stored, who has access to them, and how they’re being protected.
3. Adopt a risk-based approach: shift the focus to proactively identifying risks; audits are not sufficient.
4. Conduct a cost-benefit analysis of the potential direct and indirect costs of cyber incidents to the organization; this may help justify increased financial and human resources dedicated to managing specific cyber risks.
For all these reasons, cybersecurity has to be considered one of the most important aspects of managing organizations of all sizes in all sectors, with duties and responsibilities extending throughout every level of the workforce.
Risk management is the process of identifying, assessing, prioritizing, and addressing risks BEFORE a negative event occurs.
Any organization that is serious about security will view cyber risk management as an integral component of its ongoing risk management process.
Risk Management is not something you do just once! Organizations that align security with their business objectives can drive business success with risk mitigation.
Achieving cybersecurity is a complex and never-ending task. While there is no silver bullet solution to protect every organization from all cyber risks, staying informed, educating all employees about cybersecurity, and promoting best cybersecurity practices are probably the most effective solutions any organization can adopt.
One of the first things all organizations need to do is align their business objectives with their security needs, measure the losses due to cyber insecurity, and make cybersecurity part of the overall corporate planning process. Security controls should be in place to enable the business, and to make sure they are not slowing down production or countering efficiency.
As we continue to promote broadband and innovation strategies in the name of innovation, efficiency, productivity, convenience, and GDP growth, we MUST also measure the losses due to cyber insecurity. Cyber insecurity is a “tax on growth.”
No company, regardless of its size or sector, is immune to cyber incidents that can hurt their brand, customer confidence, reputation and, ultimately, their business.
Whether they are the victims of a data breach or a larger cyber-attack that causes disruption of service or destruction of property, it is imperative organizations stay proactive and have a clear, detailed, and well-exercised incident response plan before a breach happens.
Incident response is the process of responding to and analyzing incidents and mitigating an incident’s effect on an organization. Every organization should establish and implement an Incident Response Plan (IRP), to be carried out mainly by an Incident Response Team and overseen by senior management.
It is important that organizations create policies, plans, and procedures related to incident response with management buy-in and that integrate cybersecurity front and center in an organization's overall strategy.
While cyber risks, as with all risks, cannot be completely eliminated, they can be managed through informed decision-making processes, careful planning, and appropriate allocation of resources.
The National Institute of Standards and Technology (NIST), part of the US Department of Commerce, creates information security standards and guidelines.
While one size doesn’t fit all, there are plenty of independently-validated best practices, security controls, assessment tools, reference guides, benchmarks, and other resources available to help you defend your organization and be prepared to respond to significant data breaches and other cyber attacks.
Consider the following foundational references and select the ones that best apply to your needs.
Other cybersecurity standards are evolving and being developed by different industries.
Understanding the threat landscape and staying abreast of the latest techniques and vulnerabilities can help organizations better prepare their defenses and better allocate human and financial resources to minimize cyber risks.
Multiple organizations publish regular reports and studies on cyber threats and emerging trends in cyberspace, specific industry patterns, and new techniques, tools, and tactics used by attackers to breach systems, and offer valuable recommendations and lessons learned from the field.
A 2016 Ponemon Institute study found that the average total cost of a data breach grew from $6.5 million to $7 million, or $221 per stolen record.
By 2020, the average cost of a data breach will amount to $150 million.
A 2016 PwC survey found that more than half of US companies have experienced some type of cyber incident – and I am guessing that the other half has been compromised too but just doesn’t know it.
67% of victim organizations are notified by external entities (customers, security bloggers, law enforcement).
Hackers release a new malware variant every 200ms; that is 27K during this webinar.
Let’s go through similar steps for individuals.
Like it or not, we are each the CIO, CISO and CEO of our own households. While this slide references families, cybersecurity starts by adopting these action items for ourselves.
Appreciate that cyber security is constantly evolving. Just as we re-evaluate insurance needs, so too should we be looking at cyber. Every time we bring a new, wired appliance into the house, add an account of any kind, extend access to anyone…all these are triggers for re-evaluation.
Get preachy! Tell your friends and loved ones what you are doing to be more secure. Why? Well, it’s a nice thing to do, but it’s also self-defense. A link on Facebook, LinkedIn or any other social network adds to your vulnerability. Should you stop? No. Should you take precautions? Yes.
So, think about the three Ms and start down the path. You can’t guarantee protection any more than you can protect a home from the weather, but you can make it harder for damage to occur.
So, here are some immediate action items you can do now.
What’s the difference?
In the US, privacy is sort of a negative right… the Constitution offers redress in the event you are compromised.
In Europe, it’s a positive right… violators of your privacy can be prosecuted even if you haven’t suffered any damages.
…and that is especially significant for marketers.
In the absence of a “right to privacy”, the US has, over time, created a patchwork quilt of federal and state laws to close the gaps. These are just a few.
Here are more regulations relating to business and privacy but again, it’s worth noting that these are designed to give us redress when we believe we have been damaged.
Some of the key employment laws related to security and policies:
Intellectual property law
Need for written policies to properly care for and handle IP, commensurate with its value (based on the type and sensitivity)
Sign non-disclosure agreements
Protect from industrial espionage, electronic surveillance, spying
Electronic monitoring of employees to increase security
Virtual workers work away from the office almost always using some sort of technology and media. This type of work has major implications for security.
Ensuring confidentiality of work products, from customer data to trade secrets, residing on laptops or smartphones that can be easily lost or stolen.
Employees may post information or comments in newsgroups, blogs or social media that may affect the company. They may use these means inappropriately by disseminating harmful information, infringing on copyrights or patents, harassing others, or conducting corporate espionage or insider trading.
If an employee violates the law, it may open a company to either civil (compensation for injuries to individuals or corporations) or criminal liabilities (punishment for inflicting injuries on others), or both.
Ability of management to monitor and control employees’ security behavior by monitoring files and emails, web access, and voice mail in the workplace and remotely.
The US Constitution does not contain specific provisions that explicitly define privacy rights in terms of personal information or data.
Managers should know what is permissible regarding employee monitoring.
Europe, effective May 25th, has taken a much more proactive and different approach. The GDPR affirms that your PII is yours and, therefore, you are the only one who can authorize its use. Consequently, any unauthorized use is a violation of law regardless of the consequences, or lack of consequences, to you.
What does this mean for demand creators?
To comply, we must meet the requirements listed here. That means driving a data management strategy with your IT counterparts who, more than likely, have been more concerned with protecting the data than with its actual use. Who, within your corporation, owns these responsibilities? Marketing or IT?
…and what forms of governance must be undertaken to make sure we are in continual compliance?
Europe is way ahead of the US on these issues but nowhere near completion, despite the May deadline.
US companies doing business in the EU are NOT exempt. I repeat, if you’re doing business in the EU, then you, too, must comply with GDPR.
Do the rest of us have to comply? I think we will have to eventually, given globalization and our increasing preoccupation with privacy. In other words, do I as a consumer want to engage with a business that does not demonstrate that they have taken steps to protect my data? As a business, do I want to cede an advantage to my competitors who can demonstrate their commitment to my privacy? These are compelling drivers.
So, as marketers, we are in a unique position to drive these cultural changes within our organization. Leading the charge will help preserve Demand Generation imperatives and avoid restrictions delivered on high from lawyers and technocrats.
For example, what is the future of the opt-in/opt-out debate?
List acquisition is arguably on the ropes. What strategies do we need to devise to get strangers to give us their data? How do we reach them in advance of contact information?
What is the potential marketing effect of good governance? As referenced in the last slide, will I gain points for my company by demonstrating concern for your privacy and your data?
…and in case you don’t appreciate the “right to privacy”, GDPR also comes with some pretty hefty enforcement tools.
I predict we should be seeing some pretty impressive scapegoats by early fall if only to send a compliance message to the rest of us.
So, get ready because this is coming.
Thank you again for having me and I hope this has been informative. Happy to take questions.