NEDMA18 Keynote: Cyber Security – what you need to know, what you need to do
•Download as PPTX, PDF•
2 likes•112 views
It’s no longer a question of whether you will be breached or not. It’s pretty much guaranteed you will be. Brian Chertok, EVP Strategy & Marketing, CyberScout, presented on the topic of cyber threats at NEDMA18, and what businesses and professionals can do to make it tougher on cyber criminals.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to NEDMA18 Keynote: Cyber Security – what you need to know, what you need to do
Similar to NEDMA18 Keynote: Cyber Security – what you need to know, what you need to do (20)
Recently uploaded
Recently uploaded (20)
NEDMA18 Keynote: Cyber Security – what you need to know, what you need to do
- 2. Cyber Security What you need to know, what you need to do.”
- 3. Overview • Introductions • FUD • Understanding Privacy • Fighting Back • Marketing & Privacy 3© CyberScout, LLC. All Rights Reserved — Confidential
- 5. Brian S Chertok | EVP CyberScout Our Mission As trusted partners, we help your customers minimize, monitor and manage identity theft, fraud and cyber risk.
- 6. Company History 2004 Retainer-based identity theft education and resolution services to credit unions Founded Identity Theft 911 2003 Retainer-based identity theft resolution services to large insurance carriers 2005 2006 Continuing education course in identity management for insurance professionals LifeStages 2007 2008 DataRiskStages 2011 eLearning Platform for insurance companies, agents, and policyholders FraudScout 2010 2013 10th anniversary, Privacy XChange Forum and IDT911 Consulting Expands to U.K. and EU 2014 Expands to Montreal, Canada 2012 2017 CyberScout New company name created to meet the needs of growing business Expands into Employee Benefits and Financial Institutions
- 7. Providence, RI New York, NY Montreal, CanadaGalway, Ireland Headquarters Scottsdale, AZ 17.5 Million Households 45 Million Individuals 770,000 Breach Services Customers 660+ Institutions Current Reach
- 8. Enough about me, Who are you? 8© CyberScout, LLC. All Rights Reserved — Confidential C Head in the Sand Gambler Cyber Super Hero
- 9. FUD: Fear Uncertainty and Doubt What is Cyber Crime?
- 10. What is CyberCrime? 10© CyberScout, LLC. All Rights Reserved — Confidential Damages caused by cyber crime from 2001 to 2016. • Attacks on computer systems • Cyber-bullying • Email spam and phishing • Identity theft • Prohibited offensive and illegal content • Online child sexual abuse material • Online scams or fraud • Online trading issues
- 11. What is Cyber Crime? Think you can avoid it? 46% Email account hacked 42% PII used to purchase stuff 36% Social Media Hacked 27% PII Stolen 20% ID Fraud 1 2 3 4 5 49% 29% 15% 5% 2% How many data breaches have you been a victim of? % of SPAM with Ransomware Attachments ©2018 Insurance Post
- 12. What is Cyber Crime? Think you can avoid it? $15 billion in total fraud losses 13.1 million consumers experienced identity fraud Mean fraud cost to consumers $1,147 2016 Javelin Identity Fraud Identity Theft Facts Roughly 1 in 5 breach victims experience fraud
- 13. What is CyberCrime? • Attacks on computer systems • unauthorized access or hacking • Malware • denial of service attacks • Cyber-bullying • posting hurtful messages, images or videos online • repeatedly sending unwanted messages online • sending abusive texts and emails • excluding or intimidating others online • creating fake social networking profiles or websites that are hurtful • nasty online gossip and chat, and • any other form of digital communication which is discriminatory, intimidating, intended to cause hurt or make someone fear for their safety. • Email spam and phishing • Identity theft • Prohibited offensive and illegal content • Online child sexual abuse material • Online trading issues • Online scams or fraud • Unexpected prize scams, • Unexpected money scams, • Dating or romance scams, • Threats and extortion scams, • Jobs and investment scams, and • Identity theft. © CyberScout, LLC. All Rights Reserved — Confidential
- 14. What is Cyber Crime some vocabulary • Phishing: Infected files/malicious links sent through email • Spoofing: Email messages with a forged sender address • Smishing: Infected files/malicious links sent through SMS message • Masquerading: Attack that uses a fake identity, such as a network identity, to gain unauthorized access to personal computer information through legitimate access identification 14© CyberScout, LLC. All Rights Reserved — Confidential
- 15. Phishing Generic Greeting The IRS would never ask for this kind of information via email Hovering over the link shows non-IRS site
- 16. Spear phishing From: Help Desk Sent: Monday, August 4, 2016 8:00 a.m. To: Joe@mycompany.com Subject: System Access Update Dear Joe, Our records indicate you have not changed your password in the last 90 days. If you do not change your password within the next 24 hours, your access to Human Systems will be suspended. To access Human Systems, follow the link below: HTTPS://human-systems-access.mycompany.com/password- update As a reminder: • use complex passwords • Change passwords every 90 days • Do not use passwords that you use on other sites Sincerely, Help Desk Human Systems Login From: Daniel Rais Sent: Wednesday, January 25, 2017 8:00 a.m. To: francesca.spidalieri@salve.edu Subject: Great conference speech! Hi Francesca, I very much enjoyed your recent presentation at the cybersecurity conference and wanted to share with you an interesting article on the same subject, http://www.fordes.com/sites/2017/01/02/cybersecuri ty&riskmanagement/#1e797d807d27 I look forward to meeting you again in the future. Best Regards, Daniel Rais
- 17. If you receive a phishing email • Be aware – Be wary of any urgent or confidential requests. • Think before replying – Never “reply” to the email containing a suspicious request. • Authenticate the sender of the message by contacting him/her by an alternative method (call or walk over their desk). • Get two okays – Contact a different person at the company with whom you have a relationship before authorizing transactions. • Check your sent mail, junk mail, and email account settings regularly for anomalies – Hackers often break into an email account and modify the “email forwarding” settings to forward emails to their own account. • Don’t email sensitive or confidential information – Consider using a secure document sharing or transaction management platform. • Regularly purge your email of unneeded or outdated information – Save any important emails securely. • Alert your bank of any potentially fraudulent transaction. • Educate your family members and your employees about the potential impact of online scams. • Create a process for employees to report phishing incidents. • Remove or quarantine infected machines.
- 18. Ransomware Ransomware is a type of malware that restricts access to an infected computer system • Demands ransom to remove the restrictions • Some forms systematically encrypt files on the system's hard drive • Difficult or impossible to decrypt without paying the ransom for the decryption key, some may simply lock the system and display messages to coax the user into paying • Most ransomware enters the system through attachments to an email message For consideration • Don’t click on unknown links • Keep you anti-virus software up to date • Back up all sensitive information • Employee education
- 19. How to Prevent Ransomware BACK UP YOUR DATA!!
- 20. Understanding Our Vulnerability “Cyber Crime has become the third certainty of life!” (After death and taxes) - Adam Levin, Founder, CyberScout 20© CyberScout, LLC. All Rights Reserved — Confidential Technology is changing what and how we value goods and services: • New innovation technologies (IoT devices, cryptocurrency) • Mobility (smart phones, virtual teams, BYOD) • Regulations & laws (new data breach regulations & privacy laws) • Business and consumer practices (outsourcing, decentralization, globalization, ecommerce)
- 21. Taking Responsibility Non Cyber Protecting Individual Property • Property Insurance • Homeowners Insurance • Automobile Insurance Protecting ourselves • Exercise • Household Maintenance • Brushing your teeth • Lawn Care • Eating well Protecting Business Property • Liability Insurance • Contacts / MSAs. SOWs • Fire Insurance • Property Insurance Protecting Business Activity • Legal Counsel • Collections • Accounting / Finance • Employee Benefits
- 22. Technology is changing the value UPSIDE • Over 3.2 billion Internet users – 60% of world population • Over 87% of Americans are connected to the Internet today • Today, we all have between 4-5 connected devices, but this number will grow to 15-20 devices associate with each one of us by 2020 (over 50 billion worldwide) DOWNSIDE • It takes an average of ~146 days for a hacker to be detected • Last year, cyber attacks cost businesses more than $400 billion and are expected to surpass $2 trillion/year by the end of the decade • Hackers release a new malware variant every 200ms; 27K during this class • The average cost of a lost or stolen record containing sensitive and confidential information is now $158/record (average cost of a data breach $4 million) • A merchant can be fined monthly, up to $100K, for PCI DSS compliance violations
- 23. What is the value proposition for these companies? • Single medium of exchange • Single medium of communication • Single medium of transfer 23© CyberScout, LLC. All Rights Reserved — Confidential Uber AirBNB Doesn’t own any taxis Owns no Content Has no Real Estate Has no Products DATA Facebook Alibaba
- 24. What is CyberCrime It’s a data acquisition business $$$ Goods & Services The Business Finance Sales&Marketing Operations Manufacturing $$$ Goods & Services $$$ Goods & Services $$$ Goods & Services The Business Finance Sales&Marketing Operations Manufacturing The Business Finance Sales&Marketing Operations Manufacturing The Business Finance Sales&Marketing Operations Manufacturing $$$ Ransomware Phishing ID Theft The Aggregator Finance Sales&Marketing Operations Manufacturing BII Finance Sales&Marketing Operations Manufacturing PII Finance Sales&Marketing Operations Manufacturing Finance Sales&Marketing Operations Manufacturing CODE
- 25. …and it’s global • Over 100 countries have the capabilities to conduct disruptive and destructive attacks • Non-state actors are becoming an increasingly dangerous player in cyberspace • Criminal organizations are becoming increasingly sophisticated • Lower technical barriers to entry and low risk of being caught • Objectives Vary: • Organized Crime • Hacktivism • Industrial espionage • Cyber disruption 25© CyberScout, LLC. All Rights Reserved — Confidential
- 26. Your Data for Sale 26© CyberScout, LLC. All Rights Reserved — Confidential Parent Citizen Employee Consumer Investor Patient Internet User Hobbyist Volunteer Social Security No. Government Issued ID Drivers License Passport Birth Certificate Library Card Account Numbers Banks Investment Accounts Credit Cards Birth Date Birth Place Online Information Social ID Passwords Geolocation Mobile Phone GPS Camera Address Physical Email Telephone / Mobile Verification Info Mother’s Maiden Name, High School, Pet’s Name, Kids Medical Records Prescriptions Events Images Roles Certificates Physical Attributes History
- 27. Your Business Data for Sale 27© CyberScout, LLC. All Rights Reserved — Confidential Patents Plans Designs Processes Board of Directors Executives Employees Client Names & Records Accounts Receivables Accounts Payables Financial Statements Bank Accounts LOCs & Credit Cards M&A activity / data Intellectual Property Personnel Financials Partner web sites eCommerce Supply Chain Patient Medical Records Customer Data (see previous slide) Accounts Receivables Accounts Payables Financial Statements Bank Accounts LOCs & Credit Cards M&A activity / data Ecosystem Customers Financials
- 28. The definition of VALUE is changing HOW DO WE PROTECT OUR PRIVACY WHEN WE ARE PAYING WITH DATA? 28© CyberScout, LLC. All Rights Reserved — Confidential
- 29. Changing the Cyber Landscape What can we do to protect ourselves? 29© CyberScout, LLC. All Rights Reserved — Confidential
- 30. Time for a better strategy 30© CyberScout, LLC. All Rights Reserved — Confidential CMINIMIZE the risks of an attack MONITOR for dangers MANAGE the damage
- 31. MINIMIZE the risks of an attack For the Individual • Take a digital inventory and capture who owns what • Phones, computers, tablets, video games • IoT: Alexa, Siri, the Fridge, the Stereo… • Online financial accounts, passwords and who has them • Adopt a flexible AND manageable password scheme • Always accept dual authorization when it is available • Password Keepers/Protectors – they’re cheap and effective • Adopt a new identity – LIE! • Add a variable factor • Back up your data 31© CyberScout, LLC. All Rights Reserved — Confidential
- 32. MINIMIZE the risks of an attack For the Business • Create a Cyber Security Function (dedicated, if possible) • Include IT and Human Resources • Training and Testing • Run Phishing Scams • Post Breach Implementation Plan • Customers • Press / Analysts • Leadership and employees 32© CyberScout, LLC. All Rights Reserved — Confidential
- 33. MONITORING for Businesses and Individuals • Engage in a 3-bureau monitoring service with alerts • Thru your insurance carrier or bank • Through your employee benefits provider • Through a third party vendor • Check bank and credit accounts regularly • Where possible, employ double authentication 33© CyberScout, LLC. All Rights Reserved — Confidential
- 34. MANAGING the Damage • Check with your insurer, your employer or engage the services of a qualified cyber security firm. • Calling you lawyer is rarely the best first line of defense. For businesses • Make a Breach Response Plan BEFORE a breach happens For Individuals • Back up your drives and • Make a call plan BEFORE a breach happens 34© CyberScout, LLC. All Rights Reserved — Confidential
- 35. Let’s Fight Back! For Business 35© CyberScout, LLC. All Rights Reserved — Confidential
- 36. Set the Tone from the Top Organizations must align business objectives with security needs. • Integrate cybersecurity front and center into daily activities, andhor decision-making processes in a holistic and comprehensive manner. • Create a culture of security that starts from the top. • Know where the “crown jewels” are stored, who has access to them, and how they’re being protected. • Understand how security fits into business, and business into security. • Adopt a risk-based approach. 36© CyberScout, LLC. All Rights Reserved — Confidential
- 37. Risk Assessment Ensure that business objectives are balanced against the risks Assets Costs ICT/Internet Enabled Essential Services Fragile (less Resilient) Critical Services E-Banking / E-Commerce E-Crime Mobile & Virtualized Business Environment Intellectual Property Theft Collaborative Platforms Loss of sensitive employee and customer information Social Media Marketing Disruption of Service Broad Supply Chain Manipulated Supply Chain 37© CyberScout, LLC. All Rights Reserved — Confidential Business objectives should be balanced with security activities in order to drive business success with risk mitigation.
- 38. Your Risk Management To-Do List 38 Cybersecurity Awareness and Education across the entire organization – Cybersecurity is a shared responsibility! • Don’t collect data unless you need it and get rid of data as soon as of no use • Configure your system appropriately • Encrypt private personal data • Back up, back up, back up Conduct a risk analysis to determine weaknesses • Know where your “crown jewels” are and prioritize most important assets • Monitoring and early detection • Exercises and red teaming Develop a comprehensive Enterprise Risk Management (ERM) Plan that includes cyber risks • Build a framework for Incident Response and resilience • Develop a Business Continuity Plan (BCP) • Data/Document Retention and Destruction Plan • Data Security and Privacy Awareness Program MINIMIZE Reduce Risk/Exposure (proactive measures) MONITOR Risk Assessment MANAGE Documentation/ Programs
- 39. Develop a Framework for Incident Response • Preparation: Define roles & responsibilities • Identification / Detection / Notification:: Know how to identify/verify that an incident has occurred and what data has been compromised • Containment & Eradication: Mitigate damages and remove the threat • Activate Business Continuity Plan (BCP) • Implement Disaster Recovery Plan (DRP) • Determine legal implications (notification) • Follow-up & lessons-learned • Documentation & Reporting • Review & update incident response plan
- 40. Stay Current with Best Practices Applicable frameworks, benchmarks, assessment tools, reference guides • NIST Cybersecurity Framework • NIST Special Publication 800 series • Center for Internet Security (CIS) Controls for Effective Cyber Defense • International Organization for Standardization (ISO) standards • Control Objectives for Information Technology (CoBIT) standards • DHS Cybersecurity Evaluation Toolkits • Health Trust Alliance (HITRUST) Common Security Framework (CSF) • Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool • ISACA • SANS
- 41. Stay Informed and Plan Your Defenses • Widening gap between compromise and discovery times • Growing number of healthcare breaches • Rise of collateral damages • Growing number of corporate extortion • Increase of third party risks
- 42. Let’s Fight Back! For Individuals 42© CyberScout, LLC. All Rights Reserved — Confidential
- 43. Set the Tone from the Top Parents and Caregivers must explain the risks to justify “digital rules” and required behaviors. • Discuss cybersecurity early and often - weave into daily activities. • Create a sense of responsibility leading by example and demanding adherence. • Know where the “crown jewels” are stored, who has access to them, and how they’re being protected. • Understand how security fits into daily life, and daily life into security. 43© CyberScout, LLC. All Rights Reserved — Confidential
- 44. Your Risk Management To-Do List 44 Cybersecurity Awareness and Education across the entire family – Cybersecurity is a shared responsibility! • Don’t collect data unless you need it and get rid of data as soon as of no use • Configure your systems appropriately – change default settings • Encrypt private personal data • Back up, back up, back up Conduct a risk analysis to determine weaknesses • Know where your “crown jewels” are and prioritize most important assets • Monitoring and early detection • Exercises and red teaming Develop a comprehensive household Plan that includes cyber risks • Know who to call in the event of a breach • Back up all vital information • Data Security and Privacy Awareness Program MINIMIZE Reduce Risk/Exposure (proactive measures) MONITOR Risk Assessment MANAGE Documentation/ Programs
- 45. Your Risk Management To-Do List • LIE! Adopt an alternative identity for your Social Media Profile • Adopt a stronger password strategy • Best: Random, Encrypted, Updated, Unique to every site • Better: Random, Updated and Unique • Good: Not random but unique to every sight • Password Protect your WiFi • Change the defaults on ALL wired appliances • Use Double Authentication wherever available • Monitor ALL your accounts on a weekly basis 45© CyberScout, LLC. All Rights Reserved — Confidential
- 46. MARKETING 46© CyberScout, LLC. All Rights Reserved — Confidential
- 47. In the European Union, privacy is a right—to protect one’s decency, one’s innocence. Understanding Privacy 47© CyberScout, LLC. All Rights Reserved — Confidential In the US, Privacy is NOT a right. The 4th Amendment protects from unlawful search and seizure only. The 5th protects us from self-incrimination
- 48. Cyber Law & Cybercrime • U.S. Compliance Law • FISMA • HIPAA • Gramm-Leach-Bliley Act (GLBA) • Federal Cyber Crime Statute 18 U.S. Code 1030 • It is a crime to knowingly access a computer without authorization or to illegally access and use personally identifiable information, intellectual property, financial records, medical records. 48© CyberScout, LLC. All Rights Reserved — Confidential
- 49. Other laws influencing information security in the U.S. • Electronic monitoring of employees • Intellectual Property Law • Corporate proprietary information, such as trade secrets, copyrights, branding, trademarks, patents, etc. • Payment Card Industry Data Security • not a law • Family Educational Rights and Privacy Act • Children's Internet Protection Act • Sarbanes-Oxley Act
- 50. GDPR General Data Protection Regulation The General Data Protection Regulation (GDPR) is European Union legislation that will begin to be enforced on May 25, 2018. Its aim is to strengthen the rights of data subjects within the European Union (EU) and European Economic Area (EEA) with regard to how their personal data is used and how it’s protected. (‘Personal data’ means any information that relates to an identified or identifiable natural person). © CyberScout, LLC. All Rights Reserved — Confidential 50
- 51. GDPR Key Principles 1. Transparency on how data will be used and what it will be used for. 2. Ensuring that the data collected is used only for the purposes explicitly specified at the time of collection. 3. Limiting the data collection to what is necessary to serve the purpose for which it is collected. 4. Ensuring the data is accurate. 5. Storing the data for only as long as necessary within its intended purpose. 6. Prevention against unauthorized use or accidental loss of the data through the deployment of appropriate security measures. © CyberScout, LLC. All Rights Reserved — Confidential 51 Source: Marketo, GDPR and the Marketer – A Practical Guide
- 52. GDPR General Data Protection Regulation Opt-in will become the “legal” basis for list acquisition • What does this mean for • New markets • Lead nurturing • Lead Management (eg: resuscitation, acceleration, disposition) • Data Management • Can Privacy Policies be used as a marketing tool • Good Housekeeping seal • Safety / Security © CyberScout, LLC. All Rights Reserved — Confidential 52
- 53. Compliance Penalties for non-compliance are significant, with large fines for those in breach of the regulation: the maximum fine for a single breach is €20 million or 4% of annual worldwide turnover, whichever is greater. 53© CyberScout, LLC. All Rights Reserved — Confidential
- 54. QUESTIONS? • Brian S Chertok | EVP Strategy & Marketing • bchertok@cyberscout.com • 401.680.4070
Editor's Notes
- Good afternoon and thank you for having me. Thank you NEDMA and, in particular, Pat and Beth.
- We’re here to talk about Cyber Crime and, of course, Cyber Security. As we head down the path of cyber crime, will talk about the risks to both individuals such as you and me and to businesses. Likewise, we’ll look at the steps we can take to make it harder on Cyber Criminals and to lessen the likelihood that our families and businesses will be impacted. In addition, we’ll talk about the changing regulatory environment specifically from a marketing point of view. As anxiety over customer privacy intensifies, how will this effect demand generation. As we’ll see, there are no simple answers. So let’s begin…
- Who am I?
- My name is Brian Chertok and I am a 25 year, global B2B marketer for technology companies that included Avid Technology, Cognos, Kronos and now CyberScout I have degrees in communications and business from Pratt Institute and Columbia University respectively. On the lighter side, I collect toy taxis from all over the world (some 125 and counting) and enjoy jazz in most of its forms. For three years, I have been the EVP of Strategy and Marketing for CyberScout.
- For 15 years, we have been helping companies protect their customers and employees MINIMIZE, MONITOR and MANAGE identity theft, fraud and Cyber risks. We help Minimize their exposure to cyber risk, providing you with education and cost-effective technology solutions, Enable you to Monitor personal information with a flexible platform providing fraud-focused defense services; And finally, Manage the damage to your identity, privacy, and security in the event of a breach, with personal advocacy from CyberScout’s award-winning team. Today, CyberScout remains at the forefront of the industry, employing new technologies and practices to ensure clients and their customers have the latest tools to protect the privacy and security of their most valuable assets.
- We provide data risk prevention and remediation services to more than 770,000 businesses, including: Insurance carriers, financial institutions, credit unions, healthcare, and employee benefit providers Many Fortune 500, as well as small to midsize companies Our expert fraud resolution team provides service to more than 17.5 million households nationwide, covering: Nearly 45 million Americans 15% of U.S. households 45% of the P&C insurance marketplace Now, let’s talk about you!
- When I talk to friends, customers and conferences like these, I find the vast majority of us fall into 2 of three categories and this is understandable. With all the noise about data breaches, identity theft and related frauds, along with systems that are clearly lagging in their ability to offer protection, it’s no wonder that we either choose to put our heads in the sand or simply take our chances. Oh, and that guy in the middle, he really doesn’t exist! But hopefully, by the end of this presentation, you will all have more in common with him than with the other two. Let’s talk about Mr. Head in the Sand. When people discover I’m in Cyber Security, many will sluff off the risks saying, “ they’re too small to be noticed” or “haven’t got enough assets to be worth anyone's wile.” For those of you out there, I hope, by the end of this presentation that you understand there is no such thing as too small or insignificant. Now the Gambler is slightly different. They acknowledge that they may be a worthy target but have given up on their ability to defend themselves arguing that they will rely on the theory of large numbers for protection instead. I’ll just feel the breeze of the bullet as it passes me by.. Like Mr Head-in0the-Sand, this, too is a failed strategy. Before we talk about Mr. Cyber Hero here, let’s shift gears and get an operating definition of what cyber crime is in order to understand the risks we face.
- As marketers, we all know what FUD is. It’s the “promise of certain danger” if you do not take a specific action such as buying a product or service. Make no mistake, what follows is FUD – a real promise of the dangers we all face out in cyber space.
- Cyber Crime, as a category, is growing, both in frequency and in variations. Quite simply, we are in a game of walls and ladders. We build higher walls and the bad guys get bigger ladders. That’s important because dealing with Cyber Crime is not a static exercise. That being said, we can currently assign various types of crime to the 8 general categories listed here. Some are obviously heinous and deplorable. Others can range from simple nuisance to serious impact to one’s livelihood and assets. We’ll get into definitions more precisely later on.
- Finding charts on the incidences of CyberCrime is honestly a slam dunk. There is no shortage and virtually all of them make the case shown here. All forms of Cyber Crime are on the rise and show no signs of tapering off. Oh, by the way, we need to define our first acronym: PII or Personally Identifiable Information. This refers to the broad category of information that is specific to us. Want more?
- It is estimated that the Equifax Breach affected 187million people. Actually, I believe I just read that the number is short of current estimates… but let’s go with it for a minute. Equifax is one of 3 Credit Bureaus including Experian and TransUnion. These 3 companies have a monopoly on the information you need to qualify for banks, hospitals, mortgage companies and employers, etc. – this is where your credit score comes from. So, suffice it to say, they hold all of the PII in the country. Now let’s revisit that 187million. Currently, The US boasts 325 million citizens. Approximately 75 million are children. That leaves 250. Approximately 10 million are unemployed, and another 5million have stopped looking. Add 600K homeless and the number of addressable records for employed Americans falls to 234. So, if you’re an employed American, there is an 80% chance that your PII was part of the Equifax Breach. So, to the gamblers out there… still think you haven’t been breached? Add TJX Corporation, Sony, Sears, and on and on and you get the picture. This morning, I also read that Cambridge Analytica, the company that acquired Facebook data kept it all on unprotected servers which, experts now believe may have been breached on several occasions. And by the way. If your data has, in fact been compromised, you have a 71% greater chance of being victimized by CyberCrime. So, it’s probably safe to say to all you gamblers out there that the cyber bullet has actually struck it’s target as opposed to passing you by.
- Back to definitions. I’ve broken out a few so you can get a better understanding of the range of crimes out there. Malware can result in harmless popups or, as we shall see, bring your systems to a crashing halt. CyberBullying is not just for school children although I would hasten that that is bad enough. Imagine any of this happening in the workplace. And we’ve come a long way from the prince of Nigeria who is still anxious to receive your PII in return for money that will benefit you and save his kingdom. Imagine a company controller getting emails from the CEO who is known to be travelling that he or she needs money wired right away or that Failure to pay Canadian taxes will result in sharp fines. All of this is done on emails that, absent one errant character, look like the real deal. To be clear, I am not making any of this up.
- Here is some additional vocabulary that may have crossed your path. Don’t worry, there is no quiz at the end of my presentation and further, no reason to remember these terms necessarily. What matters is that your awareness gets raised and that you begin viewing all emails with greater suspicion. To be clear, any email that: Asks for PII Requires clicking on a link to progress Or comes from an “official-looking” source Should warrant a thorough examination before taking action. Slow down and proceed with caution. It could save you hundreds of thousands of dollars, your business’ reputation and then some.
- Let’s look at an example: This official looking email has all the clues hiding in plain sight. First of all, the IRS wouldn't send a notification about a potential problem or unexpected refund via email. In fact, the IRS will never initiate contact with you via email. You won't receive an audit notice or request for additional information via email. These emails are intended to either harvest information from you in order to steal your identity or they may contain malware or spyware. Let’s look at the warning signs: The IRS knows who you are. A generic greeting would never be used. The IRS does not do auto-deposit via email. They send checks. Often, hovering over the link will reveal a location not affiliated with the government.
- Spear phishing is an email that appears to be from an individual, business, or department that you know. But it isn't. It's from the same criminal hackers who want your credit card and bank account numbers, passwords, and the financial information on your computer. The criminal thrives on familiarity. He knows your name, your email address, and at least a little about you. The salutation on the email message is likely to be personalized: "Hi Francesca" instead of "Dear …." The email may make reference to a recent event or a recent online purchase you've made. Because the email seems to come from someone you know, you may be less vigilant and give them the information they ask for. And when it's a company/department you know asking for urgent action, you may be tempted to act before thinking. How do you become a target of spear phishing? From the information you or your organization put on the Internet. For example, they might scan social media, find your FB page, your email address, and a recent post about your speaking engagement. Using that information, a spear phisher could pose as a friend or acquaint, send you an email, and ask you for credentials or to click on a link. Keep Your Secrets Secret How safe you and your information remain depends in part on you being careful. Take a look at your online presence. How much information is out there about you that could be pieced together to scam you? Your name? Email address? Friends' names? Are you on, for example, any of the popular social networking sites? Take a look at your posts. Anything there you don't want a scammer to know? Or have you posted something on a friend's page that might reveal too much? We’ll talk about managing profiles later on.
- So, what’s a guy or gal to do? Be wary of any urgent or confidential requests. If something looks fishy to you, it probably is. No alert is considered unnecessary. Think before replying - Never “reply” to the email containing a suspicious request. That opens the door to the fraudster. Using a slightly altered executive email address is a tactic commonly used by crooks. Authenticate - Validate by phone any beneficiary or address changes from vendors. Or ask another person at the company to create a new email to confirm the change. Get two okays - No matter the size of the company, dual authorization should, at a minimum, be implemented for certain transactions. Alert your bank - It’s essential to tell banks so proper action is taken to stop the wire or prevent more wires from being sent inappropriately. Remove the dirty PC - Once a machine is compromised, take it off the company’s network until it’s been cleaned of malware.
- Another threat emerging for the business world is Ransomware - computer malware that encrypts files on your PC or Network It is frequently deployed through attachments in emails. And difficult or impossible to remove without the decryption key On the top right you will see a sample message from a system infected with CryptoLocker. You see a message with a countdown clock. The second message shows how to pay for the keys to unlock your computer It shows the updated timer on the countdown clock. The ransom amount could go from several hundred dollars to a few thousand dollars. There is evidence that the fraudsters are learning that the businesses are able to pay more than consumers. They research the victims who have downloaded the ransomware And have been known to charge more to businesses. The protections needed for ransomware are the same as other Malicious software Don’t click on unknown links Keep you anti-virus software up to date Employee education BUT ABOVE ALL….
- This goes for businesses and individuals alike. Folks, for a few $100 bucks, you can buy an external drive and run a back up once a week or twice a month. For employees, check with your IT department to make sure your systems are being backed up.. Often, backups are limited to shared servers. Get your desktop updated regularly as well. Now, how do I say this without being combative. Of all crimes, Ransomware is the easiest to thwart and is often the most difficult to avoid paying when no backup exists. Secure a backup protocol asap… please. We’ve now looked at the variety of cybercrimes out there, and the rate at which variations and incidences are growing. Have I convinced you that our two strategies, head-in-the-sand and gambling will not work?
- In fact, our chairman at CyberScout, Mr. Adam Levin, has coined “third certainty” in regards to CyberCrime. We know the first two certainties are death and taxes. Actuarially speaking, Cyber Crime is the third. To understand why this is so, we need to understand how data and the use of data have changed… changed in ways that both enrich our lives while endangering us simultaneously. Before we continue… anyone overwhelmed? Anyone questioning how we could possibly protect ourselves or how much time and expense are required? Let’s step away form CyberCrime for a minute and look at a proxy… something similar to CyberCrime that we have already conquered.
- Today, we have things… expensive things, irreplaceable things that are continually under threat—from theft, wear and tear, acts of G-d, etc. And so, we have developed steps to protect or replace both our property and ourselves. In fact, we have created systems and constructs that allow us to do this with minimal interference with our day jobs and primary responsibilities. We have processes and technologies that, in effect, allow us to “set it and forget it”. We can do the same to combat cybercrime. So, take a breath, the official FUD section of this presentation is over and we are now going to begin to develop an understanding of how to protect our cyber-identities, just as we have our homes, our cars, our bodies, and our businesses.
- Let’s talk about technology and data. Today, we no longer drive cars, we drive computers on wheels. Seriously, wires no longer connect your headlights to a circuit. Today, they are managed by a central computer along with everything else. We are bring interconnected Doorbells, home assistants, digital cameras and all sorts of appliances into our homes and, of course, we are taking all this computer power with us in our pockets and hand bags. All of this creates benefit and vulnerability. In short, for all but a few, going off the grid is not an option. Here’s why.
- Take a look at these 4 companies – all changing the way we do business. What do they have in common? Well, are they what they say they are? After all, Uber is a taxi company with no cars. Facebook is a content company with no content. AirBnB is a hotel company with no real estate and Alibaba is a product company with no products. And yet, these are 4 of the most profitable companies on the planet. What is it that they possess that gives them such value? DATA. Data is the new value. It has supplanted currency, oil and anything else you can imagine. And it is data that enables us to reap the benefits of these and other companies that ostensibly provide us with new and improved services. But all these new benefits come with a dark side resulting from the necessary exchange of data that makes all these benefits possible. Big Data, in short, is a business.
- Looking at a conventional business, we see a company exchanging goods for dollars with subcontractors on the right pursuant to making finished goods which are exchanged on the left with customers for dollars as well. Data is no different. On the right, we have the specialists. Data thieves how focus on specific types of information that they buy and sell to aggregators. Aggregators reassemble identities and fabricate new ones which they then sell to criminal specialists who may indulge in ransomware, identity theft, mail fraud, etc. So even if your bank account is overdrawn, your PII still has value.
- And it’s global. These same actors work in state-sponsored organizations, organized crime, terrorist organizations and alone in the basement. What are they looking for?
- These are only the most common data elements sought by would be criminals. A comprehensive system that would safeguard all this is obviously problematic but we will talk about some of the things you can do now that will pass a reasonableness test.
- Keep in mind that most of the previous slide carries forward to businesses as well but there are additional data points such as those listed here.
- So, can we protect ourselves to within 100% degree of certainty. The answer is obviously not. The trick is to break the effort into smaller bits. At CyberScout, we talk about: Minimizing the risks Monitoring for threats and Managing the damage when a breach occurs.
- OK, this is a seriously corny slide but the message is serious. When we talk insurance, we talk about property, liability, health and life. In short, the industry serves up every possible angle to make sure we have a holistic solution to protect our assets, our families and ourselves. Dieting doesn’t work without exercise. Making money is half the battle, investing our savings is the other. Cyber Security is no different. To be successful, we need to take a holistic approach. At CyberScout, we call that the 3m’s: minimizing the risks, monitoring for danger and managing the damage. And this applies to both individuals as well as businesses. Let’s take a look.
- Today, no board or C-suite can ignore cybersecurity – they are ultimately responsible for the cybersecurity posture of their organization; they oversee risk and must now view cyber risk as a component of their overall enterprise risk management process rather than a compliance issue. The Board of Directors should NOT insist on Cybersecurity Policies, Plans, and Procedures that are complex and deeply technical, especially if it means they would need to bring in outside consultants to be able to understand the results. Understand the legal and liability implications of cyber risk as they apply to the company specific situation. Discussions about cyber risk management should be given regular and adequate time at the executive level. It is important for senior leaders to set a positive tone and communicate an organization’s values from the top and throughout the entire enterprise to employees and stakeholders, and also to business partners, vendors, and other third parties. They must understand how security fits into business, and how business fits into security. While cybersecurity is a shared responsibilities, creating a culture of security that prioritizes addressing cyber risks across the entire organization must start from the top. If management is committed to a culture and environment that embraces honesty, integrity, security, and ethics, employees are more likely to uphold those same values. Know where all the sensitive data (“crown jewels”) are stored, who has access to them, and how they’re being protected. 3. Adopt a risk-based approach—shift the focus to proactively identify risks audits are not sufficient. 4. Conduct a cost-benefit analysis of the potential direct and indirect costs of cyber incidents to the organizations--this may help justify increased financial and human resources dedicated to managing specific cyber risks.
- For all these reasons, cybersecurity has to be considered one of the most important aspects of managing organizations of all sizes in all sectors, with duties and responsibilities extending throughout every level of the workforce. Risk management is the process of identifying, assessing, prioritizing, and addressing risks BEFORE a negative event occurs. Any organization that is serious about security will view cyber risk management as an integral component of its ongoing risk management process. Risk Management is not something you do just once! Organizations that align security with their business objectives can drive business success with risk mitigation. Achieving cybersecurity is a complex and never-ending task. While there is no silver bullet solution to protect every organization from all cyber risks, staying informed, educating all employees about cybersecurity, and promoting best cybersecurity practices are probably the most effective solutions any organization can adopt. One of the first things all organization need to do is aligning their business objectives with their security needs, measure the losses due to cyber insecurity, and make cybersecurity part of the overall corporate planning process. Security controls should be in place to enable the business, and to make sure they are not slowing down production or countering efficiency. As we continue to promote broadband and innovation strategies in the name of innovation, efficiency, productivity, convenience, and GDP growth; we MUST also measure the losses due to cyber insecurity. Cyber insecurity is a “tax on growth.”
- No company, regardless of its size or sector, is immune to cyber incidents that can hurt their brand, customer confidence, reputation and, ultimately, their business. Whether they are the victims of a data breach or a larger cyber-attack that causes disruption of service or destruction of property, it is imperative organizations stay proactive and have a clear, detailed, and well-exercised incident response plan before a breach happens. Incident response is the process of responding and analyzing incidents and mitigating an incident’s effect on an organization. Every organization should implement and establish an Incident Response Plan (IRP) to be carried out mainly by an Incident Response Team and overseen by senior management. It is important that organizations create policies, plans, and procedures related to incident response with management buy-in and that integrate cybersecurity front and center in an organization's overall strategy.
- While cyber risks, as with all risks, cannot be completely eliminated, they can be managed through informed decision-making processes, careful planning, and appropriate allocation of resources. The National Institute of Standards and Technology (NIST), part of the US Department of Commerce, creates information security standards and guidelines. . While one size doesn’t fit all, there are plenty of independently-validated best practices, security controls, assessment tools, reference guides, benchmarks, and other resources available to help you defend your organization and be prepared to respond to significant data breaches and other cyber attacks. Consider the following fundational references and select the ones that best apply to your needs. Other cybersecurity standards are evolving and being develped by different industries.
- Understanding the threat landscape and staying abreast of the latest techniques and vulnerabilities can help organizations better prepare their defenses and better allocate human and financial resources to minimize cyber risks. Multiple organizations publish regular reports and studies on cyber threats and emerging trends in cyberspace, specific industry patters, new techniques, tools, and tactics used by attackers to breach systems, and offer valuable recommendations and lessons learned from the field. Ponemon Institute 2016 study found that the average total cost of a data breach grew from $6.5 million to $7 million; $221 per stolen record. By 2020, the average cost of a data breach will amount to $150 million. A 2016 PwC survey found that more than half of US companies have experienced some type of cyber incident – and I am guessing that the other half has been compromised too but just doesn’t know it. 67% of victim organizations are notified by external entities (customers, security bloggers, law enforcement) Hackers release a new malware variant every 200ms; 27K during this Webinar.
- Let’s go through similar steps for individuals.
- Like it or not, we are each the CIO, CISO and CEO of our own households. While this slide references families, cybersecurity starts by adopting these action items for ourselves. Appreciate that cyber security is constantly evolving. Just as we re-evaluate insurance needs, so too should we be looking at cyber. Every time we bring a new, wired appliance into the house, add an account of any kind, extend access to anyone…all these are triggers for re-evaluation. Get preachy! Tell you friends and loved ones what you are doing to be more secure. Why? Well, it’s a nice thing to do but it’s also self defense. A link on facebook, LinkedIn or any other social network adds to your vulnerability. Should you stop? No. Should you take precautions… yes.
- So, think about the three Ms and start down the path. You can’t guarantee protection anymore than you can protect a home from the weather, but you han make it harder for damage to occur.
- So, here are some immediate action items you can do now.
- What’s the difference? In the US, privacy is sort of a negative right… the constitution offers redress in the event you are compromised. In Europe, it’s a positive right… violators of your privacy can be prosecuted even if you haven’t suffered any damages. …and that is especially significant for marketers.
- In the absence of a “right to privacy”, the US has, over time, created a patchwork quilt of federal and state laws to close the gaps. These are just a few.
- Here are more regulations relating to business and privacy but again, it’s worth noting that these are designed to give us redress when we believe we have been damaged. Some of the key employment law related to security and policies: Intellectual property law Need for written policies to properly care and handle IP, commensurate with its value (based on the type and sensitivity) Sign non-disclosure agreements Protect from industrial espionage, electronic surveillance, spying Electronic monitoring of employees to increase security Virtual workers work away from the office almost always using some sort of technology and media. This type of work has major implications for security. Ensuring confidentiality of work products, from customer data to trade secrets, residing on laptops or smartphones that can be easily lost or stolen. Employees may post information or comments in newsgroups, blogs or social media that may affect the company. They may use these means inappropriately by disseminating harmful information, infringing on copyrights or patents, harass others, conduct corporate espionage or insider trading If an employee violates the law, it may open a company to either civil (compensation for injuries to individuals or corporations) or criminal liabilities (punishment for inflicting injuries on others), or both. Ability of management to monitor and control employees’ security behavior monitoring files and emails, web access, voice mail in the work place and remotely. The US Constitution does not contain specific provisions that explicitly define privacy rights in terms of personal information or data. Managers should know what is permissible regarding employee monitoring
- Europe, effective May 25th, has taken a much more pro-active and different approach. The GDPR affirms that your PII is yours and therefore, you are the only one that can authorize it’s use. Consequently, any unauthorized use is a violation of law regardless of the consequences or lack of consequences to you. What does this mean for demand creators?
- To comply, we must meet the requirements listed here. That means driving a data management strategy with your IT counterparts who, more than likely, have been more concerned with protecting the data than it’s actual use. Who, within your corporation, owns these responsibilities? Marketing or IT? …and what forms of governance must be undertaken to make sure we are in continual compliance? Europe is way ahead of the US on these issues but nowhere near completion, despite the May deadline. US countries, doing business in the EU are NOT exempt. I repeat, if you’re doing business in the EU, than you, too, must comply with GDPR. Do the rest of us have to comply. I think we will have to eventually given globalization and our increasing preoccupation with privacy. In other words, do I as a consumer want to engage with a business that does not demonstrate that they have taken steps to protect my data? As a business, do I want to cede an advantage to my competitors who can demonstrate their commitment to my privacy? These are compelling drivers. So, as marketers, we are in a unique position to drive these cultural changes within our organization. Leading the charge will help preserve Demand Generation imperatives and avoid restrictions delivered on high from lawyers and technocrats.
- For example, what is the future of the opt-in/opt-out debate? List acquisition is arguably on the ropes. What strategies do we need to devise to get strangers to give us their data? How do we reach them in advance of contact information? What is the potential marketing effect of good governance? As a referenced in the last slide, will I gain points for my company by demonstrating concern for your privacy and your data?
- …and in case you don’t appreciate the “right to privacy”, GDPR also comes with some pretty hefty enforcement tools. I predict we should be seeing some pretty impressive scapegoats by early fall if only to send a compliance message to the rest of us. So, get ready because this is coming.
- Thank you again for having me and I hope this has been informative. Happy to take questions.