Parsons Behle & Latimer Employment Law Seminar - Boise, Idaho - October 19, 2017

1. Annual Idaho Parsons Behle & Latimer Employment Law Seminar
HR’S CRITICAL ROLE IN
PROTECTING COMPANY DATA
Tammy B. Georgelas
801.536.6873
tgeorgelas@parsonsbehle.com
parsonsbehle.com
THURSDAY OCTOBER 19, 2017 | BOISE CENTER EAST

2. 2
Ransomware
Biggest Threats of 2017

3. 3
 What is it?
 Ransomware is a sophisticated malware that blocks the
victim’s access to her files, and the only way to regain
access to the files is to pay a ransom.
Ransomware

4. 4
Two Types of Ransomware
 Encryptors: Use advanced encryption algorithms to block
system files. Examples: CryptoLocker and WannaCry.
 Lockers: Lock the victim out of the operating system,
making it impossible to access the desktop and files.
Not encrypted, just locked out. Example: Winlocker.
Ransomware

5. 5
Ransomware

6. 6
Ransomware

7. 7
 2012: 1 (Rannoh)
 2013: 8 (Cryptolocker)
 2014: 13 (Cryptowall)
 2015: 34 (Coinvault)
Ransomware

8. 8
Ransomware

9. 9
 2016: 196 (Apocalypse)
Increase of 2,450% in 3 years
Ransomware

10. 10
Key Characteristics
 Encrypts all kinds of files: documents, pictures, videos…
 Scrambles file names, so you don’t know which data was
affected. Smart social engineering trick to confuse and
coerce victims into paying the ransom.
Ransomware

11. 11
Key Characteristics
 Unbreakable encryption—you can’t decrypt the files on
your own.
 Displays an image or a message that says your data has
been encrypted and you must pay ransom to get it back.
Ransomware

12. 12
Ransomware

13. 13
Key Characteristics
 Payment in Bitcoins--extremely difficult for law
enforcement to track the crypto currency.
 Payments have a time-limit. Passing the deadline often
means increased ransom or losing the data forever.
 Complex evasion techniques go undetected by traditional
antivirus.
Ransomware

14. 14
Key Characteristics
 Spreads to other PCs connected to a local network,
creating further damage..
 Recruits the infected PCs into botnets, so cyber criminals
can expand their infrastructure and fuel future attacks.
Ransomware

15. 15
Key Characteristics
 Can extract data from the affected computer (usernames,
passwords, email addresses, etc.) and send it to a server
controlled by cyber criminals.
 Results in triggering breach notification laws.
Ransomware

16. 16
 Numerous federal laws governing different kinds of information
– SEC and DOJ Guidelines
– HIPAA
– Gramm Leach Bliley Act
– Federal Trade Commission Act
 State law Breach Notification Statutes (48 states, the District of
Columbia, Guam, Puerto Rico and the Virgin Islands)
– Based on the residence of customer, not the business
Breach Notification

17. 17
 State law definitions and duties can differ in many ways
– Notification Triggers
• What is a “breach”?
• What information is protected?
– Deadlines
– Method of Notification
– Content of Notification
– Penalties
Breach Notification

18. 18
WannaCry: What
 May 12, 2017 ransomware attack hit over 200,000
computers in 150 countries.
 Exploited a vulnerability in computers with Microsoft
Windows and Windows XP. Microsoft issued a patch for
newer Windows versions in March 2017, but not for
Windows XP.
Ransomware

19. 19
WannaCry: How
 The vulnerability– EternalBlue – was discovered by the
NSA, which had developed it as an exploit to enable
surveillance.
 This NSA hacking “tool” was stolen and released publicly
on WikiLeaks in March 2017.
Ransomware

20. 20
WannaCry: Attack Vector
 First thought that hackers embedded the WannaCry virus
in .zip files sent in phishing email.
 Security experts now think the malware spread through
the Windows Server Message Block SMB protocol, a
system used to share files between computers.
 Typically used for inter-office communications, some
connect to the public internet, making them vulnerable.
Ransomware

21. 21
WannaCry: How
 Hackers scanned the internet for vulnerable servers after
Eternal Blue was dumped online in March 2017.
 Once on a computer, the SMB “worm” could spread
through other computers on the network, and to other
internet-connected computers as well.
Ransomware

22. 22
WannaCry: Cost and Danger
 Ransom demand of $300-$600 in Bitcoin per computer to
unlock the files.
 Contains additional malware (DoublePulsar), which allows
hackers a “backdoor” to later gain further access to
infected systems.
Ransomware

23. 23
WannaCry: The Battle vs. the War
 The same day, a security researcher in London identified
and purchased the domain of the web address where the
first WannaCry strain was attempting to communicate.
 This stopped the first attack, but hackers developed
additional strains over the weekend and are openly
planning to attack Windows XP again.
Ransomware

24. 24
WannaCry: Organizations Hacked:
 Iberdrola: Spanish electric utility forced to shut down
some systems to respond to the attack.
 PetroChina gas stations: Customers forced to pay cash at
Chinese gas stations after payment systems went down.
 MegaFon: Largest Russian telecommunications firm.
 Telefonica: The largest Spanish telecommunications firm.
Ransomware

25. 25
WannaCry: Organizations Hacked:
 FedEx: packages delayed.
 Renault: French automobile maker forced to halt
production at sites in France and its factory in Slovenia.
 Deutsche Bahn: German train operator. Hijacked signs
showed ransom demand instead of train times.
 Bank of China: ATMs across China malfunctioned,
displaying the ransom demand on machines.
Ransomware

26. 26
WannaCry: Organizations Hacked:
 NHS: United Kingdom’s National Health Service.
Hundreds of clinics and hospitals across UK were forced
to cancel or delay surgeries and X-rays, and medical
services were reduced following a massive outage from
the attacks.
Ransomware

27. 27
WannaCry: Why didn’t NHS patch its systems?
 Relies on specialized legacy software that simply won’t
work with newer Windows releases.
 Microsoft first introduced Windows XP in 2001 and hasn’t
supported it since 2014.
 Wide open castle to hackers.
 Spiceworks survey found > 50% of businesses worldwide
have at least one machine running Windows XP.
Ransomware

28. 28
DDoS Attacks
Biggest Threats of 2017

29. 29
DoS = Denial of Service
DDoS = Distributed Denial of Service
DDoS

30. 30
 What is it?
 Denial of Service:
– Hacker sends a large number of requests to a specific server
– When server is overloaded it stops responding
– When legitimate users send requests, server times out
– Shuts down websites. Think if Amazon went down for an hour.
Lost revenue? One hour of downtime today would cost the
company some $3.4 million in lost sales
– Ponemon Institute $154k/hour average
DDoS

31. 31
 What is it?
 Distributed Denial of Service:
– Hacker hijacks devices connected to the internet, and injects
them with malware used to control it from a remote location
without the knowledge of the owner.
– The group of hijacked devices is called a botnet, or zombie
army.
– Hacker gives a command for all to lie in wait, then attack the
target server at a set time—swiftly overloads the server.
DDoS

32. 32
October 2016 Attack:
 Amazon, Twitter, Netflix, Etsy, and Spotify went down
 Dyn, one of the biggest DNS companies, suffered a
DDoS.
 Domain Name Servers translate what you type into your
browser —www.amazon.com— into IP addresses that
computers can understand.
 A core part of the internet's backbone.
DDoS

33. 33
Dyn DDoS Attack:
 Well planned and executed, coming from tens of millions
of IP addresses at the same time.
 One of the sources of the attack is internet-connected
products like printers, DVRs, and appliances, often called
the "internet of things."
DDoS

34. 34
IoT
(Internet of Things)
Biggest Threats of 2017

35. 35
What is it?
 Any device with an on and off switch that is connected to
the Internet and/or each other.
 Everything from cellphones and lightbulbs to medical
devices like insulin pumps.
 US hospitals currently average 10 to 15 connected
devices per bed. Large hospitals have 5,000 beds.
 Analyst firm Gartner says that by 2020 there will be over
26 billion connected devices (others est. 100B).
IoT

36. 36
 A Cyber-Disaster in the Making?
 Individual attacks: fatal dose administered to an
individual’s insulin pump.
 Group attacks: Hackers used a drone to target a set of
Philips light bulbs in an office tower, infecting the bulbs
with a virus that let the attackers turn the lights on and off,
and flash an "SOS" message in Morse code.
 Could plunge a whole city into darkness.
IoT

37. 37
IoT DDoS Attacks:
 University hit with IoT malware strain that connected to its
smart devices, changed its default password, then
launched brute-force attacks to guess the admin
credentials of nearby devices.
 The hacked devices then started flooding the university's
DNS server, resulting in the server dropping legitimate
student traffic.
 Over 5,000 smart devices taken over during the incident.
IoT

38. 38
IoT DDoS Attacks:
 Hackers broke into a water treatment facility and modified
water treatment parameters without even knowing what
they were doing.
 Sea pirates hired hackers to break into the systems of sea
shipping companies, gather information on ships and their
cargos, and then attack only vessels with high-value
merchandise.
IoT

39. 39
 Cyber warfare
 Work for a government to disrupt or compromise target
governments, organizations, or individuals to gain access
to valuable data or intelligence, and can create incidents
of international significance.
 License to hack
Nation State Attacks

40. 40
 Russian agencies using cyber attacks to extract
information to influence the U.S. presidential election.
 Russian government hackers penetrated the computer
network of the Democratic National Committee and
gained access to the entire database of opposition
research on GOP presidential candidate Donald Trump.
 Tried to penetrate the computer networks of the
Republican National Committee, using the same
techniques.
Nation State Attacks

41. 41
 2015 CrowdStrike documented seven Chinese
cyberattacks against U.S. technology and
pharmaceuticals companies in a 3 week time period
"where the primary benefit of the intrusions seems clearly
aligned to facilitate theft of intellectual property and trade
secrets, rather than to conduct traditional national
security-related intelligence collection.”
 Largest offenders are China and Russia.
Nation State Attacks

42. 42
 Knock Knock
 The FBI tells you you’ve been hacked
 Call your attorney
 Work with them to stop the bleeding
 Work with them to get immunity and help them defend
against future threats
Nation State Attacks

43. 43
Humans
(aka Employees)
Biggest Threats of 2017

44. 44

45. 45
Employees
2015 Data Breach Incident Report by Verizon.
59%
Employees and
Negligence

46. 46
28%
Employee Misconduct
PWC: US Cybercrime: Rising risks, reduced readiness. Key findings from the 2014 US State of Cybercrime Survey. Survey co-sponsored
by PWC, CSO Magazine, US Secret Service, and CERT Division of Software Engineering Institute at Carnegie Mellon University

47. 47
Caused by insiders such as current and former
employees, service providers, and contractors
Employee Misconduct
.

48. 48
 The most expensive kind of breach.
 Among the hardest types of attacks to detect and defend
against.
 Take the longest to resolve.
 Because insiders already have legitimate access to data
and systems, determining what insider activity may be a
threat and being able to stop that activity requires
dynamic capabilities for both monitoring and control.
Malicious Insiders
Ponemon Institute “2015 Cost of Cybercrime Study”

49. 49
$144,542
$126,545
$96,424
$85,959
$81,500
$33,565
$7,378
$1,900
$1,075
$0 $20,000 $40,000 $60,000 $80,000 $100,000 $120,000 $140,000 $160,000
MALICIOUS INSIDERS
MALICIOUS CODE
WEB-BASED ATTACKS
PHISHING
DENIAL OF SERVICE
STOLEN DEVICES
MALWARE
VIRUSES, WORMS, TROJANS
BOTNETS
Average Annualized Cost Weighted by
Attack Frequency
Ponemon Institute “2015 Cost of Cybercrime Study”

50. 50
54.4
47.5
27.7
21.9
19.3
12.3
5.8
2.4
2.2
0 10 20 30 40 50 60
MALICIOUS INSIDERS
MALICIOUS CODE
WEB-BASED ATTACKS
PHISHING
DENIAL OF SERVICE
STOLEN DEVICES
MALWARE
VIRUSES, WORMS, TROJANS
BOTNETS
Average Number of Days to Resolve an
Attack
Ponemon Institute “2015 Cost of Cybercrime Study”

51. 51
25%
Employee Mistakes
Ponemon Institute “2015 Cost of Data Breach Study: Global Analysis”

52. 52
 Lost assets (cell phones, thumb drives)
 Improper disposal
 Phishing emails
 Leaving a machine on unattended
 Poor password protection
Employee Mistakes
Price Waterhouse Coopers: US Cybercrime: Rising risks, reduced readiness. Key findings from the 2014 US State of Cybercrime Survey. Survey
co-sponsored by PWC, CSO Magazine, US Secret Service, and CERT Division of Software Engineering Institute at Carnegie Mellon University.

53. 53
Why Should You Care?

54. 54
 Company
 Board of Directors
 President, CEO, CISO
 Anyone who had a fiduciary duty to keep the
information safe
Who Can Be Sued for a Data Breach?

55. 55
 Remediation
– Forensic Experts cost $15,000+/week
– New hardware and software
 Business Disruption
– FCC study says average 400 hours resolving identity theft
– Key employees dealing with crisis instead of normal jobs
Costs of a Data Breach

56. 56
 Network Downtime for Goods and Services
– 2014 Avaya study says average $150k-$540k/hour in lost
revenue
 Employee Productivity
– Distractions, worrying, fear of losing their jobs
Costs of a Data Breach

57. 57
 Regulatory Fines and Penalties
– HIPAA
• $5.55M against Advocate Healthcare Network
• Fines range from $110 to $55,000 per violation
• A violation is losing one record, not having one breach
– FTC
• $25M against AT&T
• Recently raised penalty from $16,000 to $40,000 per violation
Costs of a Data Breach

58. 58
 Loss of Reputation
 Loss of Customers
 Public Relations
 Credit Monitoring/Identity Theft Repair
 Lawsuits and Settlements
Costs of a Data Breach

59. 59
$158/stolen record
10,000 records = $1,580,000
* IBM/Ponemon 2016 Cost of Data Breach Study
Costs of a Data Breach

60. 60
-$10
-$13
-$17
-$21
-$25
-$20
-$15
-$10
-$5
$0
Ways to Lower the Cost of a Breach
Ponemon Institute 2014 Cost of Data Breach Study: United States

61. 61
Strong security posture includes:
Training Employees
Decrease costs by 13%-100%
Lower the Cost of a Breach

62. 62
If you know neither the enemy nor yourself, you will
succumb in every battle.
--Sun Tzu, The Art of War
Key Policies and Procedures

63. 63
 Top down mentality.
 Analyze what sensitive data you have:
– client information like PII, PHI, and financial information
– company IP, correspondence, HR information
 Conduct a risk assessment to assess internal system
vulnerabilities and gain an understanding of your
company’s use, storage, and location of sensitive data.
 Care as if it were your own bank account information.
Maintain a Culture of Security

64. 64
 Keep software, firewalls, virus protection systems, and
operating systems up to date.
 Engage outside professionals who can perform the work
for a fraction of the price.
 Conduct periodic audits to ensure you are secure.
 Follow up on recommendations from the audits, or be
prepared to explain why they were not followed.
Update and Audit

65. 65
 The best defense to ransomware is to not care.
 Cloud is a good option.
 Perpetual Storage for physical information.
 Determine timing: hourly, daily, weekly.
Back Up All Important Data

66. 66
 Limit access to sensitive data only to employees
with a true need to know.
 Ask employees to make a list of what they actually
access and use on a regular basis, then restrict
whenever possible.
 The less an employee has access to, the less a
potential hacker has access to.
Limit Access to Sensitive Information

67. 67
 Must be tailored to your organization’s needs.
 What information do you collect and how do you use it?
 How can you maintain a profitable business?
 Outsource when you can, but require all third parties and
affiliates to maintain the same security requirements.
 Get everything in writing: employee contracts and vendor
contracts.
Draft Viable Information Security Policies

68. 68
Acceptable Use Policy
 Defines what are and are not an allowed activities on
company premises, with company equipment, and when
using company resources.
 Outlines consequences when violated.
 Goal is to guide employees toward working productively
without burning out or putting the organization at risk due
to risky or non-business behaviors.
Draft Viable Information Security Policies

69. 69
Privacy Policy
 Defines what is and is not private when working on
company equipment or when on company property.
– What information is collected
– What information is not collected
– What can or cannot be disclosed
– To whom information may be disclosed
– For what purposes the data was collected.
Draft Viable Information Security Policies

70. 70
Retention and Destruction Policy
 Defines what to store, for how long, and how to get rid of
it.
 Assume everything thrown out is obtained by your
competitors, your enemies, and the government.
 Store only what you need and safely and securely
dispose of the rest.
Draft Viable Information Security Policies

71. 71
Incident Response Policy: Should address six key areas:
– Preparation
– Detection
– Containment
– Eradication
– Recovery
– Review
 Goal is to minimize downtime, reduce loss, and improve
availability.
Draft Viable Information Security Policies

72. 72
 Suggested 12 characters in length with mixed types of
characters.
 Use a code or phrase that means something to you so
that you will remember.
 https://howsecureismypassword.net/
 Consider using a password manager like LastPass or
Dashlane.
 Change passwords periodically, e.g. every 90 days.
Enforce Strong Passwords

73. 73
1. 123456
2. Password
3. 12345
4. 12345678
5. Football
6. Qwerty
7. 1234567890
8. 1234567
9. Princess
10.1234
Top 10 Worst Passwords of 2016
Splashdata Survey

74. 74

75. 75
 Require different passwords for work and personal
accounts.
 Using a single password across multiple sites poses
serious security risk because most sites don’t encrypt
their stored user login information. No matter how clever
the password, if someone gains access to a server where
it’s stored in plain text, it becomes a race to see how
quickly you can remember and change all the places
you’ve used that password.
Enforce Strong Passwords

76. 76
 Phishing is the #1 delivery vehicle for ransomware and
other malware.
 30% of phishing emails get opened.
 85% of organizations have suffered phishing attacks.
 250% surge in phishing detected in Q1 2016.
 $1.6 million: the average cost of a spear phishing attack.
 1 in 3 companies have been victims of CEO fraud emails.
Train for Phishing Emails

77. 77
 Lock your computer when you leave your office
 Maintain a clean desk
 Secure sensitive hard copies in locked filing cabinets
 Shred hard copies—NEVER just throw away sensitive
information
 Ask unfamiliar faces who they are
Protect Your Physical Assets

78. 78
 A breach will happen. Plan for it now.
 Identify the team to address security issues
including breaches.
 Practice!
 Reduces cost of a data breach by over 10%.
Create Incident Response Plan

79. 79
 Commercial General Liability Insurance
–Comprehensive general liability
–First-party property policies
–Employment practices liability
–Errors and omissions
–Management liability
–Fidelity or employee dishonesty
Consider Appropriate Insurance

80. 80
 Cyber Security Extensions
– Information security/privacy liability coverage
– Breach response/notification services
– Regulatory defense/penalties
– Specialized media liability
– Specialized errors and omissions
– PCI-DSS fines/expenses
– Cyber-extortion
– First-party data restoration
– Network business interruption
Consider Appropriate Insurance

81. 81
Protect Your Computer

82. 82
 Tammy B. Georgelas
801.536.6873
tgeorgelas@parsonsbehle.com
Thank You