Data Breaches and Cyber Risks

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Data Breaches and Cyber Risks"

Transcription

1 Data Breaches and Cyber Risks Carolinas Credit Union League Leadership Conference Presented by: Ken Otsuka Business Protection Risk Management CUNA Mutual Group CUNA Mutual Group Proprietary Reproduction, Adaptation or Distribution Prohibited 2014 CUNA Mutual Group, All Rights Reserved.

2 Data Breaches How do they Happen? Network hackers and malware Employee negligence / theft Lost / stolen laptops, backup tapes / disks and other data-bearing mobile devices Vendor leaks/mistakes 2

3 Data Breaches Financial risk Compliance / Legal risk Reputation risk A data breach can result in more than lost data. It can damage the credit union s reputation, shake member trust, and cost tens of thousands to repair. 3

4 Agenda Data breach studies by the Ponemon Institute, Verizon, Mandiant and PricewaterhouseCoopers (PwC) Data breach insurance claims study NetDiligence Best practices for securing members confidential data Mobile devices Federal Financial Institutions Examination Council s (FFIEC) Cybersecurity Framework Tool 4

5 Ponemon Institute Is Your Company Ready for a Big Data Breach? The Good 73% of the organizations have an incident response plan in place compared to 61% in last year s study The Bad 78% of the organizations say they either don t review and update their incident response plan or have no set timeframe for doing so Only 30% of the respondents say their organizations are effective or very effective in developing and executing their incident response plan 56% of the organizations do not perform a risk assessment on their information systems to identify vulnerabilities Only 54% of the organizations have training and security awareness programs Only 34% of the organizations train customer service representatives on how to respond to questions in the event a breach occurs Source: Ponemon Institute s 2014 study, Is Your Company Ready for a Big Data Breach? 5

6 Ponemon Institute Is Your Company Ready for a Big Data Breach? The Ugly 43% of the organizations experienced a data breach involving a theft of more than 1,000 records 60% of the organizations experienced more than one data breach during the last two years Only 41% provide for either continuous monitoring (20%) or daily monitoring (21%) of their information systems for suspicious/anomalous traffic 44% say they either never monitor their information systems (28%) or are unsure if monitoring takes place (16%) 6

7 Verizon 2015 Data Breach Investigations Report External threats far exceed internal threats and partner threats. Source: Verizon 2015 Data Breach Investigations Report 7

8 Mandiant s 2015 M-Trends Report Early Detection is Critical Source: Mandiant 2015 M-Trends Report 8

9 PwC s Global State of Information Security Survey 2015 Total number of security incidents reported by respondents climbed to 42.8 million. The equivalent to 117,339 incoming attacks per day Security incident: The National Institute of Standards and Technology (NIST) defines security incident as a violation of computer security policies, acceptable use policies, or standard practices. These include, but are not limited to: Attempts (failed or successful) to gain unauthorized access to a system or its data Unwanted disruption or denial of service Unauthorized use of a system for the processing or storage of data Unauthorized changes to system hardware or software million million million Source: PwC Global State of Information Security Survey

10 Malware s Role in Data Breaches Data breaches are frequently the result of credential-stealing malware Distributed in spear phishing attacks Tool of choice in Advance Persistent Threat (APT) attacks What s an Advanced Persistent Threat (APT) attack? Malware planted on network via spear phishing attack Establishes communication with command & control server Moves slowly about the network searching for sensitive data to steal and the credentials necessary to access that data Sensitive data is extracted using encryption and other techniques to disguise it Intelligence Gathering Point of Entry Establish Communication with C&C Lateral Movement through Network Data Discovery Data Exfiltration 10

11 NetDiligence 2015 Cyber Liability & Data Breach Insurance Claims Per breach costs Average payout: $673,767 Median payout: $76,984 Per record costs Average cost per record: $ Median cost per record: $13.00 Average records lost: 3.16 million Median records lost: 2,300 Crisis service costs Average cost of crisis services: $499,710 Median cost of crisis services: $60,563 Crisis services include the cost of forensics, legal counsel guidance, notification and credit monitoring Legal costs Average cost of legal defense: $434,354 Median cost of legal defense: $73,600 Average cost of settlement: $880,839 Median cost of settlement: $50,000 Source: NetDiligence 2015 Cyber Liability & Data Breach Claims Study 11

12 Why the Problem? Intrusion detection and network monitoring is weak Lack of encryption Malware Websites are porous and need constant care Hardening and patching Cyber thieves take advantage of human error Unchanged default settings Failing to install patches Failing to protect laptops Improper disposal of paper records Weak passwords 12

13 Best Practices Protect data wherever it is located At rest In motion In use Encryption Data residing on the network (servers, workstation hard drives and laptops) Data residing on mobile devices Backup tapes/disks Data transmitted over the Internet and in s Endpoint security Protects the endpoints (devices) connected to credit union network Includes typical protections such as a firewall and antivirus/antimalware Block access to personal accounts Spam and web filters Intrusion detection system (IDS)/intrusion prevention system (IPS) Install operating system patches when made available 13

14 Best Practices Protect data wherever it is located At rest In motion In use Vulnerability assessments Penetration testing Monitor system logs Disable / lockdown workstation USB ports and CD Rom drives Helps prevent insider theft of confidential member data Data loss prevention (DLP) solution Identifies, monitors, and protects data at rest, in motion, and in use DLP tools allow credit unions to see which databases, file servers, desktops and laptops hold sensitive data Identifies when someone is transmitting data via or downloading to external storage devices Third-party reviews of network security Secure paper records 14

15 Best Practices Protect data wherever it is located At rest In motion In use Accessing network/systems remotely Telecommuters working from home Third-party vendors Remote Access Best Practices Prohibit remote employees from using home computers to access network Establish a virtual private network (VPN) A VPN is a network that uses the Internet to provide remote employees with secure access to the credit union s network Prohibit employees from using unsecure wireless networks (public Wi-Fi) Require multifactor authentication not just usernames and passwords One-time-password tokens Plug-in tokens 15

16 Mobile Devices: Tablets / Smartphones Credit union issued versus employee use of personal devices (BYOD) Both should be secured Secure the business side of the device (sandboxing) Good Technology MaaS360 Adopt acceptable use policy Mobile Devices Used for Business Purposes Antivirus software Password protect the device/time-out feature to lock the device Remote wipe capability Prohibit employees from storing confidential member data to the device If it is necessary to store such data on the device, the data should be encrypted Encrypt confidential member data transmitted in s 16

17 Data Breaches Employee Negligence Credit union discovered malware on least 24 workstation pc s Malware captures screen shots Social Security numbers, account information and transaction records for 115,000 accountholders (members) may have been compromised Credit union employee accidentally published a file on the credit union s public-facing website File contained member names, addresses, Social Security numbers, account numbers and account passwords Credit union employee accidently ed a spreadsheet to a member Spreadsheet contained member names and account numbers Credit union employee s laptop stolen from vehicle Contained unencrypted sensitive data (names, addresses, SSN s and account numbers) on 45,000 members Source: CUMIS Insurance Society, Inc.. 17

18 Data Breaches Vendor Negligence Credit union uses third-party vendor to mail monthly account statements Members received their correct statements plus a portion of statements belonging to other members Credit union downloaded confidential member data to a thumb drive for their outside auditor - Auditor lost the thumb drive in a public park while watching son s football game - 14,500 members impacted Source: CUMIS Insurance Society, Inc.. 18

19 Security Awareness Training Must be addressed in the credit union s information security program All employees should receive training on at least an annual basis The goal is to change employee behavior to reinforce good data security practices 19

20 Malware Beyond Theft of Data Carbanak Malware Targeted 100 financial institutions in 30 countries, including U.S. Losses per institution ranged from $2.5M to $10M Funds stolen from institutions not from depositor accounts Distributed via phishing attacks Sought out employees with administrative rights Performed reconnaissance (video) to learn details of the 3 rd party EFT systems used Logged into 3 rd party EFT systems to transfer funds to other institutions Source: Kaspersky Lab, The Great Bank Robbery: The Carbanak APT 20

21 Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool 21

22 Cybersecurity Assessment Tool Launched by the FFIEC on June 30, Assists credit unions in identifying their risks and determining their cybersecurity preparedness Developed specifically for financial institutions based on the results of the cybersecurity assessments conducted by FFIEC member agencies piloted in 2014 A better option for credit unions than NIST s Cybersecurity Framework Designed to provide a measurable and repeatable process to assess a credit union s level of cybersecurity risk and preparedness CUNA Mutual Group highly recommends using the Cybersecurity Assessment Tool 22

23 Cybersecurity Assessment Tool Completing the Cybersecurity Assessment Tool is a three-step process Step 1: Determine Inherent Risk Profile Step 2: Determine Cybersecurity Maturity Level Step 3: Analyze Results 23

24 Step 1: Inherent Risk Profile The Inherent Risk Profile (IRP) identifies a credit union s inherent risk before implementing controls IRP identifies the amount of risk posed to a credit union based on the types of products, services and activities; and the volume and complexity of the credit union s operations in five categories: Technologies and connections Delivery channels Online/mobile products/services Organizational characteristics External threats Includes five risk levels Least Inherent Risk Minimal Inherent Risk Moderate Inherent Risk Significant Inherent Risk Most Inherent Risk 24

25 Step 1: Inherent Risk Profile The FFIEC provided pre-defined parameters for each risk level for determining the Inherent Risk Level for the products, services and activities under each category. Credit unions determine their overall Inherent Risk Level by counting the number of applicable parameters under each risk level. Products, services and activities Source: FFIEC 25

26 Step 2: Cybersecurity Maturity Determine the credit union s Cybersecurity Maturity level across five domains Cyber Risk Management and Oversight Threat Intelligence and Collaboration Cybersecurity Controls External Dependency Management Cyber Incident Management and Resilience Five levels of Cybersecurity Maturity Baseline (lowest level) Evolving Intermediate Advanced Innovative (highest level Within each domain are assessment factors and contributing components Within each component are declarative statements 26

27 Step 2: Cybersecurity Maturity Components and Declarative Statements Within each component are declarative statements Declarative statements are the minimum regulatory guidelines that must be attained and sustained for that level of maturity Credit unions must satisfy all declarative statements for each maturity level, and previous levels, to achieve that domain s maturity level Indicate whether credit union satisfies each declarative statement Source: FFIEC 27

28 Step 2: Cybersecurity Maturity The controls needed to achieve the Baseline maturity level are consistent with the minimum guidelines contained in the FFIEC s IT Examination Handbook Credit unions must meet the minimum guidelines to be placed in the Baseline maturity level The effects are cumulative in that all declarative statements in each maturity level, and previous maturity levels, must be attained and sustained to achieve that domain s maturity level. 28

29 Step 3: Analyzing Results As inherent risk rises, so too should maturity levels If a credit union s maturity levels are not aligned with the inherent risk profile: Management should consider reducing inherent risk, or Develop a strategy to improve the maturity levels by adopting controls needed to meet the declarative statements required to achieve a higher maturity level Over-investment in cybersecurity preparedness Be in the blue Danger zone policies, procedures and controls are not sufficient given the Inherent Risk Profile Source: FFIEC 29

30 Additional Thoughts and Comments Piggybacking on FFIEC joint statements: Cyber Attacks Compromising Credentials and Destructive Malware (March 30, 2015) Cybersecurity Assessment General Observations and Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (November 3, 2014) Domain 3, Cybersecurity Controls, could be the most important domain and the most difficult for some credit unions to achieve even the Baseline maturity level Domain 3 is the largest part of the Assessment Examples (declarative statements for Baseline maturity level): Mobile devices (e.g., laptops, tablets, and removable media) are encrypted if used to store confidential data. (*N/A if mobile devices are not used.) (FFIEC Information Security Booklet, page 51) Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication. (FFIEC Information Security Booklet, page 45) Domain 2, Threat Intelligence and Collaboration, is a short but major part of the Assessment Organizations participating in FS-ISAC are in a much better position to defend against cyber attacks 30

31 CUNA Mutual Group s Collaboration with FS-ISAC Credit unions that have or purchase a cyber liability insurance policy through CUNA Mutual Group may be eligible for a discount on the basic membership (new memberships and renewals) Visit CUNA Mutual Group s dedicated web page to learn more 31

32 Session Summary Information theft is one of today s most common forms of fraud Given the financial, legal, and reputational risks of a data breach -- failing to prepare can be disaster Take proactive steps to prevent incidents from occurring in the first place Protection Resource 32

33 Questions & Answers Ken Otsuka, CPA Senior Consultant - Risk Management CUNA Mutual Group 33

34 Disclaimer This presentation was created by the CUNA Mutual Group based on our experience in the credit union and insurance market. It is intended to be used only as a guide, not as legal advice. Any examples provided have been simplified to give you an overview of the importance of selecting appropriate coverage limits, insuring-to-value and implementing loss prevention techniques. No coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond. Credit Union Loss Scenarios Case Studies The credit union loss scenario claim study examples do not make any representations that coverage does or does not exist for any particular claim or loss, or type of claim or loss, under any policy. Whether or not coverage exists for any particular claim or loss under any policy depends on the facts and circumstances involved in the claim or loss and all applicable policy language. CUNA Mutual Group is the marketing name for CUNA Mutual Holding Company, a mutual insurance holding company, its subsidiaries and affiliates. Insurance products offered to financial institutions and their affiliates are underwritten by CUMIS Insurance Society, Inc. or CUMIS Specialty Insurance Company, members of the CUNA Mutual Group. Some coverages may not be available in all states. If a coverage is not available from one of our member companies, CUNA Mutual Insurance Agency, Inc., our insurance producer affiliate, may assist us in placing coverage with other insurance carriers in order to serve our customers needs. For example, the Workers Compensation Policy is underwritten by non-affiliated admitted carriers. CUMIS Specialty Insurance Company, our excess and surplus lines carrier, underwrites coverages that are not available in the admitted market. Data breach services are offered by Kroll, a member of the Altegrity family of businesses. Cyber liability may be underwritten by Beazley Insurance Group. This summary is not a contract and no coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond. Please read the actual policy for specific coverage, terms, conditions, and exclusions. CUP CUNA Mutual Group, 2015 All Rights Reserved 34

35 35

Data Breaches and Cyber Risks

Data Breaches and Cyber Risks Data Breaches and Cyber Risks MD/DC Credit Union Association 2015 Volunteer Leadership Conference Presented by: Ken Otsuka Business Protection Risk Management CUNA Mutual Group CUNA Mutual Group Proprietary

More information

DNA of Cybersecurity Risks. Credit Union Executive Leadership Symposium

DNA of Cybersecurity Risks. Credit Union Executive Leadership Symposium DNA of Risks Credit Union Executive Leadership Symposium CUNA Mutual Group Proprietary Reproduction, Adaptation or Distribution Prohibited 2016 CUNA Mutual Group, All Rights Reserved. What s in store for

More information

Ed McMurray, CISA, CISSP, CTGA CoNetrix

Ed McMurray, CISA, CISSP, CTGA CoNetrix Ed McMurray, CISA, CISSP, CTGA CoNetrix AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats

More information

Cybersecurity. Are you prepared?

Cybersecurity. Are you prepared? Cybersecurity Are you prepared? First Cash, then your customer, now YOU! What is Cybersecurity? The body of technologies, processes, practices designed to protect networks, computers, programs, and data

More information

Click to edit Master title style

Click to edit Master title style EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity

More information

Data Breach Response Planning: Laying the Right Foundation

Data Breach Response Planning: Laying the Right Foundation Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA

More information

Internet threats: steps to security for your small business

Internet threats: steps to security for your small business Internet threats: 7 steps to security for your small business Proactive solutions for small businesses A restaurant offers free WiFi to its patrons. The controller of an accounting firm receives a confidential

More information

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors Overview for Chief Executive Officers and Boards of Directors In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed

More information

Cyber Self Assessment

Cyber Self Assessment Cyber Self Assessment According to Protecting Personal Information A Guide for Business 1 a sound data security plan is built on five key principles: 1. Take stock. Know what personal information you have

More information

PACB One-Day Cybersecurity Workshop

PACB One-Day Cybersecurity Workshop PACB One-Day Cybersecurity Workshop WHAT IS CYBERSECURITY? PRESENTED BY: JON WALDMAN, SBS CISA, CRISC 1 Contact Information Jon Waldman Partner, Senior IS Consultant CISA, CRISC Masters of Info Assurance

More information

Cybersecurity Workshop

Cybersecurity Workshop Cybersecurity Workshop February 10, 2015 E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. 150 West Main Street, Suite 2100 Norfolk, VA 23510 (757) 624-3153

More information

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015 Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity

More information

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C. Belmont Savings Bank Are there Hackers at the gate? 2013 Wolf & Company, P.C. MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2013 Wolf & Company, P.C. About Wolf & Company, P.C.

More information

10 Smart Ideas for. Keeping Data Safe. From Hackers

10 Smart Ideas for. Keeping Data Safe. From Hackers 0100101001001010010001010010101001010101001000000100101001010101010010101010010100 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000

More information

Online Banking Risks efraud: Hands off my Account!

Online Banking Risks efraud: Hands off my Account! Online Banking Risks efraud: Hands off my Account! 1 Assault on Authentication Online Banking Fraud Significant increase in account compromises via online banking systems Business accounts are primary

More information

2 0 1 4 F G F O A A N N U A L C O N F E R E N C E

2 0 1 4 F G F O A A N N U A L C O N F E R E N C E I T G OV E R NANCE 2 0 1 4 F G F O A A N N U A L C O N F E R E N C E RAJ PATEL Plante Moran 248.223.3428 raj.patel@plantemoran.com This presentation will discuss current threats faced by public institutions,

More information

Cybersecurity: What CFO s Need to Know

Cybersecurity: What CFO s Need to Know Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction

More information

Cyber Security. John Leek Chief Strategist

Cyber Security. John Leek Chief Strategist Cyber Security John Leek Chief Strategist AGENDA The Changing Business Landscape Acknowledge cybersecurity as an enterprise-wide risk management issue not just an IT issue How to develop a cybersecurity

More information

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES Leonard Levy PricewaterhouseCoopers LLP Session ID: SEC-W03 Session Classification: Intermediate Agenda The opportunity Assuming

More information

Cybersecurity. Regional and Community Banks. Inherent Risks and Preparedness. www.bostonfed.org

Cybersecurity. Regional and Community Banks. Inherent Risks and Preparedness. www.bostonfed.org Cybersecurity Inherent Risks and Preparedness Regional and Community Banks www.bostonfed.org Disclaimer The opinions expressed in this presentation are intended for informational purposes, and are not

More information

Larry Schoeberl, Supervisory Examiner National Credit Union Administration FFIEC Cybersecurity Assessment Tool

Larry Schoeberl, Supervisory Examiner National Credit Union Administration FFIEC Cybersecurity Assessment Tool Larry Schoeberl, Supervisory Examiner National Credit Union Administration FFIEC Cybersecurity Assessment Tool Michigan CU League & Affiliates Conference February 11, 2016 Agenda Risk Trends FFIEC Cybersecurity

More information

Logging In: Auditing Cybersecurity in an Unsecure World

Logging In: Auditing Cybersecurity in an Unsecure World About This Course Logging In: Auditing Cybersecurity in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that

More information

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system

More information

FFIEC Cybersecurity Assessment Tool

FFIEC Cybersecurity Assessment Tool Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

Into the cybersecurity breach

Into the cybersecurity breach Into the cybersecurity breach Tim Sanouvong State Sector Cyber Risk Services Deloitte & Touche LLP April 3, 2015 Agenda Setting the stage Cyber risks in state governments Cyber attack vectors Preparing

More information

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING INFORMATION TECHNOLOGY STANDARD Name Of Standard: Mobile Device Standard Domain: Security Date Issued: 09/07/2012 Date Revised:

More information

ICBA Summary of FFIEC Cybersecurity Assessment Tool

ICBA Summary of FFIEC Cybersecurity Assessment Tool ICBA Summary of FFIEC Cybersecurity Assessment Tool July 2015 Contact: Jeremy Dalpiaz Assistant Vice President Cyber Security and Data Security Policy Jeremy.Dalpiaz@icba.org www.icba.org ICBA Summary

More information

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and

More information

What is Management Responsible For?

What is Management Responsible For? What is Management Responsible For? Matthew J. Putvinski, CPA, CISA, CISSP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2011 Wolf & Company, P.C. About Wolf & Company, P.C Regional

More information

What Data? I m A Trucking Company!

What Data? I m A Trucking Company! What Data? I m A Trucking Company! Presented by: Marc C. Tucker 434 Fayetteville Street, Suite 2800 Raleigh, NC, 27601 919.755.8713 marc.tucker@smithmoorelaw.com Presented by: Rob D. Moseley, Jr. 2 West

More information

Security Management. Keeping the IT Security Administrator Busy

Security Management. Keeping the IT Security Administrator Busy Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching

More information

Online Account Takeover. Roger Nettie

Online Account Takeover. Roger Nettie Online Account Takeover Roger Nettie CUNA Mutual Group Proprietary Reproduction, Adaptation or Distribution Prohibited CUNA Mutual Group 2013 Session Outline Types of attacks Movement of funds Consumer

More information

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS CONTENTS PAGE RECONNAISSANCE STAGE 4 INCURSION STAGE 5 DISCOVERY STAGE 6 CAPTURE STAGE 7 EXFILTRATION STAGE

More information

Presented by: Mike Morris and Jim Rumph

Presented by: Mike Morris and Jim Rumph Presented by: Mike Morris and Jim Rumph Introduction MICHAEL MORRIS, CISA Systems Partner JIM RUMPH, CISA Systems Manager Objectives To understand how layered security assists in securing your network

More information

Data Breach Lessons Learned. June 11, 2015

Data Breach Lessons Learned. June 11, 2015 Data Breach Lessons Learned June 11, 2015 Introduction John Adams, CISM, CISA, CISSP Associate Director Security & Privacy 410.707.2829 john.adams@protiviti.com Powerful Insights. Proven Delivery. Kevin

More information

Cybersecurity Demystified: Information Technology Security Trends. Joe Oleksak, Plante Moran

Cybersecurity Demystified: Information Technology Security Trends. Joe Oleksak, Plante Moran Cybersecurity Demystified: Information Technology Security Trends Joe Oleksak, Plante Moran Agenda Data Security Trends Example Attacks Industry Examples An Answer 1 Who Are The Victims? Targets - victims

More information

IT Security Risks & Trends

IT Security Risks & Trends IT Security Risks & Trends Key Threats to All Businesses 1 1 What do the following have in common? Catholic church parish Hospice Collection agency Main Street newspaper stand Electrical contractor Health

More information

Presented by Evan Sylvester, CISSP

Presented by Evan Sylvester, CISSP Presented by Evan Sylvester, CISSP Who Am I? Evan Sylvester FAST Information Security Officer MBA, Texas State University BBA in Management Information Systems at the University of Texas Certified Information

More information

TODAY S AGENDA. Trends/Victimology. Incident Response. Remediation. Disclosures

TODAY S AGENDA. Trends/Victimology. Incident Response. Remediation. Disclosures TODAY S AGENDA Trends/Victimology Incident Response Remediation Disclosures Trends/Victimology ADVERSARY CLASSIFICATIONS SOCIAL ENGINEERING DATA SOURCES COVERT INDICATORS - METADATA METADATA data providing

More information

Practice Good Enterprise Security Management. Presented by Laurence CHAN, MTR Corporation Limited

Practice Good Enterprise Security Management. Presented by Laurence CHAN, MTR Corporation Limited Practice Good Enterprise Security Management Presented by Laurence CHAN, MTR Corporation Limited About Me Manager Information Security o o o o Policy formulation and governance Incident response Incident

More information

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Presenting a live 90-minute webinar with interactive Q&A Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Developing a Comprehensive Usage Strategy to Safeguard Health Information and

More information

Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m.

Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m. Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m. Topics: Explain why it is important for firms of all sizes to address cybersecurity risk. Demonstrate awareness

More information

Information Security Addressing Your Advanced Threats

Information Security Addressing Your Advanced Threats Information Security Addressing Your Advanced Threats Where We are Going Information Security Landscape The Threats You Face How To Protect Yourself This Will Not Be Boring What Is Information Security?

More information

Network Security & Privacy Landscape

Network Security & Privacy Landscape Network Security & Privacy Landscape Presented By: Greg Garijanian Senior Underwriter Professional Liability 1 Agenda Network Security Overview -Latest Threats - Exposure Trends - Regulations Case Studies

More information

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Risks to Health Information Risks vary based on the mobile device and its use. Some risks include:

More information

Information Security It s Everyone s Responsibility

Information Security It s Everyone s Responsibility Information Security It s Everyone s Responsibility The University of Texas at Dallas Information Security Office (ISO) Purpose of Training Information generated, used, and/or owned by UTD has value. Because

More information

Information Security It s Everyone s Responsibility

Information Security It s Everyone s Responsibility Information Security It s Everyone s Responsibility Developed By The University of Texas at Dallas (ISO) Purpose of Training As an employee, you are often the first line of defense protecting valuable

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

BYOD. opos WHAT IS YOUR POLICY? SUMMARY

BYOD. opos WHAT IS YOUR POLICY? SUMMARY BYOD WHAT IS YOUR POLICY? opos SUMMARY The organization s employees and contractors frequently perform employment-related tasks which require connecting to the organization s networks, systems, and/or

More information

IBM Security Strategy

IBM Security Strategy IBM Security Strategy Intelligence, Integration and Expertise Kate Scarcella CISSP Security Tiger Team Executive M.S. Information Security IBM Security Systems IBM Security: Delivering intelligence, integration

More information

Information Security and Risk Management

Information Security and Risk Management Information Security and Risk Management COSO and COBIT Standards and Requirements Page 1 Topics Information Security Industry Standards and COBIT Framework Relation to COSO Internal Control Risk Management

More information

Section 12 MUST BE COMPLETED BY: 4/22

Section 12 MUST BE COMPLETED BY: 4/22 Test Out Online Lesson 12 Schedule Section 12 MUST BE COMPLETED BY: 4/22 Section 12.1: Best Practices This section discusses the following security best practices: Implement the Principle of Least Privilege

More information

Been in technology for 22 years Westinghouse Senior Manager at Clifton Gunderson-7th largest CPA and consulting firm in the U. S. Partner / Director

Been in technology for 22 years Westinghouse Senior Manager at Clifton Gunderson-7th largest CPA and consulting firm in the U. S. Partner / Director Been in technology for 22 years Westinghouse Senior Manager at Clifton Gunderson-7th largest CPA and consulting firm in the U. S. Partner / Director in Kenneally and Company s technology consulting practice

More information

Cyber Security in the Mobile Era KEEPING ENTERPRISE DATA SAFE IN THE BYOD ERA.

Cyber Security in the Mobile Era KEEPING ENTERPRISE DATA SAFE IN THE BYOD ERA. Cyber Security in the Mobile Era KEEPING ENTERPRISE DATA SAFE IN THE BYOD ERA. What is Mobile Security? Mobile security is the protection of both personal and business information stored on and transmitted

More information

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Risks to to Health Mobile Information Devices: Risks to Health Information Risks vary based on the

More information

Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s

Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s 1 Agenda Data Security Trends Root causes of Cyber Attacks How can we fix this? Secure Infrastructure Security Practices

More information

Mobile Security Checklist. An Easy, Achievable Plan for Security and Compliance

Mobile Security Checklist. An Easy, Achievable Plan for Security and Compliance Mobile Security Checklist An Easy, Achievable Plan for Security and Compliance Introduction Are mobile devices the weak link in your security defenses? Today, organizations are pouring millions of dollars

More information

Network & Information Security Policy

Network & Information Security Policy Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Agenda. Cyber Security: Potential Threats Impacting Organizations 1/6/2015. January 10, 2015 Scott Petree

Agenda. Cyber Security: Potential Threats Impacting Organizations 1/6/2015. January 10, 2015 Scott Petree Cyber Security: Potential Threats Impacting Organizations January 10, 2015 Scott Petree Agenda 2 Data Security Trends Root Causes of Cyber Attacks How Can We Fix This? Secure Infrastructure User Awareness

More information

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014 Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security

More information

Privacy Rights Clearing House

Privacy Rights Clearing House 10/13/15 Cybersecurity in Education What you face as educational organizations How to Identify, Monitor and Protect Presented by Jamie Gershon Sr. Vice President Education Practice Group 1 Privacy Rights

More information

Keeping A Lid On Payment Fraud Joni Lovingood, CRM, CFE Corporate Property & Casualty Sales Specialist CUNA Mutual Group

Keeping A Lid On Payment Fraud Joni Lovingood, CRM, CFE Corporate Property & Casualty Sales Specialist CUNA Mutual Group Keeping A Lid On Payment Fraud Joni Lovingood, CRM, CFE Corporate Property & Casualty Sales Specialist CUNA Mutual Group CUNA Mutual Group Proprietary Reproduction, Adaptation or Distribution Prohibited

More information

Data Breach and Senior Living Communities May 29, 2015

Data Breach and Senior Living Communities May 29, 2015 Data Breach and Senior Living Communities May 29, 2015 Todays Objectives: 1. Discuss Current Data Breach Trends & Issues 2. Understanding Why The Senior Living Industry May Be A Target 3. Data Breach Costs

More information

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current

More information

How to Secure Your Environment

How to Secure Your Environment End Point Security How to Secure Your Environment Learning Objectives Define Endpoint Security Describe most common endpoints of data leakage Identify most common security gaps Preview solutions to bridge

More information

Cyber Security, Fraud and Corporate Account Takeovers LBA Bank Counsel Conference December 2014

Cyber Security, Fraud and Corporate Account Takeovers LBA Bank Counsel Conference December 2014 Cyber Security, Fraud and Corporate Account Takeovers LBA Bank Counsel Conference December 2014 Lisa D. Traina, CPA, CITP, CGMA Lisa Traina utilizes her 30+ years of experience as a CPA, CITP and CGMA

More information

Data Security and Healthcare

Data Security and Healthcare Data Security and Healthcare Complex data flows Millions of electronic medical records across many systems New and emerging business relationships Changing and maturing compliance frameworks Diverse population

More information

Kaspersky Security for Mobile

Kaspersky Security for Mobile Kaspersky Security for Mobile See. Control. Protect. MOVING TARGETS Mobile devices play a key role in connectivity and productivity. But they also introduce new risks to the business: in the past 12 months

More information

How to Practice Safely in an era of Cybercrime and Privacy Fears

How to Practice Safely in an era of Cybercrime and Privacy Fears How to Practice Safely in an era of Cybercrime and Privacy Fears Christina Harbridge INFORMATION PROTECTION SPECIALIST Information Security The practice of defending information from unauthorised access,

More information

ITAR Compliance Best Practices Guide

ITAR Compliance Best Practices Guide ITAR Compliance Best Practices Guide 1 Table of Contents Executive Summary & Overview 3 Data Security Best Practices 4 About Aurora 10 2 Executive Summary & Overview: International Traffic in Arms Regulations

More information

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand

More information

CNA NetProtect Essential SM. 1. Do you implement virus controls and filtering on all systems? Background:

CNA NetProtect Essential SM. 1. Do you implement virus controls and filtering on all systems? Background: 1. Do you implement virus controls and filtering on all systems? Anti-Virus anti-virus software packages look for patterns in files or memory that indicate the possible presence of a known virus. Anti-virus

More information

Jort Kollerie SonicWALL

Jort Kollerie SonicWALL Jort Kollerie Cloud 85% of businesses said their organizations will use cloud tools moderately to extensively in the next 3 years. 68% of spend in private cloud solutions. - Bain and Dell 3 Confidential

More information

Advanced Threats: The New World Order

Advanced Threats: The New World Order Advanced Threats: The New World Order Gary Lau Technology Consulting Manager Greater China gary.lau@rsa.com 1 Agenda Change of Threat Landscape and Business Impact Case Sharing Korean Incidents EMC CIRC

More information

Franchise Data Compromise Trends and Cardholder. December, 2010

Franchise Data Compromise Trends and Cardholder. December, 2010 Franchise Data Compromise Trends and Cardholder Security Best Practices December, 2010 Franchise Data Security Agenda Cardholder Data Compromise Overview Breach Commonalities Hacking Techniques Franchisee

More information

Cybersecurity The role of Internal Audit

Cybersecurity The role of Internal Audit Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government

More information

KEY STEPS FOLLOWING A DATA BREACH

KEY STEPS FOLLOWING A DATA BREACH KEY STEPS FOLLOWING A DATA BREACH Introduction This document provides key recommended steps to be taken following the discovery of a data breach. The document does not constitute an exhaustive guideline,

More information

CYBER SECURITY SPECIALREPORT

CYBER SECURITY SPECIALREPORT CYBER SECURITY SPECIALREPORT 32 The RMA Journal February 2015 Copyright 2015 by RMA INSURANCE IS AN IMPORTANT TOOL IN CYBER RISK MITIGATION Shutterstock, Inc. The time to prepare for a potential cyber

More information

Data Access Request Service

Data Access Request Service Data Access Request Service Guidance Notes on Security Version: 4.0 Date: 01/04/2015 1 Copyright 2014, Health and Social Care Information Centre. Introduction This security guidance is for organisations

More information

Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices

Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices Over the course of this one hour presentation, panelists will cover the following subject areas, providing answers

More information

Information Technology Security Review April 16, 2012

Information Technology Security Review April 16, 2012 Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing

More information

Cybersecurity Best Practices in Mortgage Banking. Article by Jim Deitch October 2015

Cybersecurity Best Practices in Mortgage Banking. Article by Jim Deitch October 2015 Cybersecurity Best Practices in Mortgage Banking Article by Jim Deitch Cybersecurity Best Practices in Mortgage Banking BY JIM DEITCH Jim Deitch Recent high-profile cyberattacks have clearly demonstrated

More information

Security and Privacy

Security and Privacy Security and Privacy Matthew McCormack, CISSP, CSSLP CTO, Global Public Sector, RSA The Security Division of EMC 1 BILLIONS OF USERS MILLIONS/BILLIONS OF APPS 2010 Cloud Big Data Social Mobile Devices

More information

Privacy Liability & Data Breach Management Nikos Georgopoulos Cyber Risks Advisor cyrm October 2014

Privacy Liability & Data Breach Management Nikos Georgopoulos Cyber Risks Advisor cyrm October 2014 Privacy Liability & Data Breach Management Nikos Georgopoulos Cyber Risks Advisor cyrm October 2014 Nikos Georgopoulos Privacy Liability & Data Breach Management wwww.privacyrisksadvisors.com October 2014

More information

Security Overview. BlackBerry Corporate Infrastructure

Security Overview. BlackBerry Corporate Infrastructure Security Overview BlackBerry Corporate Infrastructure Published: 2015-04-23 SWD-20150423095908892 Contents Introduction... 5 History... 6 BlackBerry policies...7 Security organizations...8 Corporate Security

More information

Cybersecurity Awareness

Cybersecurity Awareness Awareness Objectives Discuss the Evolution of Data Security Define Review Threat Environment Discuss Information Security Program Enhancements for Cyber Risk Threat Intelligence Third-Party Management

More information

CYBERSECURITY & EXPECTATIONS FOR INDEPENDENT GROCERS

CYBERSECURITY & EXPECTATIONS FOR INDEPENDENT GROCERS October 21, 2015 CYBERSECURITY & EXPECTATIONS FOR INDEPENDENT GROCERS Cerone F. Cy Sturdivant Managing Consultant csturdivant@bkd.com 1 TO RECEIVE CPE CREDIT Participate in entire webinar Answer polls

More information

Secure Your Mobile Workplace

Secure Your Mobile Workplace Secure Your Mobile Workplace Sunny Leung Senior System Engineer Symantec 3th Dec, 2013 1 Agenda 1. The Threats 2. The Protection 3. Q&A 2 The Mobile Workplaces The Threats 4 Targeted Attacks up 42% in

More information

SURVEY RESULTS CYBER-SECURITY PRACTICES OF MINNESOTA REGISTERD INVESTMENT ADVISERS

SURVEY RESULTS CYBER-SECURITY PRACTICES OF MINNESOTA REGISTERD INVESTMENT ADVISERS SURVEY RESULTS CYBER-SECURITY PRACTICES OF MINNESOTA REGISTERD INVESTMENT ADVISERS Minnesota Department of Commerce July 2014 GENERIC FIRM INFORMATION Has your firm been the subject of a cyber-security

More information

IDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience

IDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience IDENTITY & ACCESS Privileged Identity Management controlling access without compromising convenience Introduction According to a recent Ponemon Institute study, mistakes made by people Privilege abuse

More information

DON T BE A VICTIM! IS YOUR INVESTMENT PROGRAM PROTECTED FROM CYBERSECURITY THREATS?

DON T BE A VICTIM! IS YOUR INVESTMENT PROGRAM PROTECTED FROM CYBERSECURITY THREATS? HEALTH WEALTH CAREER DON T BE A VICTIM! IS YOUR INVESTMENT PROGRAM PROTECTED FROM CYBERSECURITY THREATS? Gregg Sommer, CAIA Head of Operational Risk Assessments St. Louis MERCER 2015 0 CYBERSECURITY BREACHES

More information

Cyber Risk in Healthcare AOHC, 3 June 2015

Cyber Risk in Healthcare AOHC, 3 June 2015 Cyber Risk in Healthcare AOHC, 3 June 2015 Kopiha Nathan, Senior Healthcare Risk Management and Data Specialist James Penafiel, Underwriting Supervisor, Insurance Operations CFPC Conflict of Interest -

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

Health & Life sciences breach security program. David Houlding MSc CISSP CIPP Healthcare Privacy & Security Lead Intel Health and Life Sciences

Health & Life sciences breach security program. David Houlding MSc CISSP CIPP Healthcare Privacy & Security Lead Intel Health and Life Sciences Health & Life sciences breach security program David Houlding MSc CISSP CIPP Healthcare Privacy & Security Lead Intel Health and Life Sciences Overview 1. Healthcare Security Research / Directions 2. Healthcare

More information

UF IT Risk Assessment Standard

UF IT Risk Assessment Standard UF IT Risk Assessment Standard Authority This standard was enacted by the UF Senior Vice President for Administration and the UF Interim Chief Information Officer on July 10, 2008 [7]. It was approved

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

FFIEC Cybersecurity Assessment Tool

FFIEC Cybersecurity Assessment Tool 6/9/2016 Tim Segerson, Deputy Director Office of Examination & Insurance FFIEC Cybersecurity Assessment Tool LSCU Cyber Breakout June 17, 2016 Continuing saga of lost sensitive data Every event enhances

More information