Cyber Attacks and Liabilities Why do so many Organizations keep Getting Hacked, Sued and Fined?

Transcription

1 Cyber Attacks and Liabilities Why do so many Organizations keep Getting Hacked, Sued and Fined? PRESENTED BY RICK SHAW, AWAREITY Webinar Objectives Employees (and third parties) are the weakest links Learn the best ways to ensure awareness of changing threats and responsibilities for protecting personal information Just having the best recipe (policy, procedure, plan, strategy, law, guideline, checklist, etc.) is not enough How you can effectively enable and motivate your employees and customers to identify and report suspicious activities and possible information breaches The 6 Essential Steps to Proactive Prevention Individual Level Awareness, Collecting Data, Assessing Data, Connecting Data, Intervention and Monitoring, and Prevention (Spoiler Alert! Most Organizations Are Only Addressing 2 or 3 Steps!) 1

2 Quick background information on me 30+ years performing assessments of many types (risk, compliance, threat, physical, cyber security, etc.) The cyber security assessments were by far the most interesting The cyber security assessments provided most value Compliance Failures and Liabilities Why do so many organizations keep getting hacked, sued and fined? 2

3 Did you see the headlines for these hacks? Office of Personnel & Management Centura Regional Medical Center in Colorado Anthem Target Office Depot RSA And lots of others? Did you see the FTC can now sue/fine organizations getting hacked? The law has always imposed responsibility on companies for the care of their customers. When you re in the restaurant you have to be protected against slips and falls or food borne illness Data is just something new that companies have to protect if they want to bear the benefits of collecting it. Chris Hoofnagle, Berkeley Law professor This a huge victory for the FTC, but also for American consumers We see services and companies being hacked on an almost daily basis now. Having the FTC out there, bringing actions against companies that fail to protect consumers data is a critical tool. Alan Butler, Electronic Privacy Information Center attorney Read the full article at says ftccan slap companies getting hacked/ 3

4 Would you rather prevent hacking or react to hacking? Would you rather prevent headlines, lawsuits, fines or react to them? The first step to PREVENTING Do you know how these organizations got hacked? Headlines and articles would have you think the hacks are the result of sophisticated new hacking techniques but are they really? Not exactly employees and third parties were PHISHED and/or SPEAR PHISHED 4

5 Employees and Third Parties Are Your Weakest Link Old Days: Some bad guys knew to target Employees and Third Parties (Service providers, contractors, etc.), so they social engineered (phone, , etc.) your people into giving out sensitive information. Today: Professional hacking groups (criminal groups and groups funded by a country) are taking advantage of the same weakest link (employees) with Phishing and Spear Phishing attacks. Employees and Third Parties Are Your Weakest Link A recent information security report from FireEye revealed cyber attackers have free rein in a victim s systems for a median of 205 days before being detected. How can this be? Firewalls and security devices are very reactive and very predictable and they do not stop Phishing and Spear Phishing attacks! 5

6 How do hackers get passed Firewalls and security devices? What is Phishing? Cyber criminals use e mails as "bait" to fish (phish) for information login IDs, passwords, financial data, credit card numbers, social security numbers, etc. What is Spear Phishing? Phishing attack targeting a specific employee or group of employees within an organization or a group of individuals with common interests. Most attacks arrive as a customized e mail that appears to be from a trusted person (senior official or executive) within your organization. Do your employees know your organization will never ask them for sensitive or confidential information via e mail? How do hackers get passed Firewalls and security devices? And the attacks continue evolve with technology: Vishing: request individuals to place a phone call to verify account information, only the phone number doesn't go to the real organization. Instead the victim is calling a VoIP (voice over IP) phone that can recognize and capture telephone keystrokes and voice messages to steal an individual's personal information as they provide it via phone. Smishing: SMS or text messages attempting to trick customers into divulging their personal account information when they respond to a text or click on a link that takes them to a fraudulent web site that can place malware on their mobile device. 6

7 Myth of it will not happen here? How many of you are thinking, This will never happen to my organization.? How many of you are thinking, We have annual information training, so we are covered.? How many of you are thinking, We have a policy on usage, so we are covered.? How many of you are thinking, Oh my we have lots of employees that would click on a link or open an attachment?? How do you ensure awareness of changing threats and responsibilities for protecting personal information? 7

8 Once a year information security awareness training is not enough Why? Policies (recipes) are not enough Why? 8

9 New Carbanak Gang Threat Operating from Russia, Ukraine and China Between , stole around $1B from 100 banks in 30 countries Temporarily hindered but now changing their tactics, upgrading malware "From our analysis, it becomes clear that Carbanak has returned and has been confirmed [to be] targeting large corporations in Europe and in the USA. Attack methods are spear phishing... Peter Kruse, electronic crime specialist at CSIS Read the full article at banking malware returns upgrades a 8523 Einstein s Definition of Insanity Doing the same things over and over and expecting different results. Bottom line: Organizations wanting different results need different solutions for Employees and Third Parties 9

10 Six Essential Steps to Proactive Prevention Step 1: Individual Level Awareness Organizations must ensure situational and ongoing awareness at the individual level Annual or ongoing training as needed (Safety, Health, etc.) for all employees, based on location, job title, security level, etc., including tests for comprehension Distribution of updated situational information across departments Acknowledging ongoing updates shared across locations, depts. (e.g. restricted visitors, restricted sites, new threats, etc.) 10

11 Step 1: Individual Level Awareness Organizations must ensure situational and ongoing awareness at the individual level Tracked acknowledgment and understanding of: Policies, work practices and administrative procedures Legal regulations and mandates Assigned tasks, responsibilities and obligations What needs to be reported When, where and how to submit a report Pre incident indicators, suspicious activities and concerning behaviors Incidents considered near misses Updates on new and viral risks Emergency and crisis response plans Contingency plans Prevention strategy On going updates Step 2: Collecting Data Organizations must empower and equip all appropriate individuals to recognize and report (i.e. See Something, Say Something ): Empower all individuals with up to date awareness and training on prevention strategies, policies, what pre incident indicators and concerning behaviors look like Organizations must provide tools to empower and equip all appropriate individuals to anonymously and/or confidentially: Submit observations, concerns and reports Upload/share evidence (e.g., documents, pictures, videos, social media screen shots, phishing s, etc.) 11

12 Step 2: Collecting Data Organizations must collect information into a central secure records management platform: Not Silo systems or Employee Records System (ANSI WVPI) Restricted access to privileged information Feeds information into system from all origins (Paper Forms/Reporting Box, E mail/online Forms, Phone Line/Hotline, Verbal reports, Texts/Apps, etc.) Provides tools to ensure right information gets to the right people in time to take right actions Step 2: Collecting Data Organizations must collect ALL relevant information in their central records management platform: Tracked employee, customer and vendor accountability and compliance with awareness topics Records of all training programs, attendees, and qualifications of trainers. Information from Interviews, Investigations, Interventions, Follow ups, etc. Surveys from employees, customers and vendors and feedback from reviews and new changes Reports of cyber security concerns (new icons, locked accounts, unauthorized site changes, data changes, timestamps, etc.) 12

13 Step 2: Collecting Data Organizations must collect ALL relevant information in their central records management platform: Reports of physical security concerns/facilities management (broken glass, faulty camera, unlocked door, burned out bulbs, etc.) Shift reports and incident/near miss logs for all departments/units, work areas, job titles, locations etc. Documentation of minutes of security meetings, records of security assessments and corrective actions recommended and taken. Records of injuries, illnesses, incidents, hazards, corrective actions, employment histories Step 3: Assessing Data Organizations must be equipped with the right tools to evaluate, investigate, collaborate and intervene on threatening situations: Assess the situation to determine if an immediate or urgent threat exists Conduct initial investigation, interviews and gathering of information from resources (activity logs, personnel files, etc.) Conduct a preliminary risk screening of threat, escalation potential, etc. Develop early intervention and prevention actions Monitor intervention and prevention efforts 13

14 Step 3: Assessing Data Organizations must be equipped with the right tools to evaluate, investigate, collaborate and intervene on threatening situations: If concern increases and/or additional incident reports develop, conduct a formal risk assessment to determine if situation is escalating Develop additional intervention and prevention responses, involve external threat assessment professional(s), p.r.n. Continue to monitor behaviors and intervention and prevention efforts Assess current procedures and protocols for efficiency, effectiveness, compliance to legal standards, etc. Assess how are issues being or will be addressed Step 4: Connecting Data Organizations must be equipped with the right tools to securely connect with internal and external resources for further prevention efforts: Review all related incident reports for previous actions taken Review the outcomes of actions taken to determine if an updated plan of action for intervention, prevention and monitoring is needed Re assess any new information, update plan of action for intervention, prevention and monitoring accordingly Gather and utilize lessons learned from similar incidents, lawsuits or tragedies to ensure appropriate intervention and prevention actions are being taken 14

15 Step 4: Connecting Data Organizations must be equipped with the right tools to securely connect with internal and external resources for further prevention efforts: Develop additional intervention and prevention responses involving external threat assessment professional(s) as needed If certain criteria is met, organization should be equipped to securely connect with law enforcement, legal, homeland security, compliance and other appropriate resources Involve crisis management to ensure crisis containment efforts have been updated, communicated and implemented Step 5: Intervention and Monitoring Organizations must be equipped with the right tools to efficiently track and monitor intervention efforts and outcomes, ongoing: Review how intervention efforts are working with all individuals, across departments, locations, etc. Review outcomes of intervention strategy and alternative options: Interviews Surveys Personnel actions Legal considerations 15

16 Step 5: Intervention and Monitoring Organizations must be equipped with the right tools to efficiently track and monitor intervention efforts and outcomes, ongoing: Review individual specific control strategies Monitoring warning signs, triggers, etc. Supervision, surveillance and activity/access restrictions Security planning and other risk mitigation options Analyzing trends and rates relative to initial or baseline rates; Identify patterns of incidents to develop preventative controls Measure improvement in incident rates based on lowered the frequency and severity Step 6: Prevention Organizations must be equipped with the right tools to proactively manage prevention efforts: Review how prevention efforts are working across departments, locations, settings, etc. Keep up to date records of policy and procedural changes put in place to prevent risks and continuously evaluate how well they are working Keep track of new strategies available to prevent and respond to general and field specific risks as they develop Review protocols for cyber security, physical security, asset preservation, etc. 16

17 Step 6: Prevention Organizations must be equipped with the right tools to proactively manage prevention efforts: Prepare post incident efforts for restoration and recovery of business operations, should incident occur Prevent future timely and costly tasks and eliminate mounting liabilities: Record all actions and reasoning so sound decisions are understood and upheld as warranted Transmit essential information to decision makers and reviewers immediately Update records immediately so current circumstances are considered in evaluation process and action plans Questions? Rick Shaw CEO/Founder, Awareity