Symptoms of a Data Breach in Your Business

Transcription

1 Cyber Security: What you need to know to protect your business February 2014

2 Presented by: Jon Zayicek Vice President Sera-Brynn

3 Topics: The landscape is changing What are the threats? How to protect your data and business

4 Current Environment Government Private Sector

5 Current Environment over 2,500,000 attacks on U.S. businesses every day 42% increase of data loss from last year average cost to remediate: $591,780 96% of victims subject to PCI were not compliant... it s continuing to get a lot worse

6 Current Environment Small and Medium-sized Businesses Cyber Attacks on businesses are increasing significantly They are more attractive as targets than large enterprises Lawsuits are increasing ($2,500 per plaintiff avg. in 2013) Best line of defense: Meet Industry Compliance Requirements Over half of Retail Merchants unaware of PCI requirements Non-compliant businesses suffer majority of data loss

7 Current Environment OLD: There are two types of businesses: those that have been a victim of a data breach, and those that haven t been a victim yet.

8 Current Environment NEW: There are two types of businesses: those that know they have been breached, and those that don t know they ve been breached.

9 Bottom Line: The Internet is compromised. Large businesses know this. Small businesses assume they are not targeted they are wrong.

10 The Four Largest Threats: Presence of Malware Insider Threats Social Engineering Peer-to-Peer File Sharing

11 Malware Any software that is harmful and is used to gain access to sensitive data, disrupt operations, and/or hijack systems for malicious purposes.

12 Malware types Viruses Rootkits Worms Trojans Keyloggers Adware Spyware Ransomware Rogue Security Software

13 Malware How to tell if it is present Unusual pop-ups or other messages Scary warnings from unknown security software Computer mysteriously running slowly Systems tools such as Task Manager unavailable Appearance of Ransomware s from you to people in your contacts that you never sent

14 Malware How to protect against it Anti-Virus System and software patches DO NOT click on links or open attachments that appear suspicious Block peer-to-peer (P2P) sharing Disable AutoRun Be vigilant

15 Insider Threats Rogue employees with malicious intent Oblivious employees / management Vendors and business associates that have access to sensitive information.

16 Social Engineering Psychologically-based approach to gain access to resources (buildings, computers, sensitive data, etc.) Some criminal elements use Social Engineering in conjunction with other attacks.

17 Social Engineering Protection against it Informed and vigilant workforce Gut instinct is typically first indicator that something isn t quite right Develop a policy employees can reference and do not allow it to be distributed outside of company network

18 P2P File Sharing Decentralized network used to share files directly between computers Some P2P software will automatically share everything on your computer Most P2P = illegal distribution of copyrighted material (Pirating)

19 Penalties are increasing Most states have enacted mandatory notification legislation and the federal government is moving in the same direction. If you get breached and it's obvious you didn't take any preventative action prior to the breach, you will be penalized. Yes, Virginia has mandatory notification legislation.

20 How to protect your data and business Step One: Make sure you have an Information Security Policy. It should address the following: Risk Assessments Account sharing policies and procedures Laptop / computer encryption Computer and network security testing

21 How to protect your data and business Step Two: Get Compliant. Immediately. PCI HIPAA Gramm-Leach-Bliley Act (GLBA) SOX NIST CMR 17 NEI 10CFR FISMA etc

22 How to protect your data and business Step Three: Assume you have been breached, and run a full vulnerability assessment. Then take corrective remediation actions. Penetration Tests Scans for Malware etc

23 How to protect your data and business Step Four: Check with your legal team to see if they have a Cyber Response capability. There are advantages to contacting legal counsel immediately following a suspected breach.

24 Questions?