
Page 1: Cybersecurity Dental Convention, Sept 6 2018, AMW (003)

12/19/2018

DEMYSTIFYING CYBERSECURITY

How to Prepare and Respond

Presentation by:

Amy M. Williams
Business Consultant
Warren Averett Technology Group

Today’s Main Goal: Help you to understand why Cybersecurity is a Concern in Today’s Society… and more importantly, what to do about it!


FACT: Businesses will lose $3 Trillion to Cybercrime by 2020. Will yours be one of them?

Why is Technology a Risk?

Is the Wifi on your Smartphone Turned on?

Compiling Results…


Why is Technology a Risk?

If the Wifi on your Smartphone was turned on… software shows, in the last 24 hours:

• 5 people searched the Weather through an app

• 4 people have checked your team in fantasy football

• 2 people made dinner reservations

• 3 people logged into a financial institution app

• 1 person searched and downloaded The Notebook

DO I HAVE YOUR ATTENTION???

Cyber attacks evolve every day as attackers become more inventive. It’s critical to properly define cybersecurity and take steps to protect your business.


Agenda:

Today we will discuss 4 main topics:

1. Why you must be concerned about cybersecurity

2. The current threats to you and your business

3. Why you MUST be proactive, not reactive

4. How to mitigate your risk and protect your information


Why you must be concerned about cybersecurity

Why is Technology a Risk?

Carl Sagan, a well known scientist and astronomer, may have said it best…

“We live in a society exquisitely dependent on science and technology, in which hardly anyone knows anything about science and technology.”

I happen to prefer this statement by Albert Einstein…

“Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.”


Tell me something:

Do you wait for the heart attack before you exercise? No.

Do you crash the car before you buckle up the kids? Of course not.

So why would you wait to protect the data that defines who you are? Until AFTER the damage is done???

– John Sileo, Cyber Security expert and award-winning author

Top Risks for the United States (per the U.S. Department of Defense)

1. Cyber Threats

2. Other Threats (ex: China uses Cyber to enable espionage and attack capabilities to support its national security and economic priorities)

3. Terrorism

http://www.defense.gov/News/Special-Reports/0415_Cyber-Strategy


The Struggle is Real

Real life Cyber Security Attack Map, Date: April 3, 2018

Source: map.norsecorp.com

Motivations and Incentives



Where Attacks Can Come From


How does Cyber Security Really Affect My Practice?


In a digital economy, like we live in now… the person who controls your data controls your destiny.

Source: John Sileo, Cyber Security Expert

Know where your risk comes from: CAUSES OF DATA LOSS

• Lost laptops

• Improper disposal of backup tapes

• Accidental release

• Broken business practices

• Un-shredded documents

• Hacking

• Virus / Malware

• Phishing

• Spear phishing

• Network intrusion

Negligent release

64% of breaches are accidental


Top 5 Impacts of a Cyber Security Breach

• Reputational damage

• Theft - While a cyber-raid on a big-name bank may net the attacker a sizeable haul, smaller businesses' defenses are typically less sophisticated and easier to penetrate, making them a softer target.

• Financial losses

• Fines

• Below-the-surface (intangible) costs

Source: Sungard

What are the current threats?


(Lack of) Business Continuity:

There is a difference between having “backups” and having a true disaster recovery plan. A few things to keep in mind:

- Recovery procedure development and documentation is key. If it’s not in writing… IT DOESN’T COUNT.

- Has your recovery procedure been tested?

  • Recovery time during the disaster

  • Post-testing reporting and review

  • Regular status reporting

- Have your Applications & Data been ranked according to business criticality?

- Do you know what your contractually-guaranteed recovery time and recovery point objectives are?

The Human Factor


Phishing attempts

Let’s look a little closer…

Email, IM, Comment, or Text Message that appears to come from a legitimate, popular company, bank, school, or institution – “spoofed”

Bottom line: They are designed to fool (or scare) you into giving valuable information.

Email Methods:

• Deceptive Subject Line

• Forged Sender’s Address

• Genuine Looking Content

• Disguised Hyperlinks

Website Methods:

• Genuine Looking Content

• Form – Collection of Information

• Incorrect URL, not disguised


Keep on Phishing

And why exactly would a trucking company be delivering my wireless bill???

Example #1

Example #2

Example #3

If you don’t know me…

…I don’t know you.

Passwords

• Do not physically store them in obvious places. Preferably, do not write them down at all.

• Create strong passwords:

  • Make them long

  • Include a special mix of characters, numbers, upper and lowercase letters.

  • Make your password reminders something only you know

• Change your passwords regularly. This should be done as a first step if you believe your information has been stolen or compromised.

• Do not reuse old passwords or phrases. This makes it easy for a hacker to guess based on your password history.

In 2017, Yahoo revealed that all of its approximately 3 billion user accounts were affected by a previously disclosed data breach that took place in 2013. The data that was compromised may have included phone numbers, email addresses, passwords, and birthdates.


Passwords

• Use a password manager

• Set up two‐factor authentication.

Taking the steps described above may not completely prevent someone with malicious intent from gaining access to your information, but it can help to mitigate the potential damage.  

Viruses / Keylogging

Computer viruses are small programs or scripts that can negatively affect the health of your computer.

Keylogging is the practice of using a software program or hardware device to record all keystrokes on a computer keyboard.

Example: Insurance Company


Ransomware

What to know:

• Often begins with a phishing email

• Triggered by clicking a link or opening an attachment

• Encrypts all files

• Attackers usually want payment in cryptocurrency

What to understand:

• It can cripple your business until / while remediation occurs

• It can cause MAJOR problems even after resolution

Things to think about:

• How much does prevention save you? (Play it into the future)

Excuses, Excuses…

“We have cyber already covered by our IT department. They say we are fine.”

“We do an annual penetration test. We’re covered.”

“We don’t have a budget for this.”

“We have a robust intrusion detection and effective cyber program we put in place years ago.”

“We don’t have sensitive data so we don’t need a cyber risk management program.”

“Our management and board don’t fully understand or support a cybersecurity program.”


Why you MUST be proactive… NOT reactive!

Information at Risk:

PII (Personal Identifiable Information) and PHI (Protected Health Information)

Personal Identifiable Information of Clients/Donors/Supporters/Consumers

– Credit cards, debit cards, payment info

– Social Security #s, ITINs (Individual Tax Identification Numbers), taxpayer records

– Bank and investment account information

– Protected Healthcare Information (PHI), e.g. medical records, test results

– Drivers License / passport details

– Non-PII, like email addresses, phone lists, addresses

Employee Information

– Employers have at least some of the above information on all of their employees

Corporate Confidential Information

– Sub-contractors and Independent Contractors

– Information received from commercial clients as a part of commercial transactions or services

– B2B exposures like projections, forecasts, M&A activity, trade secrets, financial statements

Many people think that without credit cards or PHI, they don’t have a data breach risk. However…

Can you think of any business without any of the above kinds of information?


AICPA SOC for Cybersecurity

Fundamental Tenets of Cybersecurity:

Fact #1: An entity that operates in cyberspace is likely to experience one or more security events or breaches at some point in time, regardless of the effectiveness of the entity's cybersecurity controls.

Point: Understanding this tenet is essential to dispelling user misconceptions that an effective cybersecurity risk management program will prevent all security events from occurring.

In other words… It’s not IF. It’s WHEN and HOW BAD?!

Fact #2: There ARE inherent limitations in a cybersecurity risk management program. An entity may achieve reasonable, but not absolute, assurance that security events are prevented. For those not prevented, it helps to proactively make sure events are detected, responded to, mitigated against, and recovered from on a timely basis.

Point: An effective cybersecurity risk management program is one that:

1. enables the entity to detect security events on a timely basis and

2. allows the organization to respond to and recover from such events with minimal disruption to the entity's operations.


How to mitigate your risk and protect your information.

Top 10 IT Security Item “TO DO” List

1. Don’t be tricked into giving away confidential information

a) Don’t respond to emails or phone calls requesting confidential company information.

b) Always keep in mind that bad guys are successful because they are convincing.

c) Recent news stories out of Canada reported scammers were tricking people into giving away information with fake tech support calls claiming to help.

d) Keep on guard and report any suspicious activity to IT.


2. Don’t use an unprotected computer

a) When you access sensitive information – especially from a non-secure computer – you put the information you’re viewing at risk.

b) Malicious software exists that allows people to easily snoop on what you are doing online when accessing unprotected sites.

c) If you’re unsure if the computer you are using is safe, don’t use it to access corporate or sensitive data.

3. Don’t leave sensitive information lying around the office

a) Don’t leave printouts containing private information on your desk or in an unsecured area. It’s easy for a visitor to glance at your desk and see sensitive documents. (example: mortgage company)

b) Keep your desk tidy and documents locked away. Shred them when no longer needed.

c) Do not write out your passwords and “hide” them under your keyboard or put them on a sticky note stuck to your monitor.


4. Lock your computer and mobile when not in use.

a) Always lock your computer (Windows key + L) when you step away and / or make sure your company has auto-lockouts for user devices.

b) Always lock your mobile phone when you’re not using it.

c) Don’t leave either type of device sitting anywhere they could get taken.

Best practice recommendation: put Endpoint Device Management (EDM) and Mobile Device Management (MDM) on any devices that have company information.

5. Stay alert and report suspicious activity

a) Keep in mind, suspicious activity isn’t always obviously suspicious. (Example: Vendor onsite to “fix” something. Check credentials.)

b) Train your employees on what to look for and create a culture where they can feel free to voice concerns.

c) A recent news story reported that a supermarket manager, who was randomly befriended by a mysterious woman on Facebook, ended up on a “date” with two men who overpowered him and robbed his store.

d) Always report any suspicious activity to IT. If something goes wrong, the faster it is addressed, the more quickly it can be resolved.


6. Password-protect and “Provision” sensitive files & devices.

a) Always password-protect sensitive files on your computer, USB, flash drive, smartphone, laptop, etc.

b) Use encryption for email, devices, and phones. Have remote wipe capabilities in place.

c) Grant access to sensitive files and information only to needed parties.

7. Always have stringent password requirements.

a) Many people use obvious passwords like “password” or their pet names or obvious character sequences on the qwerty keyboard like “asdfg”.

b) Implement complex user-password requirements that make it difficult for someone to break in and steal data. Create complexity by including different letter cases, numbers and even punctuation.

c) Try to use different passwords for different websites and computers. That way if one gets hacked, your other accounts aren’t compromised.

d) Have password expiration dates and limit the ability to recycle passwords.


7.1 Password Suggestions (continued)

1. Make it something you can visualize: MyF@v0r!T350nG (myfavoritesong)

2. DO NOT share it with coworkers

3. DO NOT store it locally or on the internet

4. Change it often (according to written company policy)

5. Do not have shared or “admin” accounts with shared password credentials

8. Be cautious of suspicious emails and links.

a) Company emails are valuable to attackers. They allow them to fake emails from “real” people. Do not publish email addresses on your website or make them readily available.

b) Always delete suspicious emails and be wary of emails from people you don’t know. Never click the links before verifying the sender.

c) Opening these emails or clicking on links in them can compromise your computer without you even knowing. Hackers can “sit” in your system for YEARS prior to ever instigating an event.

d) Always hover over the sender’s name to verify the address looks correct prior to opening and / or responding.
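The “Disguised Hyperlinks” and “Forged Sender’s Address” tells from the phishing slide, and the “hover over the sender’s name” advice in item 8, can be checked mechanically. The Python below is an added example, not material from the presentation; the message, names and domains in it are constructed, and `claimed_domain` is the brand domain the caller believes the display name refers to.

```python
# Added example, not from the presentation: check two phishing tells named on
# the slides, a disguised hyperlink and a forged sender address. The sample
# message below is constructed; every name and domain in it is hypothetical.
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_FROM = "Example Bank Security <alerts@examp1e-bank-login.test>"
SAMPLE_HTML = """<html><body><p>Your account is locked. Visit
<a href="http://secure.examp1e-bank-login.test/verify">https://www.example-bank.test/verify</a>
to restore access, or read our <a href="https://www.example-bank.test/help">help page</a>.
</p></body></html>"""


def registrable_domain(host: str) -> str:
    # Last two DNS labels; a simplification that ignores suffixes such as co.uk.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def disguised_links(html: str) -> list:
    """Return hrefs whose visible text is a URL on a different domain: the
    'hover over the link before clicking' check done mechanically."""
    parser = _AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = urlparse(text).hostname if "://" in text else None
        if shown is None:
            continue  # plain words such as "help page" carry no domain to compare
        if registrable_domain(shown) != registrable_domain(urlparse(href).hostname or ""):
            flagged.append(href)
    return flagged


def forged_sender(from_header: str, claimed_domain: str) -> bool:
    """True when the From address is not on the domain the display name claims
    to represent (claimed_domain is the brand's real domain, supplied by the caller)."""
    _name, addr = parseaddr(from_header)
    return registrable_domain(addr.rsplit("@", 1)[-1]) != claimed_domain.lower()
```

Running `disguised_links(SAMPLE_HTML)` flags only the first link, whose visible text names the bank while the href points elsewhere; `forged_sender(SAMPLE_FROM, "example-bank.test")` flags the display name that is not backed by the bank's domain.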


9. Don’t plug in personal devices without the ok from IT.

a) Don’t plug in personal devices such as USBs and smartphones without permission from IT. Even a brand new device can be infected with a nasty virus.

b) Devices can be compromised with code waiting to launch as soon as you plug them into a computer.

c) Talk to your IT resource about your devices and let them make the call.

10. Don’t install unauthorized programs on your work computer.

a) Malicious applications often pose as legitimate programs, tools, or even antivirus software.

b) They aim to fool you into infecting your computer or network.

c) If you like an application or think it will aid your productivity, have IT look into it for you first.


Assessment of Risk

Risk Management is a process, not a destination!

- A process, ongoing and flowing through an entity

- Affected by people at every level of an organization

- Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk

- Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite

- Able to provide reasonable assurance to an entity’s management and board of directors

QUESTIONS?

Amy M. Williams

[email protected]

205-460-3983

Demystifying Cybersecurity