Data-Driven Marketing Mayhem: How to Avoid Unexpected Cyber Crimes that Compromise Your Brand
Roger Lewis, CEO, CMIT Solutions
Cyber Attacks make headlines
History
• Data breaches have existed for as long as individuals and companies have maintained records and stored private information
• Data breaches began to increase in the 1980s.
– 1984: TRW (now called Experian) was hacked and 90 million records were stolen
History…
• 1990s and early 2000s: Public awareness of data breaches increased
– News media covered more “cyberthefts”
• Lawmakers began to pay attention
• July 2003: California enacted Senate Bill 1386
– First U.S. law protecting the privacy of an individual’s personal information—especially if it is stolen from a vendor’s database
Types of Attacks
• Malware
• Ransomware
• Phishing
Timeline of Attacks: 2005 (Big Boom Age)
• Privacy Rights Clearinghouse begins its chronology of data breaches
• The first data breach to compromise more than 1 million records (DSW Shoe Warehouse; March 2005; 1.4 million credit card numbers and names on those accounts)
• June 2005: Hackers exposed some 40 million credit card accounts from payment card processor CardSystems Solutions
• DSW Shoe Warehouse – Exposure: 1.4 million customers
Timeline of Attacks: 2013–2017
• Yahoo – Exposure: 3 billion user accounts
• JP Morgan Chase – Exposure: 76 million households; 7 million small businesses
• Target Stores – Exposure: 110 million people’s payment card info and/or contact info
• Anthem – Exposure: 78.8 million customers
• Equifax – Exposure: 145.5 million accounts
• MySpace – Exposure: 360 million users
The Impact of Cyber Attacks on Your Business
• Revenue Loss: Studies show that 29% of businesses that face a data breach end up losing revenue; 38% experienced a loss of 20% or more
• Damage to Brand Reputation: A security breach can impact much more than just your short-term revenue. The long-term reputation of your brand is at stake.
• Loss of Intellectual Property: Loss of revenue and damaged reputation can be catastrophic; 60% of hacks target small businesses
• Hidden Costs: Legal fees, regulatory fines, PR and investigations, insurance premium hikes
Why are franchise brands and their data attractive to cyber criminals?
Why Are Franchise Brands and Their Data Attractive to Cyber Criminals?
• A study of companies across 79 countries, which surveyed 726 organizations in sectors including financial, insurance and retail, revealed that the number one issue for executives is the threat from hackers, with 88% of companies included in the survey saying they are “extremely concerned” or “concerned” about the risk
• Franchises are a large and lucrative target for hackers
Why Are Franchise Brands and Their Data Attractive to Cyber Criminals?
• Dairy Queen, Marriott, UPS, Goodwill, Wendy’s and Supervalu
– Hackers infiltrated the point of sale (POS) system
– Customer information stolen
– Millions of dollars were lost
– Reputation was damaged
• 2016 Noodles & Company breach resulted in $11 million in costs
Uniqueness of Franchising
• Whether a franchise has all of its locations on the same network, or each store runs its own private network, a breach is a breach in the eyes of a consumer
– Try explaining to a customer of a breached franchise that their card data is safe at certain locations, while at others it is not
• The company is now questionable in the minds of consumers
Why Franchises?
• Multiple locations with large numbers of customers racking up multiple transactions and personal history records
• Massive amounts of customer information stored within the network, creating an attractive target for data thieves
• Discoveries are not made quickly enough – months after breaches actually occur, giving hackers more time to steal cardholder data while organizations stumble to clean up the mess
Wendy’s Breach – May 2016
• After a forensic investigation, Wendy’s reported that 300 of its 5,800 locations were affected by the breach
• By July 2016, the number of impacted stores reached 1,025
• Wendy’s placed the blame for the breach on an unnamed third-party “service provider” that had remote access to the POS
• Remote administration tools are used to access and manage the systems over the Internet
• The damages of the Wendy’s breach reportedly surpassed the Home Depot and Target breaches, which were $263 million and $291 million respectively
Where have you left your brand open?
Vulnerabilities
• All franchise companies, regardless of their size, are at risk
• Older security solutions are based on technologies that rely on knowing something about the attack, such as the vulnerability targeted, the malware used, or the reputation of the email sender
• These tools are incapable of identifying today's dynamic, multi-vector, multi-stage attacks
Password Management
• 76 percent of breaches on corporate networks are due to a weak employee password
• Because most people reuse passwords, cyber criminals can gain entrance to email, websites, bank accounts, and other sources of PII or financial information
Zero-Knowledge Architecture
• The private encryption key resides with the user and encryption occurs at the device level (your phone, tablet, computer, etc.)
– Only the user is able to decrypt and access their data
• Traditional cloud storage technologies do not practice zero-knowledge security
• The provider can often access the user's encryption key and, theoretically, decrypt and view information being stored in the cloud
Two-Factor Authentication
• Two-factor authentication, in addition to the use of strong passwords, is an important preventive step
• Implementing 2FA ensures that a user can confirm access through two methods, typically something the user knows (e.g. a password) and something in their possession (a smartphone)
Anti-Fraud Services
• Monitor a variety of intelligence sources to detect and prevent fraud (such as spam lists, password lists, attack signatures, malware/anti-virus intelligence feeds, ISP reports)
• A good anti-fraud service should be both preventative and reactive
• Costs can start at less than a few hundred dollars per month and range into thousands of dollars per month
How to protect your customer data and what to do when it is attacked:
Data Protection Strategy
• All sensitive data is encrypted
• Proper controls are in place to permit access to that data
• Policy is consistently tested and audited
– Review of adherence to set access controls, encryption and password protocols, software updates, employee training, and the documentation of any security anomalies or incidents
– Noncompliance (or the failure to cure any defects within a reasonable time) should prompt severe sanctions, including possible franchise agreement termination
Data Protection Strategy
• Franchise organizational centralization and standardization through each franchisee’s practices and POS systems
– Ensures they’re operating securely
– Enforcing the Payment Card Industry Data Security Standard (PCI DSS)
– Use secure payment applications, like encryption, that devalue the card data
THANK YOU!
Roger Lewis, CEO, CMIT Solutions
/roglewis
@cmitsolutions
/cmitsolutions
/cmit-solutions-inc