
Cybersecurity and Privacy Law

The Importance of Employee Training

Gerald Ferguson, Partner, BakerHostetler

Paul Horn, Chief Information Security Officer, HD Vest Financial Services

Where are the threats?

External Threats

• Hackers
– Malware
– Ransomware
– Phishing / Spear Phishing
• Social Engineering
• Corporate Espionage
• Vendors
• Political “Hacktivists”

Where are the threats?

Internal Threats

• Employee Negligence
– Security failures
– Lost mobile devices
• Employee Ignorance
– Improper disposal of personal information (dumpsters)
– Lack of education and awareness
• Malicious Employees

Causes of Data Security Incidents Across All Industries

BakerHostetler Data Security Incident Response Report 2016

Detection, Containment, Notification

BakerHostetler Data Security Incident Response Report 2016

Year of the Phish?


Source: http://phishme.com/phishing-social-media-infographic

Social Engineering Trends

Source: Proofpoint, The Human Factor 2016, A Proofpoint Research Project (2016), www.proofpoint.com/threat-insight

Phishing Emails

What Messages Are Users Clicking?

Source: Proofpoint, The Human Factor 2015, A Proofpoint Research Project (2015), www.proofpoint.com/threat-insight

W-2 & wire transfer incidents

• Scammers use emails from a target organization’s CEO, asking human resources and accounting departments for employee W-2 information.
• Scammers last year also massively phished online payroll management account credentials used by corporate HR professionals.

Become “compromise–ready”

• Deploy prevention and detection tools;
• Use threat intelligence services;
• Train managers and employees;
• Conduct risk assessments focused on identifying and protecting sensitive data;

Become “compromise–ready” (cont’d)

• Manage the security of vendors;
• Understand regulators’ “hot buttons”;
• Develop, update, and practice incident response plans; and
• Evaluate your cyber liability insurance.

What are the Costs?

• Disruption of business operations
• Loss of confidential information
• Forensic Investigations
• Notification Costs
• Regulatory Investigations
• Class Actions
• Harm to Commercial Relationships

What is the Legal Obligation?

• Massachusetts Security Standards
• FDIC Regulations and Guidance
• HIPAA
• Banking Regulations
• FINRA Guidance
• NAIC Guidance

Train managers and employees

• Recognize threats to different services and technologies, e.g., ACH transfers and mobile devices;

• Regularly discuss cybersecurity at Board and senior management meetings; and

• Regularly provide employee cybersecurity awareness and training.


Train managers and employees

• Train (or hire) staff to provide continuous network security monitoring
– to respond to alerts from IDS/IPS, analytics, and endpoint protection tools; and
– to prevent exfiltration of data at one of the points on the “kill chain” when malware is found on the network.

Train managers and employees

• Initial Training at Time of Hiring
– Spotting security problems
– Avoiding inadvertent disclosures through mistaken emails, faxes, and paper records mishandling
– Reporting procedures
– Supervisors trained to handle reports
• Regular and Continued Training
– Formal online training vs. in person
– Staff meetings
– Newsletters
– PhishMe or other anti-phishing training

Train managers and employees

Sample phishing email:

Hi, Sir/Madam,

For the company's network security, we have upgraded the Citrix Virtual Workplace System. Please login to the Citrix Virtual Workplace System to activate your Account. You should install the Citrix Secure Input IE ActiveX Control before you type in your password.

Citrix Login: https://poccitrix.[companyname].com/vpn/index.html

For more information, please contact me.

Best regards,

[Actual name]
[Correct title], Systems Administration
Phone: [correct phone number]
Email: [correct email address]
Local Address: [correct address]
[Company name]
[Company address]

Train managers and employees


Proofpoint, The Human Factor 2015, 10

Train managers and employees


(Advanced Persistent Threats, i.e., sophisticated network attacks)

Source: Dept. of Homeland Security

Creating an Incident Response Plan

• Flexible, succinct, living plan
• Defines the IR team and roles
• Defines methodology of IR
– Prepare, Detect, Contain, Assess, Communicate, Remediate, Improve
• May contain protocols for types of incidents
• Resources (e.g., contacts, templates)
• Consider how it works with business continuity plan

Practice incident response plans

Response Program Supervisory Guidance

• An incident response program should provide that the entity will:
– Assess the nature and scope of the incident and what member information is involved;
– Notify applicable supervisory authority as soon as possible after discovery of unauthorized access to or use of sensitive member information;
– Notify law enforcement and file a SAR if warranted;
– Contain the incident; and
– Notify affected individuals when warranted.

Practice incident response plans

Review your incident response plan and conduct tabletop exercises with the team that will respond to an incident, including your
– Forensic investigator;
– Counsel; and
– Crisis management firm.

Director and Officer Training

• Duties owed by Directors and Officers
– Duty of oversight
– Duty to protect organizational assets, extended to “digital assets”
• Known consequences
– Easy to calculate?
– Impact on stock price?
– Direct costs: notification, litigation, regulatory actions, remediation
– Indirect costs: reputational harm, diminished sales

Atlanta | Chicago | Cincinnati | Cleveland | Columbus | Costa Mesa | Denver | Houston | Los Angeles | New York | Orlando | Philadelphia | Seattle | Washington, DC

www.bakerlaw.com

These materials have been prepared by Baker & Hostetler LLP for informational purposes only and are not legal advice. The information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional counsel. You should consult a lawyer for individual advice regarding your own situation.
