Management Insights offers a complete ID Theft/Data Breach solution designed to meet the needs of your business:
1. We ensure greater business security with our comprehensive approach: systems, procedures, people and physical plant
2. We create a response plan, train the people and document the whole project
3. We build in a relationship with a best of breed ID theft remediation service
4. We become an ongoing resource
Protecting Your Business Against ID Fraud
PRESENTED BY JAMES HISEY II
PRESIDENT
MANAGEMENT INSIGHTS
A SCORE WORKSHOP
• Respond when theft happens
• Prepare the business
• Protect the business
• Understand why ID Fraud is such a big deal
Goals for our time together
• Help prepare you and your business to defend against ID theft.
• Give you some useful resources you can use to guard against ID fraud and to use when the business is attacked.
Many industry experts tell us it is not if but when your small business will be targeted by a cybercriminal
HAVING A PROCESS IN PLACE TO AVOID AND/OR MITIGATE CYBER CRIMES IS PARAMOUNT
Crooks love small businesses
• Small businesses don’t believe they are at risk – this makes them an easy target
• They don’t have staff dedicated to keeping the company safe
• They often don’t have policies, processes and procedures to safeguard the business
• They often don’t have a culture that creates an awareness of the danger
• They don’t know what to do if a data breach or ID theft happens
Are you a target?
"Small businesses feel like they're immune from cybercrime, and they're wrong. They are absolutely on the list of potential targets of cybercriminals," said Larry Ponemon, chairman of the Ponemon Institute.
A recent survey of executives at 500 U.S. companies of varying sizes found that 76% had had a cyber security incident within the past 12 months resulting in the loss of money, data, intellectual property or the ability to conduct day-to-day business, according to the Computing Technology Industry Association. About half of those cases were described by the businesses as "serious."
You are at risk
You have a responsibility
Most companies experience opportunity costs associated with a breach incident, which results from diminished trust or confidence by present and future customers. … the negative publicity associated with a data breach incident can often damage companies’ reputations… and [slow] new customer acquisitions. (Ponemon Institute Study, 2010)
The estimated cost of a data breach is $214 per record. It could cost an organization with 1,000 customers $214,000 and months to recover. This can strain the resources of even large organizations. For a small company the result could be devastating.
An Identity Theft happens when a crook steals YOUR information
A Data Breach happens when a crook steals your CUSTOMERS’ information
Identity theft and data breaches are types of ID Fraud
Both can happen for many reasons
• Accidents
  • Losing equipment
  • Hitting the send all button on an email with sensitive information
• Malicious attack
  • Hackers or thieves
  • Viruses
• System failures
  • Actual computer failures that lead to loss of data
• Poor policy and lack of preparedness by the organization
An ID thief can be anybody from your trash collector to an employee to a cyber criminal
• Drivers licenses
• Credit cards
• Social Security numbers
• Passport
• Medical records
• Customer records
• Utility bills
• Intellectual property
Your car
Your office
Your trash
Your mailbox
Your phone
Your computers
Your network
Your people
Data Breaches
• Banking/Financial
• Business/Corporate
• Educational
• Government
• Medical/Healthcare
Hackers can enter your computer systems from the internet and steal information.
Employees could lose a laptop with company records on it.
Anybody with a thumb drive can steal information.
Thieves could break into your offices and steal records.
Thieves steal from us using the very things we need to be in business today
Where your company is vulnerable…
• Viruses
• SPAM
• Phishing
• Systems
• Lack of policies
• Lack of preparedness
• Lack of knowledge
• Your trash
• The phone
• Social Media
• The Cloud
• Your People
…and the list grows all the time as technology pushes forward
We are vulnerable on the Internet
Viruses and malware are computer programs - sometimes called malicious code - that are created to cause harm!
File Infectors: Attach themselves to programs and spread when you run the program
Boot Sector: Infect the boot sector of a disk and load themselves into the computer’s memory when you start it
Trojan Horses: Act like legitimate programs
Macro Virus: Attach themselves to documents, email, websites, pictures and anything else you might open on the internet
What to Expect if Infected…
Viruses and their relatives can and do:
• Delete files
• Wipe your hard drive clean
• Email confidential information to crooks
• Cause your computer to attack other computers
• Make it impossible for you to use the machine
Viruses have lots of names
• DoS attack - denial of service
• RootKit
• Drive by download
• Key logger
• Malware
• Adware
• Trojan
• Botnet
• Spyware
DoS Attack
• Denial of service attacks are designed to crash your website, your server or your network
• Crooks flood the website with so many requests for pages that the server can’t respond and crashes
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
RootKit
• A rootkit gives the crook access to all your folders and files, things like your address book, and your customer records
• It runs with administrator privileges
• Rootkits hide themselves from your antivirus software by subverting the operating system
• They also hide other programs like malware, bots and worms
• They can be hard to remove
• They can be hard to detect
• They can create logs about your computer usage
A rootkit commands and controls the computer without your knowledge
Key Logger
• Key loggers are really good at stealing user names and passwords
• Common sources of key loggers are file sharing networks, online gaming sites, fake greeting cards sent via email
• A key logger may also install rootkits or other programs on your computer
• There are hardware key loggers that can be installed on a computer
Key loggers can record all of your keystrokes or even respond when you visit a banking website and enter your user name and password
Adware
• Adware can download automatically and without your knowledge by some websites or free programs
• Adware can redirect your browser to another site - more often than not, one you don’t want to visit
• Adware crooks can take advantage of misspelled URLs to take you to a drive-by website
Adware are programs that launch pop ups and other advertisements
How to protect your company from viruses
• Back up your data
• Purchase an antivirus software package
• Be sure you have a firewall in place
• Update your software
• Use secure passwords with the ability to change them periodically
• Don’t respond to emails unless you know who sent them
• Don’t click on links
• Do a full anti-virus scan on all of your computers on a regular basis
Having processes and standard procedures for all of these activities – understood and adopted by all staff – is a critical first step. These are a great place to start!
Hackers/Drive by Downloads
• All you have to do is visit the site
• It is not just “those websites”
• Legitimate websites can be infected. Celebrity sites that downloaded malicious code were in the news recently
• There are ways to trace your steps
Hackers install software that downloads automatically when you visit an infected website
You may be amazed at who gets notified when you visit a website
Collusion is a browser add on that graphs what happens when you visit a website
How to protect yourself from drive by downloads
• Be sure your firewall is on
• Consider a third party firewall
• Never click on links where people other than the owner have posted them – blogs, chat rooms
• Use the latest non-beta version of your browser
• Don’t install plug-ins or add-ons that you don’t know
• Be careful about downloading software.
SPAM
• SPAM is all that junk e-mail you get
• It is sent out in mass and spammers make money from the small percentage of people who respond
• SPAM can - and sometimes does - spread malicious code
You really can thank Monty Python
How do crooks get my email in the first place?
• They buy them
  • 30 million Hotmail addresses go for $450
  • 5 million Gmail addresses go for $350
• If your Internet service provider won’t let you send 5 million emails at once, crooks can buy that service too
Or phone number, etc.
How do crooks get my email in the first place?
• You provide them yourself
  • Sign up for newsletters
  • Facebook, Google+
  • Amazon
  • Online banking
  • Go paperless
  • Your Internet service provider
  • All of those countless people and companies that ask you for your address
Or phone number, etc.
How to protect your company from SPAM
• Use multiple email addresses
  • One for your business: jhisey@management-insights.com
  • One for your personal mail: [email protected]
• You could have a “subscriber” email and use it to register in public forums, chat rooms, mailing lists etc.
• Don’t click un-subscribe links or respond to spam. When you do the spammer knows you are a real person and you will get even more.
• Use an ISP that provides SPAM filters – most do nowadays.
• If your private address is discovered – change it
• Make sure your web browser is up to date
Don’t ever click on links or attachments included in e-mail unless you know for certain who sent them. Even if you know the person be wary and find out if they actually sent the email before you reply or click
Phishing
• Phishing tricks you into giving away your personal information by creating a fake replica of a real company website
• Phishers are all those people who want to send you $1 million from their uncle in Nicaragua
• Phishers are the friends of yours who send an email from the far east saying they are stranded and need you to send them money
• Phishers are not all on the internet. Those phone calls from the “credit information” service are phishing too
Phishing tricks you into giving away your personal or company information. Sometimes it is called social engineering
This is a real example of a phishing expedition
The crook’s website is no longer there
So when you click you are taken here
This is the real CitiBank website
Notice the real address is in bold and that the lock sign is there
Here is a Phishing attempt my wife received
Looks real until you check the return address and the foreign alphabet after the ID summary
How to protect yourself from Phishing
• Look for the lock symbol in the address
• Report anything suspicious to your bank
• Don’t complete a form in an email message that asks for personal information
• Be sure the HTTPS:// is in the internet address
• Don’t use an email message to load the web page. Type in the address yourself
• Check your accounts regularly
This is especially important if someone is asking you for bank information
• Facebook, LinkedIn, YouTube, Twitter and more are all important ways to network and grow your business
• As we put more and more information online it makes it easier for our customers and potential customers to find us
• Our information also opens opportunities for theft
Social Media
Secure passwords are a major way to protect your identity on social media sites
You want customers and those you don’t know are customers to find you
You DON’T want people to change your profile
Social Media - Meet my “friend” JoergR
JoergR sent me this email
I didn’t think I knew him but he looked sort of familiar and I was curious
Clicking on the link was a BAD idea
Fortunately my virus protection software caught the virus before any harm was done
Social Media
You can change what people see on your public profile
The Cloud
• Dropbox
• iCloud
• Microsoft
• Amazon
More and more companies are offering to keep your information on their servers
Safety and privacy is a concern
• Cloud computing is the wave of the future
• The question is do you want to have someone else have all of your important business information on their computer
• Actually you probably have a lot of information in the cloud already
  • Email, music, online backups
• You need to know how your data is being secured and what measures the service provider takes to ensure the integrity and availability of that data should the unexpected occur
• Use secure passwords
Systems Security
THERE IS A LOT YOU CAN DO TO PROTECT YOUR COMPUTER SYSTEMS
Firewalls
Firewalls control what programs can communicate with your computer
Secure your web browser
• Add ins
• Plug Ins
• Security Settings
• InPrivate
Pop Up Blockers
Control those unwanted ads and websites that “Pop UP” when you visit the main site. Even MSNBC uses pop ups
Privacy settings control which pop ups are allowed
Plug-ins, add-ins and their relatives
This is software that increases the functionality of a larger program. For example, a plug-in allows your web browser to play videos
Some are gateways for malware
There are ways to disable plug-ins and add-ins
How to create a secure password
• Make passwords you can remember but are hard to guess. Not your kids names, not your birthday, not a real word
• Mix upper and lowercase letters, numbers and punctuation marks
• Don’t use the same password on all of your accounts. If a hacker cracks one they have them all
• Use a phrase – !amcO1dt@day
• Use Padding – C@t$$$$$$$$$$$$$$$
• Change your passwords often, but don’t recycle them with trivial variations such as East1port, West2port, South3port
• Don’t tell anyone your password! If you have to give it out, change it right away
Size does matter
A 6-character alphanumeric password can be cracked in 0.0000224 seconds
A 10-character alphanumeric password can take weeks to crack
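As an added example (not from the workshop slides), the password rules above and the “size does matter” point expressed as a small Python checker: it counts the character classes a password mixes, estimates the brute-force keyspace in bits so you can see how every extra character multiplies the work, and flags recycled variants such as East1port/West2port. The length and class thresholds, the tiny word list and the similarity cutoff are assumptions, not the presenter’s.

```python
import difflib
import math
import string

# Assumed policy thresholds (not from the workshop): minimum length,
# required character-class mix, and the similarity at or above which a new
# password counts as a "recycled" variant of an old one.
MIN_LENGTH = 10
MIN_CLASSES = 3
RECYCLE_RATIO = 0.6

# Constructed sample of "real words" the deck warns against; a real
# deployment would load a full dictionary and a breached-password list.
COMMON_WORDS = {"password", "welcome", "summer", "letmein"}


def char_classes(pw):
    """Return which of the four classes (upper, lower, digit, punct) appear."""
    classes = {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "punct": any(c in string.punctuation for c in pw),
    }
    return [name for name, present in classes.items() if present]


def keyspace_bits(pw):
    """Rough brute-force cost: length x log2(size of the alphabet actually used).
    Each extra character multiplies the attacker's work by the alphabet size."""
    sizes = {"upper": 26, "lower": 26, "digit": 10, "punct": len(string.punctuation)}
    alphabet = sum(sizes[c] for c in char_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def is_recycled(new_pw, old_pw):
    """Flag trivial variants such as East1port -> West2port (same shape, new word/digit)."""
    return difflib.SequenceMatcher(None, new_pw, old_pw).ratio() >= RECYCLE_RATIO


def password_issues(pw, previous=()):
    """Return the list of workshop rules the password breaks (empty list = passes)."""
    issues = []
    if len(pw) < MIN_LENGTH:
        issues.append("too short")
    if len(char_classes(pw)) < MIN_CLASSES:
        issues.append("needs a mix of upper, lower, digits and punctuation")
    # Strip leading/trailing digits and punctuation so "password1!" is still caught
    if pw.lower().strip(string.punctuation + string.digits) in COMMON_WORDS:
        issues.append("is a real word")
    for old in previous:
        if is_recycled(pw, old):
            issues.append(f"recycled variant of {old}")
    return issues


if __name__ == "__main__":
    for candidate in ["!amcO1dt@day", "C@t" + "$" * 15, "West2port", "password1!"]:
        print(candidate, round(keyspace_bits(candidate), 1), "bits",
              password_issues(candidate, previous=["East1port"]))
```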
Password Managers
• So you have all of these fancy secure passwords but if you are like me I can’t remember them when I need them.
• A Password Manager remembers them all for you and signs you in automatically.
• They will generate secure passwords
• All you have to do is remember 1 password.
• PC Magazine rates some of the best:
  • Dashlane 1.1
  • Kaspersky Password Manager
  • LastPass 2.0
Password Managers keep track of all of your passwords...
You may find them useful
How do you know if your computer is infected
• Your computer starts behaving strangely
• Unexpected sounds or messages
• Programs that start all by themselves
• You get a firewall warning
• System errors
• Computer won’t start
• Blue screen of death
• The hard drive access light keeps running
• Web browser won’t let you close a window
• Programs or controls no longer work
It is not always easy to tell
What to do with a computer that has a virus
• Disconnect from the internet
• Try loading the operating system in “safe mode”
• Boot from a rescue CD
• If the computer starts do a complete scan using your antivirus software. If the virus scan finds nothing you may not have a virus
• Remove any unlicensed/trial software
• Remove all of those junk files you have
• Be sure you have the latest software updates installed
• If the computer was compromised and data was breached don’t turn it off
It is not always easy to tell
We are vulnerable – Dumpsters and more
Don’t forget that the internet is not the only place your data can be breached
Protect physical records from prying eyes
• Use a shredder
• Keep files locked
• Secure your mail boxes
• Use passwords on your computers’ screensaver
Preparedness Plan
It takes a whole company to protect the business
• Leadership to provide direction and resources
• Secure the computer systems
• Familiarity with changing state and federal notification requirements
• Notifying the media and keeping track of how a breach may affect the business
• Training employees and making them aware of how to protect themselves and the organization
• Notifying and engaging law enforcement should a theft occur
• Working with a theft and data breach resolution provider to handle escalation, tracking, notification and call center services for those affected by the breach
In a small organization managing all of these functions may rest on just one or two people
If a breach occurs there is a lot to do. These are the things you need to consider across your business
Make fraud preparedness a priority
• Have data security and mobile device policies and keep them current
• Communicate those policies to everyone
• Limit the type of data an employee can access based on job requirements
• Review the plan annually
Make sure everyone in the company knows what to do
Make fraud preparedness a priority
• Choose an Incident leader
  • Manages the company’s overall response and team
  • Is the intermediary between executives and the team
  • Reports problems and progress
  • Identifies key tasks, timelines, documents and reports the theft and its solution
  • Proposes the ID Fraud budget required to remedy
  • Summarizes required steps
  • Updates contact lists
  • Assures key personnel are trained
  • Reviews the organization’s response to make the next time function better
Put your team together
Train everybody
Practice – just like a fire drill
Are you ready?
• Internet access
• Preparedness is a priority
• Restricted use of thumb drives
• Laptops are encrypted
• Mobile devices
• Data access limited to those who need to know
• Best practices followed by the entire organization
• Regular bank and credit card account monitoring
Are you Ready – Look at your legal obligations
• Work with your attorney to be sure you meet your industry reporting obligations for the type of data that was stolen
• Review who needs to be contacted
  • Customers
  • Employees
  • Media
  • Regulators
  • Agencies
• If notification is required be sure notices are sent within the required timeline
• Never send Social Security Numbers or other sensitive information to vendors supporting your breach rectification efforts
Are you ready?
1. Update the data breach response team contact list
2. Review your response plan to be sure it is comprehensive
3. Review notification requirements
4. Evaluate your Information Technology Security
5. Be sure third parties that have access to your data use best practices
6. Review your vendor contracts to assure they continue to match your requirements
Quarterly
What to do if there is a breach
What to do first
1. Note the date and time the theft occurred or you found out about it
2. Engage the response team
3. Preserve evidence by securing the place where the theft occurred
4. Take affected machines offline to stop additional harm but DON’T turn them off
5. Document, document, document
6. Determine what the risk is overall and prioritize next steps
7. Notify your vendors
8. Bring in the police
The breach or theft is “discovered”
Work with your team to find out more about what happened
• What counter measures were in place when the theft occurred
• Was the data encrypted
• Review backups and other information that was preserved to find out as best you can what was taken
• Begin the process to determine who was affected and the extent of it
• Put together names and address so they can be notified
Fix the cause of the problem
• Find and delete the virus or other tools the hacker used to get the data
• Clean the affected machines before you put them back on line
• Find and fix security gaps or other risks
• Do the best you can to ensure that the type of breach does not happen again
• Document the who, what, when, how and why of the breach or theft
Resources
• Microsoft malicious software removal tool
• Microsoft Safety and Security Center
• Your computer manufacturer
• Your software manufacturer
• Your ISP
• Virus definition directory
• Build a list of trusted sites
• ID theft resource center
There is a lot of information out there about ID Fraud
ID Theft Protection Services
• Credit Monitoring
• Credit Reports
• Credit Scores
• Internet Monitoring
• Alerts
• Public Records Monitoring
• Software
• Lost Wallet
• Insurance / Guarantee
• Call Center
• Guidance and advice
NXG Strategies
Lifelock
ProtectMY ID
Trusted ID
Summary
Protecting the business against theft requires all of these things
• Knowledge
• Systems
• People
• Policies
• Plans
• Partners
I asked someone once what is the most important thing you need to have a successful business. He said “You need it all.”
ID theft protection is part of the requirement. There is a lot to learn but you are not alone
SCORE
Management Insights
At the end of the day it is the right thing to do!
• Knowledge
• Systems
• People
• Policies
• Plans
• Partners
• Power
• Your computers and your business will run better
• Your business will be more secure
• You will have more time to do the important things
• You will save money
• You are fighting evil
• You will sleep at night
• You are being a proactive business owner
• You will know enough to finally understand what the IT people are talking about a little better
• You will have more power over your enemies
• You will have done all you can to protect your business against a real and present danger
• You will meet some really cool people who have your back
Questions
How did we do?
Thank you!
James Hisey II
President
Management Insights LLC
384 Ronald Drive
Fairfield, CT
[email protected]