Jon McDowall, CFE, PCI, CIFI
Chief Executive Officer
Fraud Resource Group
866.355.3866
Ten Steps to a More Secure Small Business
1. Explore, identify and understand risks unique to your business
2. Take a layered approach to security
3. Leverage customer intimacy whenever possible
4. Identify meaningful resources to better secure against today’s schemes
5. Position yourself and employees to identify red flags of relevant frauds
6. Educated employees keep smaller businesses IN BUSINESS
7. Stand-alone computer for banking/transactions (no email, browsing)
8. Review Online Banking/Transactional Accounts Daily
9. Get to know Law Enforcement resources before you need them
10. Vigilance and paranoia can be your friends…embrace them!
10 Steps to a More Secure Small Business
1. Explore, Identify and Understand Risks Unique to Your Business
The Cost
Average U.S. Cost per Data Breach: $6.75 million
(equivalent to $204 per compromised record) *
* Ponemon Institute, Annual Study: Global Cost of a Data Breach, April 2010
85% of Data Breaches Occur at Small Business Level. *
* Visa Global Security Summit Report
[Chart: Data Security Breaches – Small Business 85%, Large Enterprise 15%]
Data Breach Causes:
1. Intentional Employee Acts
2. External Malicious Attacks *
3. Lost Devices
4. Human Error / Negligence
* Fastest Growing
Concerns
• Data Accessible via Many Means
• Embracing Technologies without:
  – Assessing Risk
  – Developing Policies / Procedures
  – Providing Adequate Training
2010 Javelin Identity Fraud Report: Small Business Owners suffered Identity Fraud at One-and-One-Half Times the rate of other consumers
Prediction: Increased Breach Reports
• Increased Oversight/Regulation/Reporting
• Training isn’t Prioritized
• Vulnerability Points will Grow
• Cloud Computing is Embraced
• Professional, Organized, Profiting Criminals
Cyber Attacks against American Business:
Over $1 TRILLION in Compromised Intellectual Property. *
* Obama Administration, Cyberspace Policy Review – Assuring a Trusted and Resilient Information and Communications Infrastructure, May 2009.
Does not count losses due to:
• Theft of PII
• Loss of customers
• Negative impact on corporate share values
Malware, Keylogging:
• Browsers
• Links
• PDFs
• Word Docs
• Pictures
• Auction and Game Sites
• Almost Anything with Code
GeoLocation
• Allows pinpointing locations of users:
  – Cell Phones, PDAs, Tablet PCs
  – Cameras, Photos
  – Flickr
  – iPhone and Droid Apps
Mule Schemes
• Work at Home Offers
• Great Titles / Positions
• Great Pay
• Easy Money
• Legitimate and Legal – Trust Us…
2. Take a Layered Approach to Security
LAYERED APPROACH to RISK MITIGATION
Threats: Keyloggers, Worms, Trojans & Malicious Code
Layers:
• Anti-Virus & Anti-Spyware
• Authenticated Applications, Users & Machines
• Spyware and Intrusion Detection
• Employee Education / Training
3. Leverage Customer Intimacy Whenever Possible
Take-Aways / Best Practices
• Initial Authentication is Critical
• Leverage Customer Intimacy (advantage: small business)
4. Identify Meaningful Resources to Better Secure Your Firm against Today’s Schemes
Resources
• http://www.acfe.com
  Webinars, Self-Studies, Training
• http://csrc.nist.gov/securebiz/
  Workshops, Videos & Exercises
• http://www.infragardawareness.com
  Free Security Awareness Training
5. Position Yourself and Your Employees to Identify Red Flags of Relevant Fraud Schemes
Social Engineering: Manipulation or Trickery
• Relies on Inherent Human Tendencies:
  – Trust
  – Desire to Help
  – Avoid Conflict and Awkward Situations
  – Avoid Confrontation
• Anticipates Typical Human Reactions
Common Approaches
1. Telephone Impersonation
2. Online / Email
3. In Person
• Network / IT Support
• Outside Vendor
• Senior Manager
• Executive Assistant
• Customer / Client
• Human Resources Dept.
Common Goals
• Personally Identifying Information (PII) = ID Theft
• Network Log-ins & Passwords
• Company Confidential Data
• Theft of Trade Secrets
• Revenge or Punishment
• Financial Fraud
• Profit!
Common Targets
• Front Line Phone Personnel
• Help Desks
• Executive Assistants
• Executives (directly)
• Employee ID / Financial Data
• Customer ID / Financial Data
Influence / Persuasion / Social Engineering
• Timeless Fraud Indicator
• At Least Some Elements Present in All Schemes
• Helpful in Identifying Not-Yet-Experienced Schemes
6. Educated Employees Keep Smaller Businesses In Business
Best Practices
• Employees are Your First Line of Defense
• Uneducated Employees = Liability
• Meaningful Employee Training is Critical
• Document Employee / Other Training
• Look Beyond “Compliance”
• Pass it On…
You May Also Need to Educate
• Customers
• Vendors
• Partners
• Others
Policies
• Personal Use of Business Computers
• Portable Media Use
• Social Media
• Offsite Network Access
• Bluetooth and Wireless Peripherals
• GeoLocation Data
TENSION: Information Security vs. Customer Service
7. Consider a Stand-Alone Computer for Banking/Transactions
Take-Aways / Best Practices
• PC and Anti-Virus: Auto Updates
• Isolated Security Zones
- Stand-Alone Computer for Banking
- Minimum Needed Access to Info
8. Review Online Transactional Accounts on a Daily Basis
Take-Aways / Best Practices
• ACH, Wire, P2P, A2A Transactions = Elevated Risks
• Review Online Banking Activities Daily
9. Get to Know Law Enforcement Resources Before You Need Them
Take-Aways / Best Practices
• Electronic Crimes Taskforces
• Local, State and Federal
• Host Educational Event
• Be Creative
10. Vigilance and Paranoia are Your Friends…Embrace Them!
Take-Aways / Best Practices
Anticipate & Plan for a “Breach.”
Consider Updating Your Business Continuity Policy to Include a Data Security Breach Plan
- Victim Explanation/Apology Letter
- Pre-Arranged Victim Credit Monitoring
- Other Appropriate Measures
Take-Aways / Best Practices
• Timely Operating System and Application Patches
• Redundancies in Transaction Authorizations
• Regular Data Back Up
Thank You!
Jon McDowall, CFE, PCI, CIFI, CII
866.355.3866