current risks in cybersecurity – protect the value of … · purports to cover any organization...

www.bgdlegal.com

CURRENT RISKS IN CYBERSECURITY – PROTECT THE VALUE OF YOUR DATA

John McCauley, Partner, CIPP/US/E

January 9, 2019

www.bgdlegal.comwww.bgdlegal.com

Protect Your Data From

Regulatory Penalties Third-Party Vendors Contractual Disputes Cyberattacks Inadvertent Breach


US DATA PRIVACY REGIMESThe “Sectoral” Approach to Privacy

Health Information Portability and Accountability Act (HIPAA) Gramm-Leach-Bliley Act (GLBA) Federal Trade Commission Enforcement Children’s Online Privacy Protection Act (COPPA) Contract Law/Self-Regulation

PCI-DSS

State Breach Notification Laws State Privacy Laws

Illinois Biometric Information Privacy Act (BIPA) California Consumer Privacy Act

Tort Law/Common Law


GENERAL DATA PROTECTION REGULATIONThe “Omnibus” Approach to Privacy

Purports to cover any organization holding personal data of an “EU Data Subject” Requires affirmative consent to data processing in most cases Requires Data Protection Impact Assessments for new products and services Agreements between all parties sharing data Mandates “right to erasure” 72-Hour Breach Notification Rule Penalties up to €20 Million or 4% of global revenue - whichever is higher


California Consumer Privacy Act• GDPR-like• Consumers may demand deletion of data• Consumer must have right to opt-out of selling of personal data• Statutory Damages for Breach ($100-$750 per user)• Applies to Companies with > $25 million in revenue or has consumer

info of > 50,000 consumers• January 1, 2020

State Attorneys General Actions Federal Legislation

RECENT DEVELOPMENTS


Data between companies shared according to contracts Contract disputes lead to litigation or settlements Data Licenses will outline permissible and impermissible use Recent trends:

• Sweeping indemnification provisions• Disgorgement of profits• Ownership interest in product• Enforcement of auditing provisions

THIRD-PARTY MANAGEMENT

www.bgdlegal.com

Cyber-Crime Trends

“Amateurs hack computers, professionals hack people.”

- Some Hacker


The Year of the Breach


Visualized Breaches


WHAT IS THE WEAKEST LINK IN OUR CYBERSECURITY?

1) Hackers?2) Old Equipment?3) Software Vulnerabilities?4) The Internet?5) Employees?

www.bgdlegal.com


EMPLOYEES, EMPLOYEES, EMPLOYEES

THE VERY WEAKEST LINK IS EMPLOYEES. 93% OF SECURITY INCIDENTS INVOLVE SOME TYPE OF EMPLOYEE LACK OF AWARENESS

SHARING CREDENTIALS SHOULDER SURFING DUAL USE AND SHARED DEVICES LOST OR STOLEN DEVICES INFECTED HOME COMPUTERS PUBLIC WIFI - - MOUSE JACKING - - JUICE JACKING


MUST TRAIN ON SECURITY AWARENESS BECAUSE. . . Anti-virus and anti-malware are only 70% effective because of the rate that new malware

is developed. One million new strains of malware every day. The programs cannot always identify new strains of malware because it does not

recognize them.

www.bgdlegal.com

Malicious Insiders


INSIDER THREAT VECTOR MOST CYBERSECURITY FOCUSES ON EXTERNAL THREATS –

PERIMETER FOCUSED DISGRUNTLED EMPLOYEES, FORMER EMPLOYEES, CLUELESS

EMPLOYEES 4 METHODS TO CONTROL INSIDER ATTACKS SECURITY AWARENESS TRAINING NETWORK MONITORING ACCESS CONTROL MANAGEMENT HONEY POTS


HOW DO WE PROTECT INFORMATION?Threat Vectors & Discovery Delays Phishing, Spear Phishing, Whaling Attack Ransomware Social Media Watering holes or drive bys Social Engineering

Average 205 days from security incident to discovery 70% of the time security incident discovered by somebody else


PREVENTION METHODS

Effective Password Policies


PREVENTION METHODS

Effective Password PoliciesEncryptionTwo-Factor Authentication


ADDITIONAL PROTECTION STEPS

WHITELISTING MINIMIZING PERMISSION

LEAST PRIVILEGE ACCOUNT SEPARATION

PATCH MANAGEMENT WATCH YOUR DATA FLOW CONDUCT PERIODIC RISK ASSESSMENTS

POLICY REVIEWS PENETRATION TESTING

www.bgdlegal.com

Ransomware

www.bgdlegal.com

Ransomware

Use regular, out-of-band backups.

Do not open email messages or attachments from unknown individuals.

Implement technical safeguards.


SCAREWARE

• Tricks the user into using malware infested sites.

• These appear to be legitimate warnings from anti-virus software companies, and they claim your computer has been infected.

• Users are frightened into paying a fee to purchase software to fix the problem.

• Actually, the user is downloading fake anti-virus software, whish is really malware.

• Scammers are also perpetrating this by phone.


LET’S GO PHISHING


PHISHING – DON’T GET HOOKED

PHISHING IS AN ATTACK THAT TRICKS YOU INTO OPENING A LINK OR ATTACHMENT

JUST READING AN E-MAIL WILL NOT TRIGGER AN ATTACK YOU HAVE TO PERFORM SOME TYPE OF ACTION MOST COMMON PHISHING ATTACKS # 1 -- LinkedIn # 2 -- BANK ACCOUNTS/CREDIT CARD COPANIES # 3 -- AMAZON


COMMON SIGNS OF PHISHING The email demands immediate action before something happens like closing your

account or subjecting you to fines. You receive an email that entices you to open an attachment such as a letter from the

IRS threatening prosecution or details of unannounced layoffs at your company. The email is supposedly coming from an official organization but uses a personal email

address such as @yahoo.com or @gmail.com. The email, which is supposed to be from a business or government organization,

contains spelling errors or bad grammar. The link in the email appears to take you to another site not connected to the

organization. You receive a message from someone you know, but it does not sound like them and

contains a strange link.

www.bgdlegal.com

www.bgdlegal.com

JOHN MCCAULEY, CIPP/US/E/BINGHAM GREENEBAUM DOLL LLP

[email protected]

Thank You

current risks in cybersecurity – protect the value of … · purports to cover any organization...

Documents