forthright security lunch and learn - ransomware focus 2
TRANSCRIPT
Don't Be The Next Target!
Protecting Your Business From The Latest Threats
Welcome!
Today’s subject:
Protecting Your Company from Ransomware
Trends
SMBs Are More And More Digital
Small and medium businesses have to compete more and more with mega-stores. Most have:
● Web Sites
● eCommerce Orders
● Paypal
● Square
● Multiple Email Accounts
● Social Media Accounts
● Etc...
Trends
Big Data – Your Data
Facebook leverages big data in its marketing
Most businesses use Facebook in their marketing
Every social media platform uses big data
Trends
Most SMBs will be in the cloud soon
Cloud services are lowering:
● Costs
● Complexities
● I.T. Staff
Trends
Bring Your Own Device (BYOD) is happening
So what is happening to Security?
Where is Business going to be exposed?
Around the World
● Daily Cyber Attacks Against US Gov
● Dams, Water Treatment, Power Grids
● ISIS Paying Big Money to Hackers
In The News
● Hollywood Hospital - $17,000 in Ransom
● Apple – 600,000 Incidents of Ransomware so far
● iPhone Encryption – FBI hacked it
In The News
“The New York State Attorney General’s office said that the number of breach notifications issued by his office had risen 40% during 2016 compared with the same period a year earlier.”
- WSJ 05/05/16
What Are The Threats?
Bots, Phishing, Social Engineering, Malware of all sorts
Who Has Been Affected?
Millions spent to respond and Millions in lost revenue
The Heritage Foundation Issue Brief #4487 on Cyber Security, November 18, 2015
● Morgan Stanley – 350,000 Client Records Stolen
● Anthem – 80 Million Client Records Stolen
● Penn State – 18,000 Student Records Stolen
● All Had Passwords - Firewalls - AntiVirus
What Are The Threats?
BYOD (Bring Your Own Device):
● 20 Years Ago Software was Expensive
● Now iPhone Apps are Free or 99 cents
● Just Search for what you need and install it
What Could Go Wrong?
What Are The Threats?
Social Media:
● People used to keep things private
● Now everyone’s life is public
● So our exposure to risk is at new levels
● Now it’s Easy for Hackers to find personal info to use in a Social Engineering or Phishing Attack
What Are The Threats?
Cheap Wireless Routers:
● Installed Randomly for Convenience
● Can be an Easy Gateway into your company data from hundreds of feet away
● Most are never monitored for illegal access
What Are The Threats?
False Security:
● Passwords Don’t Work – Malware Doesn’t Care
● Insider Threats are Huge – Employees Steal Data
● The FBI says it takes an average of 14 months for companies to detect an intruder. Most won’t know until it’s too late.
What Are The Threats?
Internal:
“90% of I.T. employees indicate that if they lost their jobs, they’d take sensitive company data with them...
59% of employees who leave an organization voluntarily or involuntarily, say they take sensitive data with them.”
Deloitte via WSJ – 05/02/16
Who Are The Targets?
“...SMB’s make much more attractive targets for cyber-thieves”
“...a data breach involving an SMB can be far more devastating for the company than a similar type breach at a larger company.”
csattorneys.com Nov 5, 2014
Ransomware
“The FBI said the number of so-called ransomware attacks is on the rise. Hackers break into a corporate network, encrypt data and hold it ransom until the victim agrees to pay...”
- WSJ 05/04/16
Ransomware
“More small businesses are falling victim to “ransomware…”
“...Bitcoin is a preferred method of payment, partly because the use of bitcoin makes payments difficult to track.”
WSJ – April 15, 2015
Ransomware
“...About 30% of ransomware victims pay to regain their data, estimates Tom Kellermann, chief cybersecurity officer for Trend Micro Inc., an Irving, Texas, cybersecurity firm.”
WSJ – April 15, 2015
How Can You Be Safe?
Start with 3 important questions:
1) What are you Protecting?
2) What are the Threats?
3) What is happening right now?
What Are You Trying To Protect?
● Company Secrets, Intellectual Property
● Customer Emails, Credit Card Details, Purchases
● Company Accounting System
● Patient Health Records
● What’s Important?
What Are Your Threats To That?
● Contractors?
● Service Providers?
● Employees?
● Hackers?
● Ransomware?
What Is Happening – Right Now?
● Do you know – right now – what is happening to that data?
● How will you respond to a breach?
● You are liable for it, Not the I.T. dept.
What Can Be Done?
Think about home security:
What secures a home?
Locks – Alarms – Dogs – What Else?
What Can Be Done?
Home Security
Protect | Detect | Respond
Doors | Alarms | Dog
Windows | Motion Sensors | Gun
Locks | Crime Watch | Police
Fence | Monitoring | Insurance
Which column is most important?
What Can Be Done?
Protect | Detect | Respond
Doors | Alarms | Dog
Windows | Motion Sensors | Gun
Locks | Crime Watch | Police
Fence | Monitoring | Insurance
Must Have – But They ALL Break
Must Be Able To Detect The Break
Must Be Able To Respond Quickly
You Cannot keep people out – But you can detect them
A System
Security is not Firewalls, Passwords Or Encryption
Security Is A System
The System is a combination of People, Policies, Training and Technology all working together
(When) Will It Happen To You?
● That is the question.
● Every day I work with small businesses who have Malware of all sorts on their business and personal computers.
● Much of it is designed to be a back door into the computer – bypassing firewalls and anti-virus.
● And some... the evil Ransomware
● Most SMBs have no system to Detect and Respond in time
Compliance
Do Industry Compliance Standards = Security?
PCI-DSS, HIPAA, Etc
If Compliance = Security how do Hospitals, Financial Institutions and Retailers get hacked every day?
Compliance <> Security!
Cost and Liability
The Ponemon Institute and Symantec estimate that it costs businesses $188 per record lost.
Just 1000 records = $188,000 in one breach!
Businesses also suffer potentially priceless damage to their reputation and trust.
Cyber Insurance
“...Cyber liability insurance coverage (CLIC) has been available for more than 12 years…
The average cost of a data breach to the affected business is $3.8 million...a 23 percent increase since 2013...”
CNN.com June 30, 2015
Attitude?
“Security is also a Frame of Mind...
It’s about Culture, Structure and Strategy...
Every aspect of doing business requires looking at it through a security lens...”
Paraphrased from TheGuardian.com Mar 11, 2014
How Do You Answer...
● Do you have Policies in place for proper handling of company data?
● Do you have a system to provide Security Intelligence?
● Do you have an Employee Cyber Security Training Program?
Remember – Cybercrime is the fastest growing industry!
Key Points
● Biggest Threat = Ransomware - Easy Money For Hackers
● Malware is SMART – Typical Anti-Virus is almost useless
● Most Big co’s have been hacked. SMBs are even Easier
● Targeted Social Engineering attacks are growing fast
● Employee Security Awareness Training is a Must!
Key Points
● Compliance is NOT security
● Security is a State of Mind
● Liability for exposing customer data is Real & Expensive
● A Complete System is required for modern security