© 2017 all rights reserved brown smith wallace llp · 2018-03-31 · •usa.gov •identitytheft...


Post on 01-Aug-2020


Page 3

• Identify and discuss major issues related to cybercrime and the increasing risks associated with cybercrime

• Identify ways in which owners/operators can help protect their senior living residents from cybercrime

• Identify and discuss identity theft issues, other than those related to cybercrime

– Protecting information maintained in paper form

– Assisting your seniors to be proactive in protecting their own personal information

Page 4

– Crime in which someone wrongfully obtains and uses another person’s personal information in some way that involves fraud or deception, usually for personal gain

– Tax ID Theft

– Medical ID Theft

– SSN Theft

– Higher all the time

– Especially high for those over 50 years of age

Page 5

– Frequently more financially stable and don’t check credit reporting agencies often

– Vulnerable population

– Hesitant to report

– May not be computer savvy

Page 6

– Emails frequently look legitimate

– Look closely at the URL

– Contain links that may:

• Access your email account and all your contacts

• Infect your system with a virus

• Access personal information you have utilized via email

– Foreign royalty/money scams

– IRS—Email is never the first point of contact from the IRS

– Sham charities

– Sham sweepstakes—you “won a prize”

Page 7

• Technical systems

• Technical support

• Education for Resident Population

Page 8

– Licensed Areas

• Charts

• Face Sheets

• Short Stay

• Transfer Documents

– Independent Living

• Mail

• Documents in the residence

• Security of the residence

Page 9

– The “Can You Hear Me” scam

– Bail money or ransom

– IRS

– Bank

Page 10

• Monitor bank accounts and the credit reporting agencies

• Shred old documents

• Be mindful of what you are carrying with you

• Secure documents with identifying information

• Secure your mail

• Share your personal information with caution

• Email

– Don’t open unexpected email or email from unknown sources

– Don’t click on links contained in the email

Page 11

– Federal Trade Commission (FTC)--obtain ID Theft Affidavit

– Local law enforcement—provide them with ID Theft Affidavit. Should get an ID Theft Report

– You will need these two documents to report to other agencies/organizations

– Banks/creditors where fraudulent accounts may have been opened

– Your insurance company, if medical identity theft is suspected

– IRS

– Your bank/creditors/retailers

– Credit Reporting Agencies

– State Consumer Protection Agency/State Attorney General

Page 12

• ftc.gov/scams

• dor.mo.gov/personal/individual/identity_theft

• www.idtheftcenter.org

• USA.gov

• IdentityTheft.info

Page 15

• According to the 2017 Trustwave Global Security Report, phishing and social engineering increased 141% from 2015 to 2016, making it the second most popular contributor to data compromise.


Page 16

• In the 2017 Verizon Data Breach Report, it was reported that 51% of breaches involved malware. While this threat is beginning to taper off compared to prior years, it still remains one of the most frequent threat vectors for all organizations.

Page 17

Malicious or criminal attacks include malware, criminal insiders (employees, contractors or other third parties), phishing/social engineering and web site attacks

Human error is negligent insiders that are individuals who cause a data breach because of their carelessness, as determined in a post data breach investigation.

System glitch includes loss of system or component, IT and Business process failures


Page 18

Almost

by a ransomware attack, according to a survey by

security firm Malwarebytes.

Page 20

• Financial Institutions

– Financial motives

– Social Security Numbers

• Health Care

– Social Security Numbers

– Health data (WannaCry hit NHS)

• Public Sector

– Social Security Numbers

– Health data

– Activism

Page 21

• Nation States

– Attack Public Sector and Infrastructure

– Motivation is to instill fear within populace

– North Korea believed to be behind WannaCry

• Hobbyists

– Financially motivated

– Accepting ransoms for financial gain

• Russia, Eastern Europe, and China?

– Highly educated population

– High unemployment in some countries

Page 22

• US credit bureau Equifax has acknowledged a breach that may have compromised as many as 143 million records.

• At the moment, nobody not under NDA knows the full details of the breach, including what could have been done to stop it.

• This breach is in a class by itself and should invite immediate Congressional hearings.

• The exposed data include Social Security numbers (SSNs), birth dates, and driver's licenses. The breach also compromised payment card numbers of more than 200,000 consumers.

• It has been estimated this breach impacts 57% of adult Americans.

• Equifax set up a web site to allow you to check whether you are impacted, but it requires the last six digits of your SSN, and suggests returning regularly to make sure your status hasn't changed.

• Taking action to establish credit monitoring and lock your credit profile would be more prudent.

Page 24

The most common type is email phishing

• “It’s like a fake ATM that prints out an error message when you try to use it, but in the meantime has taken your credit card details and pin number.”

• “It’s like fishing, hence the name. The phisher casts the net (usually by sending out spurious emails to a large group of people) and waits for an unsuspecting user to be drawn in. Or in the case of ‘spear phishing’, the phisher targets a specific user, usually by posing as someone they know well. But it’s also not like fishing, which suggests a fairly harmless amateur pastime.”

- sidewaysdictionary.com

Page 25

Malware = Malicious Software

• Command and control – a hacker uses your computer resources to their benefit

• Ransomware – a hacker encrypts your data and holds it hostage for a sum of money

• Spyware – a hacker reads all of your computer inputs and steals your passwords

• Backdoors – a hacker gains complete access to your computer

• Data exfiltration – a hacker downloads your personal or company information

Page 26

• Provide staff with security awareness training

• Actively engage users to adhere to security and privacy policies

• Keeping up-to-date systems is critical – patching/configuration

• Comprehensive and regular backups

• Antivirus with Malware detection is up-to-date

• Restrict internal user permissions

Page 27

If your organization is unfortunate enough to be hit with an infection:

• Do you have an Incident Response Plan?

• Isolate the workstations immediately from the network to stop any further incursions.

• Do not re-image the PC until it is determined what the infection was.

• Start cleaning up the infection by contacting your endpoint security vendor’s support staff, who will be able to assist with any clean-up activities and ensure the infection is completely removed.

Page 28

If your organization is unfortunate enough to be hit with an infection:

• Determine the nature of that particular infection with your vendor’s support staff.

• Check if user data was encrypted. The earlier this is done the better.

• Alert other employees if this was a targeted attack, or about the threat vector, if appropriate.

• Notify law enforcement.

Page 30

NIST is a great resource!

Page 31

Challenges for Small Businesses:

• People

• Budget

• Knowledge

Small businesses are becoming a target for hackers.

The goal for a small business is to deter a hacker enough that they move on to the next small business.

Page 32

What can small businesses do?

• Document and communicate policies and procedures

• Complete background checks on employees

• Limit access to IT resources and use strong passwords

• Patch systems

• Use firewalls, set up spam filters, and secure wireless networks

• Encrypt sensitive data and laptops

• Install and monitor anti-virus

• Develop incident response, disaster recovery, continuity plans

• Take backups and test data recovery

Page 33

What can small businesses do?

• Pay attention to the people you work with and around

• Be careful of email attachments and web links

• Use separate personal/business computers, mobile devices, accounts

• Do not connect personal or untrusted storage devices or hardware into your computer, mobile device, or network

• Be careful downloading software

• Do not give out personal or business information

• Watch for harmful pop-ups

• Use strong passwords

• Conduct online business more securely

Page 34

1. Annual Risk Assessment is a foundational requirement in all new compliance models

a) How do you take inventory of risk in your environment?

b) How are you treating that risk?

c) Are there risks that haven’t been treated or mitigated?

2. Outsourcing of services is leading to Vendor Management programs to monitor security obligations

a) How much trust are you putting into a Managed IT Service Provider?

b) Are you hosting your data with a third party?

Page 35

Tony Munns| [email protected] | 314-983-1297

6 CityPlace Drive, Suite 900│ St. Louis, Missouri 63141 │ 314.983.1200

1520 S. Fifth St., Suite 309 │ St. Charles, Missouri 63303 │ 636.255.3000

2220 S. State Route 157, Ste. 300 │ Glen Carbon, Illinois 62034 │ 618.654.3100

1.888.279.2792 │ bswllc.com

Brown Smith Wallace is a Missouri Limited Liability Partnership

Suzanne Sheldon-Krieger | [email protected]