www.bgdlegal.com
CURRENT RISKS IN CYBERSECURITY – PROTECT THE VALUE OF YOUR DATA
John McCauley, Partner, CIPP/US/E
January 9, 2019
Protect Your Data From
• Regulatory Penalties
• Third-Party Vendors
• Contractual Disputes
• Cyberattacks
• Inadvertent Breach
US DATA PRIVACY REGIMES: The “Sectoral” Approach to Privacy
• Health Information Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act (GLBA)
• Federal Trade Commission Enforcement
• Children’s Online Privacy Protection Act (COPPA)
• Contract Law/Self-Regulation
• PCI-DSS
• State Breach Notification Laws
• State Privacy Laws
• Illinois Biometric Information Privacy Act (BIPA)
• California Consumer Privacy Act
• Tort Law/Common Law
GENERAL DATA PROTECTION REGULATION: The “Omnibus” Approach to Privacy
• Purports to cover any organization holding personal data of an “EU Data Subject”
• Requires affirmative consent to data processing in most cases
• Requires Data Protection Impact Assessments for new products and services
• Agreements between all parties sharing data
• Mandates “right to erasure”
• 72-Hour Breach Notification Rule
• Penalties up to €20 Million or 4% of global revenue, whichever is higher
RECENT DEVELOPMENTS
California Consumer Privacy Act
• GDPR-like
• Consumers may demand deletion of data
• Consumer must have right to opt-out of selling of personal data
• Statutory Damages for Breach ($100-$750 per user)
• Applies to companies with > $25 million in revenue or that hold consumer info of > 50,000 consumers
• January 1, 2020
State Attorneys General Actions
Federal Legislation
THIRD-PARTY MANAGEMENT
Data between companies is shared according to contracts. Contract disputes lead to litigation or settlements. Data licenses will outline permissible and impermissible use.
Recent trends:
• Sweeping indemnification provisions
• Disgorgement of profits
• Ownership interest in product
• Enforcement of auditing provisions
Cyber-Crime Trends
“Amateurs hack computers, professionals hack people.”
- Some Hacker
The Year of the Breach
Visualized Breaches
WHAT IS THE WEAKEST LINK IN OUR CYBERSECURITY?
1) Hackers?
2) Old Equipment?
3) Software Vulnerabilities?
4) The Internet?
5) Employees?
EMPLOYEES, EMPLOYEES, EMPLOYEES
THE VERY WEAKEST LINK IS EMPLOYEES. 93% OF SECURITY INCIDENTS INVOLVE SOME TYPE OF EMPLOYEE LACK OF AWARENESS
• SHARING CREDENTIALS
• SHOULDER SURFING
• DUAL USE AND SHARED DEVICES
• LOST OR STOLEN DEVICES
• INFECTED HOME COMPUTERS
• PUBLIC WIFI
• MOUSE JACKING
• JUICE JACKING
MUST TRAIN ON SECURITY AWARENESS BECAUSE . . . Anti-virus and anti-malware are only 70% effective because of the rate at which new malware is developed: one million new strains of malware every day. The programs cannot always identify new strains of malware because they do not recognize them.
Malicious Insiders
INSIDER THREAT VECTOR
MOST CYBERSECURITY FOCUSES ON EXTERNAL THREATS – PERIMETER FOCUSED
DISGRUNTLED EMPLOYEES, FORMER EMPLOYEES, CLUELESS EMPLOYEES
4 METHODS TO CONTROL INSIDER ATTACKS
• SECURITY AWARENESS TRAINING
• NETWORK MONITORING
• ACCESS CONTROL MANAGEMENT
• HONEY POTS
HOW DO WE PROTECT INFORMATION? Threat Vectors & Discovery Delays
• Phishing, Spear Phishing, Whaling Attack
• Ransomware
• Social Media
• Watering holes or drive-bys
• Social Engineering
Average 205 days from security incident to discovery; 70% of the time the security incident is discovered by somebody else.
PREVENTION METHODS
• Effective Password Policies
• Encryption
• Two-Factor Authentication
ADDITIONAL PROTECTION STEPS
• WHITELISTING
• MINIMIZING PERMISSION
• LEAST PRIVILEGE
• ACCOUNT SEPARATION
• PATCH MANAGEMENT
• WATCH YOUR DATA FLOW
• CONDUCT PERIODIC RISK ASSESSMENTS
• POLICY REVIEWS
• PENETRATION TESTING
Ransomware
• Use regular, out-of-band backups.
• Do not open email messages or attachments from unknown individuals.
• Implement technical safeguards.
SCAREWARE
• Tricks the user into visiting malware-infested sites.
• These appear to be legitimate warnings from anti-virus software companies, and they claim your computer has been infected.
• Users are frightened into paying a fee to purchase software to fix the problem.
• Actually, the user is downloading fake anti-virus software, which is really malware.
• Scammers are also perpetrating this by phone.
LET’S GO PHISHING
PHISHING – DON’T GET HOOKED
PHISHING IS AN ATTACK THAT TRICKS YOU INTO OPENING A LINK OR ATTACHMENT.
JUST READING AN E-MAIL WILL NOT TRIGGER AN ATTACK; YOU HAVE TO PERFORM SOME TYPE OF ACTION.
MOST COMMON PHISHING ATTACKS
# 1 -- LinkedIn
# 2 -- BANK ACCOUNTS/CREDIT CARD COMPANIES
# 3 -- AMAZON
COMMON SIGNS OF PHISHING
• The email demands immediate action before something happens, like closing your account or subjecting you to fines.
• You receive an email that entices you to open an attachment, such as a letter from the IRS threatening prosecution or details of unannounced layoffs at your company.
• The email is supposedly coming from an official organization but uses a personal email address such as @yahoo.com or @gmail.com.
• The email, which is supposed to be from a business or government organization, contains spelling errors or bad grammar.
• The link in the email appears to take you to another site not connected to the organization.
• You receive a message from someone you know, but it does not sound like them and contains a strange link.
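Three of the signs above (urgency, a personal sender address behind an "official" organization, and a link that leads somewhere unconnected to the organization) can be checked mechanically at the mail gateway. The following is an added example, not from the slides; it assumes a single-part HTML message and that the organization the mail claims to be from is known (the `claimed_org_domain` parameter), and the sample message is constructed.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
URGENCY = ("immediate action", "will be closed", "within 24 hours", "fines")  # slide: urgency
FREEMAIL = {"yahoo.com", "gmail.com"}  # slide: personal address used by an "organization"

class Links(HTMLParser):  # collects (href, visible text) for every <a> in an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain(value):  # last two labels of a URL's host or a bare host name, lower-cased
    host = urlparse(value if "://" in value else "http://" + value).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def phishing_signs(raw_email, claimed_org_domain):
    """Return the slide's signs that fire on one raw RFC 822 message with an HTML body."""
    msg = message_from_string(raw_email)
    signs = []
    sender = domain(parseaddr(msg.get("From", ""))[1].split("@")[-1])
    if sender in FREEMAIL or sender != claimed_org_domain:
        signs.append("sender address not from the claimed organization")
    body = msg.get_payload(decode=True).decode(errors="replace")
    if any(k in body.lower() for k in URGENCY):
        signs.append("demands immediate action")
    parser = Links(); parser.feed(body)
    for href, text in parser.links:  # link leads off-site, or its text names another host
        if domain(href) != claimed_org_domain or ("." in text and domain(text) != domain(href)):
            signs.append("link goes to %s, not the organization" % domain(href))
            break
    return signs

# Constructed sample message for the demonstration (not taken from the slides)
SAMPLE = """From: First Bank Security <alerts@gmail.com>
Content-Type: text/html

<p>Your account will be closed unless you verify within 24 hours.</p>
<a href="http://firstbank-secure.example.net/login">www.firstbank.example</a>
"""
```

Calling `phishing_signs(SAMPLE, "firstbank.example")` reports all three signs; a genuine statement notice from the bank's own domain with a link to that domain reports none. The other signs on the slide (spelling, tone, unexpected attachments) still need a human reader.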