Cyber Security Risk Management and Identity Theft


Page 1

2017 COMPASS LLC www.COMPASScyber.com

2017 MD SHRM State Conference

Presented by Robert “Bob” Olsen, Chief Executive Officer

MS ITS, MBA, CISSP, CISM

October 16, 2017

Cyber Security – Risk Management and Identity Theft

This presentation may not be reproduced or distributed without prior written approval of COMPASS Cyber Security.

Page 2

Agenda

• Cyber Security Threats Overview
• Practical Tips and Considerations
• Responding to Identity Theft


Page 3

Common Misconceptions

• We would never be targeted by a hacker,
• My IT team is responsible for cyber security,
• We do not need to train our employees on security awareness,
• All our data is in the cloud so we are no longer responsible for protecting it,
• “We have cyber liability insurance so we are good”.


Page 4

2017 Verizon Data Breach Report


Page 5

2017 Verizon Data Breach Report


Page 6

Threat Actors – External

• Script Kiddies,
  • Ego, victim embarrassment,
• 3rd Party Application Vendor,
  • Financial gain, negligence,
• Hacktivists,
  • Cause driven - religious, political, environmental.


Page 7

Threat Actors – External

• Criminal Hacker,
  • Financial gain,
  • Extortion,
  • High value client targets,
• Nation State,
  • Blackmail,
  • Espionage,
  • Financial gain.


Page 8

Threat Actors – Internal

• Negligent Insider,
  • Lost mobile device,
  • Accesses sensitive data from personal device,
• 3rd Party Vendor,
  • HVAC, security, janitorial, etc.,
• Malicious Insider,
  • Disgruntled employee(s),
  • Bribed or blackmailed employee.

Page 9

Threats and Business Impacts

• Phishing – loss of data, brand damage,
• BEC – transfer of $, brand damage,
• Ransomware – loss of data and extortion, brand damage,
• DDoS – loss of client access to portal, brand damage,
• Stolen user credentials – unauthorized 3rd party access, brand damage.


Page 10

Threats and Risks Analysis


Page 11

Phishing Example


Elements of the phishing email called out on the slide:
• Nearly identical email address (JohnHill vs. JohnHilll)
• Place she had visited, taken from Facebook
• Name of a local bank
• Home address, including phone number
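The lookalike address on the slide (JohnHill vs. JohnHilll) is one extra character away from a trusted contact, which is exactly the kind of near-miss a mail filter can flag before a reader has to notice it. The block below is an added example, not code from the COMPASS deck: it scores an inbound From header against a constructed address book with Levenshtein edit distance and also flags a known local part arriving from a different domain. The contact addresses, threshold and header strings are assumptions chosen for illustration.

```python
"""Flag inbound senders that are near-misses of known contacts.

Added example, not part of the original presentation. Two checks are
applied to the normalized sender address:
  1. small edit distance to a trusted contact (JohnHill vs. JohnHilll),
  2. identical local part but a different domain (name reuse on free mail).
The address book and headers below are constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample address book (hypothetical addresses).
KNOWN_CONTACTS = {
    "johnhill@example-bank.com",
    "payroll@example.com",
}

# Assumed threshold: addresses within this many edits are treated as lookalikes.
MAX_EDITS = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via a two-row DP table."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    sender: str
    matched_contact: str | None
    distance: int | None
    lookalike: bool
    reason: str


def normalize(from_header: str) -> str:
    """Strip the display-name wrapper and lower-case: 'John Hill <x@y>' -> 'x@y'."""
    m = re.search(r"<([^>]+)>", from_header)
    core = m.group(1) if m else from_header
    return core.strip().lower()


def classify_sender(from_header: str, contacts=KNOWN_CONTACTS,
                    max_edits: int = MAX_EDITS) -> Verdict:
    """Return a Verdict describing whether the sender resembles a known contact."""
    sender = normalize(from_header)
    if sender in contacts:
        return Verdict(sender, sender, 0, False, "exact match to known contact")

    local, _, domain = sender.partition("@")
    best, best_d = None, None
    for c in contacts:
        d = levenshtein(sender, c)
        if best_d is None or d < best_d:
            best, best_d = c, d
        # Check 2: same mailbox name, different domain.
        c_local, _, c_domain = c.partition("@")
        if c_local == local and c_domain != domain:
            return Verdict(sender, c, d, True,
                           "known local part sent from a different domain")

    # Check 1: a few edits away from a trusted address, but not identical.
    if best_d is not None and 0 < best_d <= max_edits:
        return Verdict(sender, best, best_d, True,
                       f"within {best_d} edit(s) of a known contact")
    return Verdict(sender, None, None, False, "no resemblance to known contacts")


if __name__ == "__main__":
    # Constructed From headers for demonstration.
    for hdr in ("John Hill <JohnHilll@example-bank.com>",
                "johnhill@example-bank.com",
                "John Hill <johnhill@freemail.example>",
                "newsletter@unrelated.org"):
        v = classify_sender(hdr)
        print(f"{v.sender:40} lookalike={v.lookalike!s:5} {v.reason}")
```

The edit-distance threshold is a tuning knob: two edits is tolerant for addresses of this length but will over-flag very short mailbox names, so in practice the list of contacts compared should be limited to executives, finance and HR addresses that phishers actually imitate, and a hit should route the message to a banner or a quarantine review rather than an automatic block.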

Page 12

Threat/Controls Mapping Example

PEOPLE: Culture of Security; Awareness Training; Mock Phishing; Role Based Access
POLICY: Least Access Privileges; Incident Response Plan; BCP/DRP; Cyber Insurance; Data Governance
TECHNOLOGY: Email Filters; Firewall; Network Segmentation; Patch Management; SIEM; IDS/IPS

Page 13

Practical Tips – Policy

• Inventory and classify your data,
• Catalog and classify your data,
• Focus protection measures on most sensitive data,
• Perform annual policy reviews,
  • Organization changes,
  • Emerging/new technology,
  • Newly outsourced/insourced functions,
• Policies should include all departments.


Page 14

Practical Tips – People

• People are the weakest link!
• Senior leadership support is critical,
  • Lead by example,
• Regularly raise employee security awareness,
  • “Drip” method,
  • Seminars, webinars, podcasts, security tips, etc.,
• Create a culture of security and make it personal for everyone.


Page 15

Creating a Culture of Security

• Make it personal,
  • “If this, then that” examples,
• Tailor training to specific functions:
  • Option 1 – Individual departments (HR, finance, legal) and general population,
  • Option 2 – Group high risk users (HR, finance, legal) and general population,
• Incorporate reminders into everyday activities.


Page 16

House Analogy – Technology

Your Residence – Your Organization
• Locks on doors – Passwords, 2 factor authentication
• Monitored alarm system – Firewall, antivirus, security monitoring
• Signage – Group policies
• Safe for valuables – Network segmentation, encryption
• Dog – Firewall, intrusion detection system, network alarms
• Video cameras – Security incident & event monitoring (SIEM)
• Security guard(s) – Security consultants
• Police activity reports – Threat intelligence

Page 17

House Analogy – People & Policy

Your Residence – Your Organization
• Individual keys – Password management; privileged access; access control policy
• Alarm system code(s) – Role based access; password management
• Stranger danger awareness – Security awareness training
• Check who is at door before opening – Role based access (guest/faculty); awareness training
• Annual fire drill exercises – Phishing exercises, incident response plan

Page 18

Practical Tips – Technology

• Technology should support and enforce your policies,
• Layered defense is the most effective,
• Ensure that you are regularly updating your network devices (laptops, firewalls, servers, etc.),
  • Operating systems and applications,
• Understand the risks of your cloud provider(s).


Page 19

Identity Theft

• PII and/or PHI used to create a false identity,
  • Employees,
  • Family members,
  • Clients,
• Usage examples include credit cards, false tax returns, store loyalty programs, internal impersonation,
• A combination of technical and social engineering tactics is being used.


Page 20

Identity Theft Fraud Statistics


Page 21

Identity Theft Fraud Statistics


Page 22

Identity Theft Top 10 States – 2015

1. Missouri
2. Connecticut
3. Florida
4. Maryland
5. Illinois
6. Michigan
7. Georgia
8. Texas
9. New Hampshire
10. California

Ranked based upon complaints per 100,000 residents. Source – Insurance Information Institute

Page 23

https://www.identitytheft.gov

Identity Theft Response Steps


Page 24

https://www.identitytheft.gov

Identity Theft Response Steps


Page 25

https://www.identitytheft.gov

Identity Theft Response Steps


Page 26

Summary

• Hackers are targeting all organizations that possess high value data,
• Human resources professionals play a key role in cyber security,
• A risk management approach is the most effective and practical one,
• You must be proactive,
• Cyber security is a team sport.


Page 27

Contact Information

Robert (Bob) Olsen

Chief Executive Officer

[email protected]

410-340-3560

LinkedIn: @rolsen3

Twitter: @rlolsen3 and @compasscyber


Page 28

Follow Us

WASHINGTON, DC

701 8th Street NW

Suite 400

Washington, DC 20001

BALTIMORE

250 S President Street

Suite 2300

Baltimore, MD 21202

https://www.facebook.com/compasscyber

https://www.linkedin.com/compasscyber

https://twitter.com/COMPASScyber

https://plus.google.com/+COMPASSCyberSecurityBaltimore

https://soundcloud.com/compasscyberguide

https://itunes.apple.com/us/podcast/the-cyberguide/