© 2019 RSM US LLP. All Rights Reserved....10 Hacking – Breaking through vulnerability and moving...

Date post: 11-Jul-2020

UNDERSTANDING THE CYBER THREAT LANDSCAPE


About your Speaker

3

Shan Grant, Supervisor

Security, Privacy & Risk Services

[email protected]

https://www.linkedin.com/in/shan-grant/

• 15+ years security and privacy experience

• Originally from Brooklyn, New York; moved to Florida in 2018

• PCI QSA & PA-QSA, CISSP, CISA, Fair Credit Reporting Act (FCRA) Certification

• Designed and worked on compliance programs for financial entities, fintechs, healthcare/healthtech, and non-profits

• Specializing in regulated environments:

• Payment Card Industry (PCI)

• HIPAA

• CRA (FCRA)

• FDIC/FFIEC

• Data Privacy

• Career Highlight: Worked Cannes Film Festival


GIMME SOME MO’ PRIVACY


History of privacy

5


Going down privacy lane

6


How is CCPA different than GDPR?

7

Different consumer rights:

Rights covered                         GDPR   CCPA
Right to know and of access             X      X
Right to deletion/erasure               X      X
Right to restriction of processing      X
Right to data portability               X      X
Right to object                         X
Right to opt out of sale                       X
Right to equal service and price               X
Right to opt in (minors under 16)              X

In addition to compliance, it's really all about the data: what type of data you hold and how it is used. Data governance and management programs should map data for both regimes.

[Diagram: overlap of GDPR compliance and CCPA compliance]


Privacy Cliff Notes

• Nevada Online Privacy Law
• New York Privacy Act
• Maine Act to Protect the Privacy of Online Consumer Information
• Massachusetts Data Privacy Law
• Hawaii Consumer Privacy Protection Act
• Maryland Online Consumer Protection Act

8


THE THREATS

9


Primary Exploits Leveraged by Cyber Threats

10

Hacking – Breaking through a vulnerability and moving laterally
− Network penetration
− Data leakage and theft
− Social engineering

APT – "Uninvited Guest"
− Arrives in your network and stays there under the radar
− Harvests information over time
− Typically not found by anti-virus software
− Sophisticated

Malware – Code that is designed to do bad things
− Execution of malicious code on your infrastructure
− Escalation of privileges
− Shutting down your network (DDoS)
− Encrypting your data (ransomware)


Ransomware-as-a-Service

• Let's talk about GandCrab
− On the scene in January 2018
− Off the scene mid-2019: complete shutdown
− Reported as RaaS

11

All the good things come to an end.For the year of working with us, people have earned more than $2 billion… Earning with us per week $2,500,000.We personally earned more than 150 million dollars per year. We successfully cashed this money and legalized it….


Ransomware recovery

• There's no guarantee that all the data will be recovered.
− Roughly 5–15% loss even with a decryptor

• Businesses are down for an average of nine days.

• For complete recovery, it could take weeks to years. Consider:
− System wipes
− Recovery from backups
− Repeating the process for each server or computer

12


Facts & Stats

• Hackers attack every 39 seconds
• 43% of cyber attacks target small businesses (can we find out how susceptible middle-market companies are, from our cyber survey, here)
• In 2018, hackers stole half a billion personal records
• 95% of cybersecurity breaches are due to human error
• Cyber-criminals and hackers will infiltrate your company through your weakest link, which is almost never in the IT department.
• Most companies take nearly 6 months to detect a data breach, even major ones: Equifax, Capital One, and Facebook, just to name a few. Information such as passwords, credit card details, and social security numbers may already be compromised by the time you're notified.

13


COMBATING THREATS


If you do it at home, you’ll do it at work

• Use a cloud-based password safe
− Automatically generates passwords
− Prevents reuse of passwords
− Checks for compromised passwords
− Some allow document storage or personal-detail storage
− It's in the cloud, but you can export it
Examples: Bitwarden, 1Password, Dashlane, LastPass, KeePassXC (not cloud based). See https://www.wired.com/story/best-password-managers/

• Use Multifactor Authentication (MFA)
− Two or more of the following, from different categories:
• Something you know
• Something you have
• Something you are
Examples: Google Authenticator, Authy, Yubico

• Consider a VPN provider
− Research (Google) them!
− Check for DNS leakage
− Working remotely? Hop on the corporate VPN
Why VPN and highly rated providers: https://www.forbes.com/sites/kateoflahertyuk/2019/04/19/heres-why-you-need-a-vpn-and-which-one-to-choose/#6e36315a23c9

Takeaways: Complicated password. Enable MFA. Turn on notifications.


Other cool things about password managers

16
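One of those things is the "checks for compromised passwords" feature from the previous slide. Password managers typically implement it with the Pwned Passwords k-anonymity range protocol: the client hashes the password with SHA-1, sends only the first five hex characters, gets back every known suffix for that prefix, and does the match locally, so neither the password nor its full hash leaves the machine. The block below is an added example, not code from the RSM deck or from any password manager; the HTTPS fetch is replaced by a constructed, offline response body, and the breach counts and the extra suffixes in it are made up.

```python
"""Compromised-password lookup via the k-anonymity range protocol used by Pwned Passwords.

Added example, not from the original slides. Real clients GET
https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>; here the fetch
is a constructed, offline stand-in and its counts are invented.
"""
import hashlib
from typing import Callable, Dict, Tuple


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Uppercase hex SHA-1 of the password, split into the 5-char prefix that is sent
    to the server and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Response lines are 'SUFFIX:COUNT'. With padding enabled the server also returns
    suffixes with count 0; they are harmless because we only look up our own suffix.
    Malformed lines are skipped rather than trusted."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and suffix and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus (0 if absent).
    fetch_range receives ONLY the 5-char prefix, never the password or the full hash."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the server. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so prefix 5BAA6 carries its suffix.
# The counts and the other two suffixes are invented for this example.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1D2E4A7B9C8F0E1D2C3B4A5968778695A4B:2",
        "000000000000000000000000000000" "0000A:0",  # padding-style entry
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for the HTTPS GET; unknown prefixes return an empty body."""
    return FAKE_RANGE_RESPONSES.get(prefix.upper(), "")


if __name__ == "__main__":
    for candidate in ("password", "a passphrase the stand-in has never seen"):
        n = pwned_count(candidate, fake_fetch_range)
        print(f"{candidate!r}: {'seen ' + str(n) + ' times, reject' if n else 'not in corpus'}")
```

The design choice worth noticing is the injection of the fetcher: the only value that crosses the trust boundary is the prefix, so the same check can be pointed at the public service, a corporate mirror, or, as here, a test double, without the password ever leaving the process.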


Social

• Review privacy and security settings
• Third-party app authorization: remove it when no longer needed
• Consider what you're posting publicly vs. privately
• Remember people can screenshot something before you have the chance to take it down
• Search yourself

17


Data retention – can you get rid of it?

• Old documents

• Disable or delete old accounts

• Where is your data?
− Data hosting (Dropbox, Box, etc.)
− Digital image printing platforms
− Old email accounts
− Old devices

18


BE VIGILANT BE AWARE

19


Ransomware Attack Prevention

• Cyber security tenets are the same
− Patch your systems
− Limit access to data and systems
• Particularly write access
− Off-site backups or a snapshot backup service
− Good AV/anti-malware

20

Trust nothing: from emails to network shares


Some personal security suggestions

21

Security, security
• Always ask why someone needs your information
• Do not use public Wi-Fi
• People actually "dumpster dive"

Social engineering
• "Delivery person," "corporate IT"
• A LinkedIn "recruiter" or "met you at a conference" request to add you to their network

Too much information (TMI)
• Geolocation tagging in photos or social media posts
• Be careful what you post on social media


This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. Internal Revenue Service rules require us to inform you that this communication may be deemed a solicitation to provide tax services. This communication is being sent to individuals who have subscribed to receive it or who we believe would have an interest in the topics discussed.

RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International.

RSM, the RSM logo and the power of being understood are registered trademarks of RSM International Association.


Shan Grant, RSM US LLP
100 NE Third Ave., Suite 300, Fort Lauderdale, FL 33301
D: [email protected]

