Hot Topics in Cybersecurity & Employee Privacy
Jimmy Byars, Esq., Associate
Cesar Burgos, CISA, CISSP, Director of Professional Services, Nextra Solutions
Employment & Labor Law Practice Group
Quarterly Breakfast Briefing
September 19, 2017
www.nexsenpruet.com Hot Topics in Cybersecurity and Employee Privacy
OVERVIEW
CYBERSECURITY DEPENDS ON HAVING THE RIGHT PEOPLE, THE RIGHT PROCESSES, AND THE RIGHT TECHNOLOGY…
…BUT CYBERSECURITY BEGINS AND ENDS WITH PEOPLE.
Information Governance Policies (Company-Wide)
Employment Policies
Implementation by People
INDUSTRY EXPERIENCE
CESAR BURGOS
▸ Script Kiddy
▸ SOC Engineer
▸ Ethical Hacker
▸ Social Engineer
▸ Solutions Architect
▸ Systems Auditor
▸ Global DR Service
CYBERCRIME IS A BUSINESS
‣ Explosion in black market (“Dark Web”) value for data
‣ “Hacking as a service”
‣ Estimated average ROI of 1500%
‣ “Cybercrime as a commodity”
‣ Exploit kits, etc.
‣ Billions in losses each year
‣ Difficult to detect and adequately respond—especially with overseas actors
CYBERCRIME IS A BUSINESS
2015 TARGETS BY INDUSTRY
‣ Source: Trustwave Global Security Report, as reported by The Atlantic, “Hacking Inc.: The Employee Handbook,” 2016 [http://www.theatlantic.com/sponsored/hpe-2016/hacking-inc-the-employee-handbook/1049]
WHO MIGHT BE BEHIND IT?
▸ Careless employee
▸ Criminal syndicate
▸ Malicious employee
▸ Hacktivists
▸ External contractor
▸ Lone wolf
▸ State-sponsored attacker
▸ Supplier
▸ Other business partner
▸ Customer
WHAT DO HACKERS WANT?
‣ Confidential/proprietary company info
‣ Financial info (credit card numbers, direct deposit info, etc.)
‣ Personal identifying info (SSNs, DOBs, addresses, etc.)
‣ Corporate communications
‣ Malware/virus introduction
‣ Control
HOW DO THEY GET IT?
MOST COMMON METHODS
‣ Brute-force attack - a hacking method that finds passwords or encryption keys by systematically trying candidate values until one works
‣ Catfish - creating a fake online profile to deceive
‣ Drive-by download - a virus or malware downloaded onto your device, typically without your knowledge, when you visit a compromised website
‣ Ghosting - theft of the identity of a deceased person
‣ Hash busters - random words or sentences added to a message to bypass spam filters
‣ Keylogger - software that logs sequential keystrokes to capture login credentials
‣ Malvertising - malicious online advertising containing malware
MOST COMMON METHODS (CONTINUED)
‣ Pharming - hackers use malicious programs to redirect traffic for legitimate websites to fraudulent ones
‣ Phishing - trying to trick you into providing sensitive personal data
‣ Ransomware - a program that restricts access to your computer or files by hijacking (typically encrypting) them and demanding payment
‣ Spear phishing - phishing with a personalized email that appears to come from someone you know
‣ Spoofing - a person or system masquerading as someone else
‣ Spyware - malware installed on your computer to track your actions and collect data
CONSEQUENCES OF BREACH
TANGIBLE CONSEQUENCES = MONEY
‣ Regulatory fines
‣ Legal fees
‣ Consulting fees
‣ Notification fees
‣ Security & privacy liability
‣ Third-party costs
CONSEQUENCES OF BREACH
INTANGIBLE CONSEQUENCES = TIME & REPUTATION
‣ Business interruption
- 61 days from occurrence to discovery
- 8 days from discovery to containment
- 40 days until forensic investigation is complete
- 41 days from discovery to notification
‣ Reputational damage
‣ Theft of intellectual property
WHAT CAN WE DO?
THE 90-10 RULE
• Good security standards follow the "90 / 10" rule
– 10% of security safeguards are technical.
– 90% of security safeguards rely on people ("YOU") to assess risks, implement and communicate policies/procedures, and adhere to good computing practices.
• Example: The lock on the door is the 10%. You remembering to lock the lock, delegating locking rights to the right people, checking to see if the door is closed, ensuring others do not prop the door open, keeping control of the keys, testing the lock to make sure it works, etc. is the 90%. You need both parts for effective security.
• THE POINT: MOST CYBERSECURITY PROTECTION—AND MOST RISKS—COME FROM EMPLOYEES. Even well-meaning ones.
WHAT CAN WE DO?
UNDERSTAND YOUR DATA AND ITS RISKS
‣ What do we have?
‣ Where and how is it stored?
‣ Who has access?
‣ How is access restricted—and by whom?
‣ How is access recorded? (logs, etc.)
‣ How is access monitored – and by whom? (security patches, etc.)
‣ What devices can access it, and who controls those devices?
‣ Do we have clear, effective, and comprehensive policies?
‣ How are those policies trained and implemented?
‣ WHAT COULD GO WRONG?
WHAT CAN WE DO?
DEVELOP, COMMUNICATE, TRAIN, AND ENFORCE POLICIES
‣ Info governance policies – management/IT
- Committing funds
- Assessing & prioritizing risks
- Developing/implementing procedures
‣ Employment policies – IT/HR
‣ Training – IT/HR
‣ Auditing – IT
‣ Accountability – IT/HR
INFORMATION GOVERNANCE POLICIES
IT STAFF PLAY AN IMPORTANT ROLE IN ELECTRONIC SECURITY
‣ IT security policies and related measures on the network side can both boost data security and provide important means for identifying movement of info and potential policy violations
‣ IT staff or consultants can play an important role in identifying where security gaps may exist and the best methods of preventing and detecting potential misappropriation
‣ Biggest issues/questions for IT staff to address:
1. Who can access the company’s confidential ESI?
2. What steps can be taken to limit access and discover misuse?
3. What role do employees play, and how should they be trained?
ELECTRONIC SECURITY TOOLS – THE “TECH”
EXAMPLES
1. Data Loss Prevention (DLP) tools: monitor and report movement of data on/off the secure network to an external device or non-network location
2. Auto-encryption tools: automatically encrypt and password-protect data moved to external devices and/or preclude access on computers/devices not connected to the company network
3. Email monitoring protocols: periodically generate reports of data emailed to non-company accounts
4. Access rights: restrict access to certain portions of the company network to authorized individuals on a need-to-know basis
5. Multi-factor authentication: require those with access to certain portions of the network to enter a password AND confirm identity through other means (phone, USB token, etc.)
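To make the DLP and email-monitoring items concrete, here is an added Python example; it is not part of the presentation and not any vendor's product. It parses a constructed mail-gateway log, flags every message that carried an attachment to a recipient outside the company's own domains, and summarises the flagged traffic per sender, which is the shape of the "periodic report of data emailed to non-company accounts" the slide describes. The log format, the placeholder domain company.example and the sample messages are all assumptions made for this example.

```python
"""Added example, not from the presentation: a minimal e-mail monitoring
report of the kind the "DLP" and "Email monitoring protocols" bullets
describe. Log format, domains and messages are constructed here."""
import re
from collections import Counter

# Placeholder company domains (assumption; not a real company).
COMPANY_DOMAINS = {"company.example"}

# Constructed mail-gateway log: one message per line, key=value fields.
# 'to' may list several recipients separated by commas; attach=none means
# no attachment was present.
SAMPLE_LOG = """\
2017-09-18T08:12:03Z msg=1001 from=david@company.example to=sales-team@company.example attach=none size=1200
2017-09-18T08:40:51Z msg=1002 from=david@company.example to=david.home@mail.example attach=q3_forecast.xlsx size=2048000
2017-09-18T09:05:17Z msg=1003 from=alice@company.example to=vendor@partner.example attach=none size=900
2017-09-18T17:22:44Z msg=1004 from=david@company.example to=david.home@mail.example,sales-team@company.example attach=customer_intel.csv size=7340032
2017-09-18T17:30:02Z msg=1005 from=alice@company.example to=alice@company.example attach=report.pdf size=512000
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn '<timestamp> k=v k=v ...' into a dict (timestamp stored under 'ts')."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    fields["to"] = fields.get("to", "").split(",")
    return fields


def domain_of(address):
    """Mail domain of an address, lower-cased for comparison."""
    return address.rpartition("@")[2].lower()


def external_recipients(msg, company_domains=COMPANY_DOMAINS):
    """Recipients whose domain is not one of the company's own."""
    return [r for r in msg["to"] if domain_of(r) not in company_domains]


def flag_external_transfers(log_text, company_domains=COMPANY_DOMAINS):
    """Return one record per message that sent an attachment to a non-company address.

    External mail without an attachment is deliberately not flagged: the report
    is about data movement, and a plain message to a vendor is routine business.
    """
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        msg = parse_line(line)
        ext = external_recipients(msg, company_domains)
        if ext and msg.get("attach", "none") != "none":
            flagged.append({
                "ts": msg["ts"],
                "msg": msg["msg"],
                "from": msg["from"],
                "external_to": ext,
                "attach": msg["attach"],
                "bytes": int(msg.get("size", "0")),
            })
    return flagged


def report_by_sender(flagged):
    """Summary for the periodic report: flagged messages and bytes per sender."""
    counts = Counter()
    volume = Counter()
    for rec in flagged:
        counts[rec["from"]] += 1
        volume[rec["from"]] += rec["bytes"]
    return {s: {"messages": counts[s], "bytes": volume[s]} for s in counts}


if __name__ == "__main__":
    hits = flag_external_transfers(SAMPLE_LOG)
    for rec in hits:
        print(f'{rec["ts"]} {rec["from"]} -> {",".join(rec["external_to"])} '
              f'sent {rec["attach"]} ({rec["bytes"]} bytes)')
    print(report_by_sender(hits))
```

Run as a script it prints the two flagged messages (both from david, both to his personal address) and the per-sender totals. A real deployment would read the gateway's own export format and feed the summary to whoever owns the review, but the decision logic, external recipient plus attachment, is the same.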
ELECTRONIC SECURITY TOOLS – THE “TECH”
BEST PRACTICES
‣ KNOW WHAT YOU NEED
‣ Multi-vendor approach
‣ Implement automated systems with great alerting and reporting
‣ Audit and test third-party vendors
INFORMATION GOVERNANCE POLICIES
PHYSICAL SECURITY MEASURES
‣ Physical security measures can serve to restrict physical access to sensitive info, track who had access to info and when, and deter misappropriation
‣ Examples:
1. Keycards
2. Video surveillance
3. Screen barriers
4. Remotely-accessed or time-delayed doors
5. Physical locks on workstations or computers
6. Secure shredding
EMPLOYMENT POLICIES & PROCEDURES
DATA SECURITY BASICS
‣ Written security policies are critical to protecting the company’s electronically-stored info (ESI)
‣ Not enough to just have policies – they need to be communicated, followed, and enforced
‣ At a minimum, policies should define:
1. What types of ESI are confidential
2. Where and how confidential ESI must be stored or accessed, and by whom
3. Restrictions on transfer/reproduction
4. Company monitoring rights
DATA SECURITY POLICIES & PROCEDURES
EXAMPLE POLICY CONTENT
‣ Only access, store, and/or use info to which you have a “need to know” to perform job duties
‣ Confidential info must be encrypted, password protected, and/or maintained solely on the Company secure network
‣ *Transfer of Company information to external devices, networks, or accounts is prohibited unless expressly authorized*
‣ All Company-owned devices and information stored thereon are exclusive Company property… and may be monitored, intercepted, etc. at any time without notice. NO EXPECTATION OF PRIVACY IN USE OF COMPANY PROPERTY
‣ Company-owned devices and related passwords cannot be shared with or accessible to anyone, including coworkers
‣ No copies/reproductions of ESI unless necessary to perform job duties or otherwise expressly authorized
DATA SECURITY POLICIES & PROCEDURES
EMPLOYEE PRIVACY ISSUES
‣ Privacy rights are limited… but not non-existent
‣ Policies, procedures, and tech must balance privacy
‣ Employment policies should clearly identify the limits of employees’ “expectation of privacy”
‣ Potential issues with “surveillance”
- Property rights (think BYOD)
- Consent (audio vs. video vs. electronic)
- NLRA risks – “protected activity”
- Stored Communications Act
- Whistleblower protections
ONBOARDING DATA SECURITY PROCEDURES
NEW HIRE CHECKLIST
‣ Ensure employee does not have a risk history (i.e. appropriate background/reference check in accordance with job role)
‣ Ensure all devices employee will use have appropriate security tools and apps installed and functional
‣ Ensure network access is configured in accordance with job description – including remote access rights
‣ Distribute handbook and/or other policies and require employee to sign acknowledgement of receipt
‣ TRAIN employee on confidentiality/e-security policies and permissible access, use, and disclosure of info
ONBOARDING DATA SECURITY PROCEDURES
COMMON SCENARIOS & MIS-STEPS
‣ Access rights. David is solely responsible for selling/marketing products in the Midlands. But his username/password to get on the company’s internal networks gives him access to everything – R&D, customer accounts/payment data, competitive data for other markets, company credit/routing numbers, etc.
‣ Devices. The company lets David use his own laptop/phone for work purposes. He’s supposed to install some security software, but no one checks or coordinates that process.
‣ VPN. Since he travels so much, David is provided with VPN rights to access the company’s networks remotely from the road or from his home, with no restrictions on the device being used and no change in log-in requirements from ordinary network access.
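The "access rights" mis-step above is a need-to-know problem: one login, scoped to nothing. The following added Python example (not from the presentation, and not any product's access model) shows what the onboarding check "network access is configured in accordance with job description" looks like when written down: a role carries the data categories and the sales region its job needs, access is denied unless both match, and a reviewer can list exactly which resources an over-broad role reaches that the intended role would not. The roles, resource names, categories and regions are invented for the example.

```python
"""Added example, not from the presentation: a need-to-know access check for
the 'David' scenario. Roles, resource names, categories and regions are all
invented for this example."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

ANY = "*"  # wildcard used only by the unscoped "all access" role


@dataclass(frozen=True)
class Resource:
    name: str
    category: str                 # e.g. "customer_accounts", "payment_data", "rnd"
    region: Optional[str] = None  # None = company-wide, not tied to one sales region


@dataclass(frozen=True)
class Role:
    name: str
    categories: FrozenSet[str]    # data categories the role needs for its job
    regions: FrozenSet[str]       # sales regions the role is scoped to


# What David should have: only the categories and region his job description needs.
SALES_REP_MIDLANDS = Role("sales_rep_midlands",
                          frozenset({"customer_accounts", "marketing"}),
                          frozenset({"midlands"}))
# What David actually got on the slide: one login that reaches everything.
ALL_ACCESS = Role("all_access", frozenset({ANY}), frozenset({ANY}))

# Constructed inventory of the data David's login could reach.
INVENTORY = [
    Resource("midlands_customer_accounts", "customer_accounts", "midlands"),
    Resource("midlands_payment_data", "payment_data", "midlands"),
    Resource("northeast_customer_accounts", "customer_accounts", "northeast"),
    Resource("product_brochures", "marketing"),
    Resource("rnd_roadmap", "rnd"),
    Resource("bank_routing_numbers", "finance"),
]


def can_access(role: Role, resource: Resource) -> bool:
    """Deny unless both the data category and the region fall within the role's scope."""
    if ANY not in role.categories and resource.category not in role.categories:
        return False
    if resource.region is None:          # company-wide item within an allowed category
        return True
    return ANY in role.regions or resource.region in role.regions


def review_grants(role: Role, inventory=INVENTORY):
    """What an onboarding reviewer looks at: each resource and whether the role reaches it."""
    return {r.name: can_access(role, r) for r in inventory}


def excess_grants(actual: Role, intended: Role, inventory=INVENTORY):
    """Resources reachable under the actual role that the intended role would not allow."""
    return sorted(r.name for r in inventory
                  if can_access(actual, r) and not can_access(intended, r))


if __name__ == "__main__":
    for name, ok in review_grants(SALES_REP_MIDLANDS).items():
        print(f"{'ALLOW' if ok else 'DENY '} {name}")
    print("over-provisioned:", excess_grants(ALL_ACCESS, SALES_REP_MIDLANDS))
```

Note that payment data for David's own region is still denied: the region matches, but his job does not need the payment category, and the check requires both. Deny-by-default is what makes the "excess grants" list meaningful; an unknown category or region falls through to a refusal rather than an allow.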
EMPLOYMENT PHASE DATA SECURITY PROCEDURES
EMPLOYMENT CHECKLIST
• Frequent training on security policy
• Periodic updates/workshops on security practices in the workplace
• Recognizing and reporting potential security risks
• Password complexity and management
• Proper handling & disposal of confidential documents & information
• Third-party access to work spaces
• Email authentication procedures (the “social engineering” problem)
• Communicate about security threats as they are identified and addressed
• Make information security duties part of the job description
EMPLOYMENT PHASE DATA SECURITY PROCEDURES
COMMON SCENARIOS & MIS-STEPS
‣ Bad passwords. David’s password is his wife’s name and their wedding date—the same password he uses for everything else. (Remember the VPN…)
‣ Document management. When David needs to work from home, he emails (unencrypted) documents to his personal email account to avoid going through the VPN. He also throws documents in the trash when he’s done.
‣ Devices. David’s kids know the password to his work tablet so they can get online when his wife is using the family computer. One kid loses the tablet on a family trip, so David just buys another and loads it with data using a USB drive.
‣ Vendors. David is working with a vendor to do a customer analysis, and a customer intelligence file kept on the company intranet is too big to send via email. He loads it on his personal Google Drive account and sends a link to the vendor.
EMPLOYMENT PHASE DATA SECURITY PROCEDURES
SOCIAL ENGINEERING
‣ Obtaining confidential info by manipulation of legitimate users (“users are the weak link in security”)
‣ Generally involves communications with the indicia of legitimacy to people who may be tricked into disclosing or providing data or access to other internal networks
‣ Sometimes it only takes one hook into the company’s network to set off a data breach chain
‣ Example: John Podesta
‣ What can be done? Users must be familiar enough with security procedures to identify suspicious activity, and must know a verifiable and trusted person to contact with questions or concerns.
EMPLOYMENT PHASE DATA SECURITY PROCEDURES
SOCIAL ENGINEERING: HOW A HACKER WORKS
• Posed as Tracy from I/T and wanted Carl to provide his password for strength testing. He would not immediately respond but offered to call me back after I sent him an email request. We then sent him a “spoofed” email message asking him to call 585-721-0159 (cell phone of Jeff Thon, xDefenders). Carl called back immediately and provided his password.
• We called Tracy and posed as Steve of a sister company and told him that our password was not working and we needed another. Tracy gave us a temporary password.
• We called Dave and posed as Matt (we had learned from Tracy that Matt handles DNS changes) and told him that we needed a new password with 8 characters for the Active Directory roll-out. We asked for the current password and he gave them to us.
OFFBOARDING DATA SECURITY PROCEDURES
TERMINATION CHECKLIST
‣ Require employee to surrender ALL company devices (phone, tablet, laptop, external storage, etc.) immediately upon receiving notice of resignation/termination
‣ Immediately disable all electronic access to company networks, devices, etc. (remote wipe if necessary)
‣ Require employee to return ALL hard-copy documents or other employer property and sign acknowledgement confirming all has been returned
‣ Provide escort/supervisor for offboarding process
‣ Remind employee in writing of restrictive covenants and provide duplicate copies
‣ Consider IT audit of network activity
OFFBOARDING DATA SECURITY PROCEDURES
COMMON SCENARIOS AND MIS-STEPS
‣ Work the notice. David unexpectedly gives his two weeks’ notice. The company lets him keep working and doesn’t restrict his electronic access to internal networks.
‣ Keep the devices. David was a BYOD employee; he used a personal iPhone and iPad for work. Someone is supposed to remotely wipe them, but he said he deleted everything off them, so nothing gets reviewed.
‣ Bad blood. David’s company tells him he’s fired when he tries to resign. His manager is busy and doesn’t promptly call IT to cut off his network rights. David still has VPN access 3 days later.
‣ Vendors. David forgets to get in touch with the 3rd-party vendor to whom he sent the client intelligence file. The vendor’s rep gets mad because they never got paid.
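The "bad blood" scenario, where a busy manager leaves David's VPN enabled for three days, is caught by a routine reconciliation between HR and the access systems rather than by anyone remembering to make a call. The added Python example below is not from the presentation; it joins a constructed HR roster against a constructed export of enabled accounts, reports every grant still enabled for a terminated employee with the number of days it has been overdue, and separately lists enabled accounts that have no HR record at all. The records, the system names and the audit date (18 September 2017, chosen so David's VPN shows as three days overdue like the slide) are all assumptions.

```python
"""Added example, not from the presentation: an offboarding audit that
compares the HR roster with the accounts still enabled on each system, to
catch the 'David still has VPN access 3 days later' case. All records are
constructed for this example."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    user: str
    status: str                       # "active" or "terminated"
    termination_date: Optional[date]  # set when status is "terminated"


@dataclass(frozen=True)
class AccessGrant:
    user: str
    system: str                       # "vpn", "email", "keycard", "mdm", ...
    enabled: bool


# Constructed HR roster: David's last day was 15 September 2017.
HR_ROSTER = [
    Employee("david", "terminated", date(2017, 9, 15)),
    Employee("alice", "active", None),
]

# Constructed export from each access system. Email was disabled, but the VPN
# and the building keycard were missed, and "bob" is enabled on the VPN with
# no HR record at all (e.g. a contractor account nobody owns).
ACCESS_EXPORT = [
    AccessGrant("david", "email", False),
    AccessGrant("david", "vpn", True),
    AccessGrant("david", "keycard", True),
    AccessGrant("alice", "vpn", True),
    AccessGrant("alice", "email", True),
    AccessGrant("bob", "vpn", True),
]

AUDIT_DATE = date(2017, 9, 18)  # constructed date on which the audit runs


def find_stale_access(roster, grants, as_of):
    """Enabled grants belonging to terminated employees, with days since termination."""
    termination = {e.user: e.termination_date
                   for e in roster if e.status == "terminated"}
    findings = []
    for g in grants:
        if g.enabled and g.user in termination:
            days = (as_of - termination[g.user]).days
            findings.append({"user": g.user, "system": g.system, "days_overdue": days})
    return sorted(findings, key=lambda f: (f["user"], f["system"]))


def find_orphaned_access(roster, grants):
    """Enabled grants whose user has no HR record at all: nobody is accountable for them."""
    known = {e.user for e in roster}
    return sorted((g.user, g.system) for g in grants
                  if g.enabled and g.user not in known)


if __name__ == "__main__":
    for f in find_stale_access(HR_ROSTER, ACCESS_EXPORT, AUDIT_DATE):
        print(f'{f["user"]} still enabled on {f["system"]}, '
              f'{f["days_overdue"]} days after termination')
    for user, system in find_orphaned_access(HR_ROSTER, ACCESS_EXPORT):
        print(f"{user} on {system} has no HR record")
```

The point of running this daily rather than on demand is that the termination checklist only works if someone executes it; the reconciliation does not depend on the manager, and the "days overdue" figure gives HR and IT a number to act on. The orphaned-account check is the same join run the other way and usually turns up the vendor and contractor logins that no checklist covers.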
IF A BREACH OCCURS
STEP 1: ASSESS THE SITUATION
1. Assemble a response team
‣ Decision-makers (key executives)
‣ Legal
‣ Information Security/Technology
‣ PR/Communications
‣ Designated spokesperson(s)
‣ 3rd-party vendors?
2. Stop the bleeding
3. Gather the facts to assess the damage
4. Consider legal vs. PR obligations
5. Come up with a plan for mitigating/addressing the breach
IF A BREACH OCCURS
STEP 2: DEVELOP MESSAGE TO STAKEHOLDERS
1. This is what happened…
2. This is how it happened…
3. This is what we’ve done to stop it…
4. This is what we’re doing to protect you/those harmed…
5. This is what we’re doing to help make sure it never happens again…
6. Last but not least: We’re sorry for any damage/concern/trouble this may have caused.
P.S. Always tell the truth.
IF A BREACH OCCURS
STEP 3: DECIDE WHO TO TELL AND HOW TO TELL THEM
Communications should be timely and coordinated
‣ Board members, key benefactors or partners
‣ Officials: elected or regulatory officials, law enforcement as appropriate
‣ Employees… all of them
‣ Those affected/harmed: customers, patients, members, employees
‣ Media: affirmative response if reportable market event (public company) or high likelihood of coverage; otherwise, prep media statement for response
‣ Notification options depend on type of threat: email, letter, phone call, website, media, social media
IF A BREACH OCCURS
STEP 4: MONITOR AND IMPROVE
‣ Monitor damage and consumer response
‣ Assess likelihood of any continuing risks and alert mechanism to ensure damage is stopped
‣ Online: social media, blog posts, chat rooms
‣ Provide forum for public/customer questions, comments and complaints (i.e. call center)
‣ Update communications as needed and appropriate
‣ Learn from the experience and update policies, practices, and training accordingly
THE BIG PICTURE
‣ Cybersecurity isn’t just a problem for big businesses, and it isn’t just the job of IT
‣ Processes and technology are important safeguards, but employees play the most critical role
‣ Well-defined, company-specific policies + regular, meaningful training go a long way to minimize risks
‣ HR/management play a critical role in communicating employee responsibilities and demanding accountability
‣ CONSIDER AN AUDIT if there is any doubt about how well your policies/procedures guard against today’s risks
QUESTIONS/COMMENTS?
Jimmy Byars
803-540-2051
Cesar Burgos
803-540-2093