Why are Small and Mid-Size Companies Easy Targets for Hackers, and What can You do to Protect Yourself?
2/11/2015 Asher Dahan
Agenda
Security Hack
2FA
Security Concerns
Case Studies
Security Process
Security Preparation
Examples
Prevention
Recent Breaches
Costs of a Breach
Cyber Insurance
Security Hack
Security Demo
2FA – what is it and why you should use it everywhere you can
Security Concerns
Broad security concerns for businesses
For remote users
For home users
For firms that hold client data (legal implications)
In an Information Age, Information is Power
How much is your info worth to hackers? A LOT!
Info is saved, stored, and flows freely
Mobility
BYOD
Some employees have a tendency to be careless – it takes only one!
Case Studies
Law firm and insurance company
Security issues
Risk?
TJX, Home Depot, Target, JP Morgan, Anthem
Vermont Country Store, other smaller companies
HIPAA
Security is a Process of Prevention
Security is an ongoing process and there is no such thing as being completely secure!!!
The criminals work at this all day, every day, and so must your security team.
You must have a team working together to enforce security, comprised of:
Management
Legal
Communications
IT/Security
What can small/mid-size businesses do specifically to reduce their risk of exposure to a security breach?
Manage IT from a security standpoint
Behavior modification – passwords, remote logins, training
Ongoing monitoring, Two-factor authentication, employment policies
Distrust & Caution are the Parents of Security (Ben Franklin)
Security protocols, Vigilance, etc.
Security Preparation
30% of small businesses get hacked each year - of them, 60% close within a year
Security Preparation (2)
Take a proactive approach
Have a written plan in place on how to protect before, during, and after an attempt to breach
Developed by your IT, Security and Legal teams
Put a C-level person on it
Risk management
Shift risk (& make yourself a good risk – see yourself through the lens of an insurer)
Cycle, Prevent, Detect, Respond, Recover
Elements of a Plan
Treat company information like the crown jewels
Understand what you have, why/how you store & secure it, why you keep it.
You cannot lose data you don’t have.
Risk cannot be managed after a breach occurs when panic and confusion have set in.
Calm communication of facts shows a company in control of itself, its systems, and the story.
Cyber Insurance
Cyber insurance
Policy for the business
Policy for client data
Coverage?
Are all policies the same?
Expense?
Directors & Officers?
Class actions?
Is there a standard of care for negligence?
All are good questions – get your insurance broker involved and ask the questions!!
Examples
How small business data gets hacked
What has been seen out in the field and how it was handled.
Law Firm
Manufacturer
Entertainment Company
Start up
Recent Breaches
Why are large companies like Target and Home Depot breached?
What could have been done better?
What lessons can we take from those events that can be implemented for any business, of any size?
Board of Directors, Corporate Officers
How much and when to disclose/notify
Penalties vs. harm to the corporate image
Costs of a Breach
IT Costs
Investigation
Remediation
Business Interruption
Recovery & Prevention
Management & PR Costs
Notification (Regulatory Compliance) of Affected Parties
External Communications (PR)/Loss of Reputation/Share Price
Legal advice & counseling
Legal Team
Litigation Costs (Defense and Indemnity), Class Actions
The Forensic point of view – if data needs to be analyzed as to who did what, when, how
Top 10 Breaches (that were published as of October 2014)
Thank You!