1
Especially Prepared For:
Data Breach Risk Management: The Reality of ID Theft and Data Breach
September 13, 2017
“Knowledge is power” (Sir Francis Bacon, 1597)
2
Today’s Agenda
- About Merchants Information Solutions, Inc.
- About Mark Pribish
- Data Breach Trends
- Identity Theft Trends
- The Threat Landscape
- Employee Education
- Data Breach Risk Management
- Questions and Answers
3
About Merchants Information Solutions
- Since 1912
- ID Theft Risk Management Solutions Pioneer
- Small Business Data Breach Risk Management
- Over 10 Million Consumers Covered
- Business | Consumer | Data Breach – Identity Theft Solutions
4
About Mark Pribish, Vice President & ID Theft Practice Leader
- Gannett / Arizona Republic guest columnist on cyber security, data breach, identity theft, and personal privacy
- Member of the FBI Citizens Academy Class of 2012, FBI InfraGard Public Private Alliance, Guidepoint Global Advisors, and the Risk and Insurance Management Society; holds an Arizona P&C license
- 27 years’ experience helping consumers and businesses manage the risks associated with ID theft and data breach events
- Served in senior sales positions at Aon and AIG
- Graduated from the University of Dayton in 1981
5
Data Breach Trends
6
Data Breach Trends: Privacy Rights Clearinghouse Chronology of Data Breaches, January 2005 to September 2017
- Since January 2005 there have been 7,650 data breaches affecting nearly 1 billion records
- Only 25% of these breaches were caused by hacking or other IT-related events
- 75% of these breaches involved social engineering (the human element)
7
Data Breach Trends: Types of Data Breaches
- Hacking/Malware – electronic entry by an outside party, malware and spyware
- Insider – someone with legitimate access intentionally breaches information
- Payment Card Fraud – fraud with debit and credit cards, such as skimming devices
- Physical Loss – lost, discarded or stolen non-electronic records
- Portable Device – lost, discarded or stolen laptop, smartphone or flash drive
- Stationary Device – lost, discarded or stolen stationary electronic devices or servers
- Unintended Disclosure – sensitive information posted publicly
- Unknown or other
8
Data Breach Trends: Ponemon Institute Cost of Data Breach Study, June 2017
- Total Costs – average $225 per lost/stolen customer record
- Direct Incremental Costs – including free/discounted services, notification letters, legal/accounting fees, etc.
- Lost Productivity Costs – including lost time of employees and contractors diverted from other tasks
- Customer Opportunity Costs – including the cost of lost customers and the cost of acquiring new customers
9
Data Breach Trends: 2016 Symantec Internet Security Threat Report, April 2017
Cyber Attacks on Small Businesses on the Rise
- Pushing many entrepreneurs to the verge of bankruptcy
- 43% of cyberattacks were against small businesses with fewer than 250 workers
- Cyber crooks steal small business information to rob bank accounts via wire transfers, steal customers’ personal identity information, file for fraudulent tax refunds, commit health insurance or Medicare fraud, or even steal intellectual property
10
Data Breach Trends: 2016 Symantec Internet Security Threat Report, April 2017
- Data breaches are becoming more complex and are no longer confined to IT
- The human element is again front and center: humans continue to play a significant role in data breaches and cybersecurity incidents, as threat actors, targeted victims and incident response stakeholders
- Companies need to be prepared to handle data breaches before they happen in order to recover as quickly as possible
- Breaches can lead to enterprise-wide damage with devastating and long-lasting consequences, such as a loss of customer confidence
11
Identity Theft Trends: 2017 Identity Fraud Study, Javelin Strategy & Research, January 2017
- Identity fraud hits a record number: 15.4 million Americans, up 16% from 2015
- ID theft criminals stole $16 billion, a billion-dollar increase from 2015
- New chip cards lead to a dramatic rise in online fraud
12
Identity Theft Trends: 2017 Identity Fraud Study, Javelin Strategy & Research, January 2017
- Card-not-present (CNP) fraud rises significantly: online CNP fraud increased by 40 percent
- Account takeover (ATO) bounces back: ATO incidence and losses both rose; total ATO losses reached $2.3 billion, a 61 percent increase from 2015, while incidence rose 31 percent
- New-account fraud (NAF) continues: as Europay, MasterCard and Visa (EMV) cards and terminals continue to permeate the U.S. point-of-sale (POS) environment, fraudsters shift to fraudulently opening accounts
13
Identity Theft Trends: 2016 FTC Consumer Sentinel Network Report, February 2017
Identity Theft Complaints by Victims’ Age (chart)
14
Identity Theft Trends: 2016 FTC Consumer Sentinel Network Report, February 2017
How Victims’ Information is Misused
- Reported ID theft & fraud: 51% financial, 49% non-financial
15
Identity Theft Trends: GAO Tax and Identity Theft Report, January
- According to the U.S. Government Accountability Office (GAO), the IRS estimated it prevented $22.5 billion in fraudulent identity theft refunds in 2014
- The IRS also paid $3.1 billion that year on refund requests later determined to be fraudulent
- The IRS paid a further $2.2 billion in 2015 on refund requests later determined to be fraudulent
- Fraudulent tax filings have been linked to the Anthem data breach, according to the IRS and FBI
16
Identity Theft Trends: The Rise in Medical ID Theft, August 2016
- Medical ID theft soared 22 percent in 2014
- Ponemon estimates more than 2.3 million adult medical ID theft victims
- 47% of victims were harmed by relatives or people they know (the insider threat)
- 65 percent of the study’s respondents paid to resolve it, an average of $13,453
17
The Threat Landscape: Cyber Threat Will Get More Difficult, April
- Companies should focus on Response, Resiliency and Recovery when it comes to cyber risks, says Michael Hayden, former head of the Central Intelligence Agency and National Security Agency and currently a principal at the Chertoff Group, a security consultancy
- At present, companies are focusing on the vulnerability aspect and responding by building “high walls and deep moats” to keep attackers out. Done successfully, that stops 80 percent of attackers, but it still leaves the 20 percent who get through, so companies need to focus on the consequences: Response, Resiliency and Recovery
18
The Threat Landscape: SMBs are the Target of Future Cyber Risks
- The Ponemon Institute Cost of a Data Breach Study reported “$225 per lost/stolen record” (June 2017)
- The Experian 2017 Data Breach Forecast states “SMB data breaches will cause the most damage” (January 2017)
- Small to mid-size entities often lack breach response policies, proper governance tools, and employee privacy training programs to prevent or promptly respond to breaches (February 2016)
- “Cyber risk jumps to No. 2” on the Travelers Insurance Business Risk Index (September 2016)
19
The Threat Landscape
- 43% of breaches are to businesses of 250 employees or fewer
- 83% of SMBs have no formal cybersecurity plan
- 92% of companies that experienced a data breach didn’t know it until notified by a third party
20
The Threat Landscape: Regulatory, Consumer and Data Security Laws
- HIPAA-HITECH Data Breach Requirements (2010)
- FACT Act Red Flags Rule (2010)
- PCI Data Security Standard (2006)
- COPPA, Children’s Online Privacy Protection Act (2000)
- 48 state security breach notification laws
- New York Cyber Security Law (March 1, 2017)
21
The Threat Landscape: Business E-Mail Compromise, February 27, 2017
According to the FBI, “there has been a 1,300 percent increase in identified exposed losses which has victimized more than 22,000 organizations worldwide and is responsible for losses of more than $3 billion.”
- Spoofing accounts and websites: slight variations on legitimate addresses fool victims into thinking fake accounts are authentic. The victim thinks he is corresponding with his CEO, but that is not the case.
- Spear-phishing: bogus e-mails believed to be from a trusted sender prompt victims to reveal confidential information to the BEC perpetrators.
- Malware: used to infiltrate company networks and gain access to legitimate threads about billing and invoices. That information is used to make sure the suspicions of an accountant or financial officer aren’t raised when a fraudulent wire transfer is requested.
22
The Threat Landscape: Ransomware, according to the FBI in 2017
- Ransomware disables digital networks but usually does not steal data
- Hacking victims in the U.S. paid more than $1 billion in ransom payments in 2016, compared with $25 million in all of 2015
- Paying the ransom does not guarantee the encrypted files will be released
- Decrypting files does not mean the malware infection itself has been removed
- Ransomware has evolved to include stealing and deleting data
- Train employees NOT to open unexpected attachments or click on unfamiliar web links
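The look-alike sender addresses described on the Business E-Mail Compromise slide and the attachment advice on this ransomware slide both come down to checks a mail gateway or a SOC analyst can automate before a message reaches the accountant. The script below is an added example written for this page; it is not material from the presentation or from Merchants Information Solutions. The trusted domains, the homoglyph and phrase lists, the risky-extension list and the two sample messages are all constructed assumptions for the demonstration.

```python
"""Triage one e-mail for BEC and ransomware indicators (added example)."""
import email
import email.policy
from difflib import SequenceMatcher
from email.message import EmailMessage

# Assumed: the organisation's own domain and a supplier it pays invoices to.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}

# File types a ransomware dropper or a fake "invoice" commonly arrives as (assumed list).
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".lnk", ".iso")

# Phrases typical of a fraudulent wire-transfer request (assumed list).
PRESSURE_PHRASES = ("wire transfer", "urgent", "confidential", "do not call")

# Character swaps attackers use so a fake domain reads like the real one.
HOMOGLYPH_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalise(domain):
    """Undo common homoglyph tricks so 'exarnple.com' compares as 'example.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPH_PAIRS:
        d = d.replace(fake, real)
    return d


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None.

    An exact trusted domain is legitimate. A domain that becomes a trusted one
    after homoglyph normalisation, or that is within a character or two of one
    (SequenceMatcher ratio >= 0.85), is reported as a look-alike."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or SequenceMatcher(None, norm, trusted).ratio() >= 0.85:
            return trusted
    return None


def triage(raw_message):
    """Parse one RFC 5322 message and return a list of findings (empty if clean)."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    findings = []

    sender = msg["From"].addresses[0] if msg["From"] else None
    sender_domain = sender.domain.lower() if sender else ""
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain} looks like trusted {imitated}")

    # A Reply-To on another domain silently diverts the victim's answer to the attacker.
    if msg["Reply-To"]:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != sender_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from sender domain {sender_domain}")

    # Dangerous attachment types, including double extensions such as invoice.pdf.exe.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name}")

    # Wire-transfer pressure language in the plain-text body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    hits = [p for p in PRESSURE_PHRASES if p in body]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


def build_sample(from_header, subject, body, reply_to=None, attachment=None):
    """Construct a sample message (test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "accounts@example.com"
    msg["Subject"] = subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()


# Constructed lure: CEO impersonation from a homoglyph domain with a diverted reply path.
BEC_SAMPLE = build_sample(
    "Jane Doe <jane.doe@exarnple.com>", "Urgent wire transfer",
    "Please process the attached wire transfer today and keep it confidential.",
    reply_to="jane.doe.ceo@mail-relay.net", attachment="invoice.pdf.exe")

# Constructed legitimate supplier invoice for comparison.
CLEAN_SAMPLE = build_sample(
    "billing@acme-supplies.com", "Invoice 4471",
    "Attached is this month's invoice. Thank you.", attachment="invoice-4471.pdf")

if __name__ == "__main__":
    for label, raw in (("BEC", BEC_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, triage(raw) or ["no findings"])
```

The homoglyph table and the 0.85 similarity threshold are starting points to tune against your own domain list; a check like this belongs behind, not instead of, SPF/DKIM/DMARC enforcement at the gateway, and the findings are meant to route a message to a human or a quarantine rather than to block on their own.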
23
The Threat Landscape: Threat of identity theft played a role in record Anthem settlement, June 26
- Anthem is paying a $115 million settlement, the biggest payout in U.S. history for a data breach
- Target and Home Depot, two companies that suffered well-documented data breaches, each paid less than a fifth of what Anthem agreed to pay to settle their claims
- 80 million records were exposed in the 2015 Anthem breach, revealing names, birth dates, Social Security numbers and other information that lends itself to identity theft
- The Anthem breach happened because an employee opened a phishing e-mail, and it took almost an entire year for Anthem to notice anything
24
Employee Education: What is Information Security Governance?
Information security governance has many definitions, but for the sake of this presentation it is:
- The creation of an information security governance strategy
- Within an organization’s governance framework
- That can support the detection, prevention of, and response to identity theft and data breach events
25
Employee Education: Why Have an Information Security Governance Program?
- Because poor communication and lack of leadership are barriers to effective information security governance and employee education
- To support employee education and data breach response
- To communicate current and future ID theft and data breach risk management trends
- To help safeguard employee and customer information
- To help safeguard intellectual property
- All of which are targets for identity thieves and cyber criminals
26
Employee Education: How to Support Information Security Awareness
An effective security awareness program should include education on specific threat types, including but not limited to:
- Social engineering
- Phishing/Vishing/Smishing
- Password management
- Malware/Trojans/Viruses
Communicate ID theft and data breach trends regularly.
27
Employee Education: Are You Aware of the Insider Threat?
- Negligent and malicious insiders are considered the biggest security risk to an organization of any size, including current and former employees, contractors and vendors
- Small business owners and senior executives should be more concerned about the threat within than about external risks from cyber criminals
- As you develop your organization’s employee education program on information security governance, you will also enhance your incident response plan
28
Data Breach Risk Management
Response and Recovery (Before it Happens)
- Create and implement an information governance policy
- Require annual information security training and education
- Understand what type of employee, customer and proprietary data is being collected, stored, and transferred
- Constantly assess and test your organization’s needs and requirements
- Define document destruction and retention policies
- Be aware of current and former employees, customers and vendors
- Understand the state and federal breach notification laws that apply to your business
- Vigilance, including annual pre-employment screening
- Implement baseline safeguards and controls
29
Data Breach Risk Management
Response and Recovery (After it Happens)
- Breach source: determine the source, make sure the data compromise is isolated and access is closed. If you cannot determine the source of the breach, engage a forensic investigation company.
- Breach assessment: determine the scope of the data breach event and the privacy and data security regulatory requirements associated with the type of records involved, in addition to the state of domicile.
- Response plan: include internal employee education and talking points; public relations press releases, customer education and resources; the small business or consumer solution(s) to be considered; and the content and timely release of notification letters.
- Protection plan: include the small business or consumer protection services to be offered to the compromised record group, and confirmation of professional call center and recovery advocate support services.
- Breach victim resolution plan: provide access to professional certified identity fraud recovery advocates who will work on behalf of the victims to mitigate and resolve the issues caused by the breach.
30
Data Breach Risk Management
Response and Recovery (After it Happens): 48-Hour Data Breach Response Plan
- Response to state and federal notification laws
- Develop customized customer/employee notification
- Develop employee talking points and FAQs
- Develop call center scripting
- Minimize the negative impact when news of the breach is released
31
Data Breach Risk Management
Response and Recovery (After it Happens)
- Notify: contact employees within the organization and affected individuals outside the organization
- Notify: law enforcement, if criminal activity is suspected
- Notify: know that 48 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have laws in place requiring notification of any individual whose personally identifiable information has been breached
- Notify: know the two federal rules, the FTC Red Flags Rule and the HIPAA-HITECH Breach Notification Rule
32
Conclusion: Understanding Data Breach Risk Factors
- People: the insider threat, whether accidental or malicious, can include current and former employees, customers, associates, vendors, and independent contractors
- Processes: including information technology, enterprise risk management, marketing/sales and human resources, need to be aligned, defined, and documented
- Technologies: those relied on to conduct and grow your business are also being used to identify vulnerabilities in and mount cyber threats against your business
“No One Company Can EVER Prevent Itself from Experiencing a Data Breach Event” (Mark Pribish, The Arizona Republic/Gannett News, 2008)
33
THANK YOU!
Mark Pribish, Vice President & ID Theft Practice Leader
Merchants Information Solutions, Inc.