Published by Abel Hamilton, modified over 6 years ago
1
ID Theft and Data Breach Mitigation
Jeremy Gilbert, GCFE, GASF, EnCE, CPA
2
Agenda
Consumer ID theft issues
Data breach trends
Laws and regulations
Assessing and mitigating your risk
3
Consumer Identity Theft Issues
4
Consumer ID Theft Statistics
ID theft up 16% in
In 2014, IRS paid $5.8 billion in fraudulent refunds
Virginia: 56,000 PHI records stolen since
Sources: 1 Federal Trade Commission; 2 Government Accountability Office; 3 US Department of Health and Human Services Office for Civil Rights
5
How to Respond to ID Theft
File a police report
File a complaint with the FTC
File form with the IRS
Place fraud alert on your credit report
Consider a credit freeze
Dispute fraudulent accounts
Contact your creditors
6
How Your ID is Stolen
Personal carelessness
External hackers
Data breaches
Your information is for sale
Social engineering: targeting either you or someone you do business with
Social engineering example
7
Fusion: Real Future, episode 8
8
The Price of Your Identity
Common prices for ID information:
US “Fullz”: $30
Health insurance credentials: $20
Bank account with $75,000: less than $300
Date of birth: $11
Credit card account: $4 to $13
Source: Dell SecureWorks
9
Protecting Yourself
Never re-use passwords
Guard personal information
Use multi-factor authentication
Set account access PINs at phone and utility providers
Never re-use passwords, seriously
10
Data Breach Trends
11
2015 Data Breaches
Xoom: Victim of $31 million Business Email Compromise (BEC)
12
Recent Data Breaches
Anthem and Premera breaches: 80 million and 11 million PHI records
US Office of Personnel Management: 21 million victims
Ashley Madison
Equifax: 143 million “customers”
13
Breach Methods
Phishing and spear phishing attacks: 13% of users will click on links in phishing emails1
Stolen, weak, or default credentials: used in 63% of breaches1
1 Verizon 2016 Data Breach Investigations Report
14
Breach Methods
Web app attacks: attacks against existing pages; hacking servers to host malicious pages
Point of sale intrusions/card skimmers: used to scrape credit card data (Target, Home Depot, Hilton Worldwide)
Insider attacks
15
Breach Methods
Mistakes: accidental misdelivery
Physical theft
Malware: malvertising
Deliberate cyber attack: industrial espionage
16
Cost of a Breach
Average breach cost:1
Small businesses: $86,500
Large businesses: $861,000
Notable exceptions:
Anthem Healthcare: $5.55 million fine
Cost of Target breach: $252 million
Equifax 2017 breach: estimated $300 million to $4 billion
1 Kaspersky Labs survey
17
Laws and Regulations
18
Careful With the Word “Breach”
“Breach” has a legal meaning and suggests you may have legal liability
Security teams should use “security incident” until it’s determined that a breach has occurred
19
Federal Laws and National Regulations
HIPAA-HITECH: healthcare data (PHI)
FTC Red Flags Rule: applies to financial institutions
PCI-DSS: payment cards
FISMA: applies to federal contractors
20
State Laws
48 different state laws, all varying in timing, method, and extent of notice required
Virginia: if a breach of PII is identified, must notify the Virginia Attorney General and all affected Virginia residents
21
Assessing and Mitigating Your Risk
22
Assessing Your Risk
77% of businesses have suffered some form of data loss1
Matter of when, not if
Higher risk if you handle financial information or healthcare data
1 Kaspersky Labs survey
23
Information Security Lifecycle
24
Security Process: Identify
Assess your IT environment and understand the nature of your data
Understand industry and regulatory compliance requirements
Perform an information security risk assessment
25
Protect the Environment
Implement controls based upon the security risk assessment: physical, technical, administrative
Assign roles and responsibilities for maintaining controls
26
Detect Incidents: Monitoring and Event Logging Functions
Automated solutions where possible, but tailor alerting to limit false positives!
We love our automated alerting systems, don’t we? Useless unless they are customized to the environment and normal system behavior.
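To show why alerting has to be tailored to normal system behavior, here is an added example (not from the slides) that compares a one-size-fits-all failed-login threshold with a per-host baseline; the host names, counts and thresholds are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample (not real data): hourly failed-login counts per host
# for the past five hours, as "host hour count". The VPN gateway is
# always noisy; the file server is normally quiet.
HISTORY = """\
vpn-gw 00 42
vpn-gw 01 38
vpn-gw 02 45
vpn-gw 03 40
vpn-gw 04 44
fileserv 00 1
fileserv 01 0
fileserv 02 2
fileserv 03 1
fileserv 04 0
"""
# Counts observed in the current hour (constructed).
CURRENT = {"vpn-gw": 44, "fileserv": 15, "newhost": 3}
FIXED_THRESHOLD = 20  # the one-size-fits-all rule


def parse_history(text):
    """Group historical hourly counts by host name."""
    per_host = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            host, _hour, count = line.split()
            per_host[host].append(int(count))
    return per_host


def fixed_alerts(current, threshold=FIXED_THRESHOLD):
    """Naive rule: same threshold for every host. Fires on the noisy
    gateway every hour and misses the quiet file server."""
    return sorted(h for h, c in current.items() if c > threshold)


def baseline_alerts(current, history, sigmas=3.0, floor=5):
    """Tailored rule: a host alerts only when it exceeds its own
    mean + sigmas * stdev (never below `floor`, so a host whose history
    is all zeros does not alert on a single failure); hosts with no
    history fall back to the fixed threshold."""
    alerts = []
    for host, count in current.items():
        samples = history.get(host)
        limit = FIXED_THRESHOLD if not samples else max(
            mean(samples) + sigmas * pstdev(samples), floor)
        if count > limit:
            alerts.append(host)
    return sorted(alerts)
```

With this data the fixed rule fires only on the gateway (a false positive) while the baseline rule fires only on the file server, which is the anomaly.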
27
Respond to Incidents: Execution of Incident Response Plan
Strong response capabilities can limit impact
Understand specific reporting requirements and key contacts
Response procedures: Target example
28
Recover: Recovery Plans and Activities to Restore Business Services
Recovery planning is key to organizational resilience
Work with contracting officers and authorities
29
Additional Resources
FTC Guide for Assisting Identity Theft Victims
FTC Consumer ID Theft Guide
IdentityTheft.gov
Experian Credit Freeze Procedures
Equifax Credit Freeze Procedures
TransUnion Credit Freeze Procedures
TwoFactorAuth.org website
30
ID Theft and Data Breach Mitigation
Jeremy Gilbert, GCFE, GASF, EnCE, CPA
Manager, DHG IT Advisory