How to manage your client's data responsibly – Protect your clients from fraud, identity theft and confidential information
Jeremiah Cruz ([email protected]), Nick Kavadias ([email protected]), Gabor Szathmari ([email protected])
Marbury Chambers / CryptoAUSTRALIA, 2/11/2018
How to manage your client's data responsibly – Protect your clients from fraud, identity theft and confidential information
6) Data Disposal & Physical security (dos and don’ts)
7) Metadata in documents
8) What to do post-breach 🙏
Phishing and Business Email Compromise
What is BEC fraud?
Social Engineering / Spear Phishing: "I am the CFO, pay this invoice urgently"
• Display name spoofing – real name, but not the real email address
• Email address spoofing – real name and email address, but a different Reply-To address
• Email account compromise – a real email account is broken into (using credentials from a data breach, or spear phishing)
Impersonation: "Our payment details have changed, use this bank account instead"
• One of your staff's mailboxes is compromised
• One of your vendors' mailboxes is compromised
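The two header-level patterns above (display name spoofing and a mismatched Reply-To) can be caught mechanically before a mailbox ever sees them. Added example, not from the slides: it checks constructed sample messages against a hypothetical directory of senior staff and their real addresses.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail), one per pattern from the slide:
# display-name spoofing, a mismatched Reply-To, and a benign message.
SAMPLES = {
    "display_name_spoof": (
        "From: Jane Smith <jane.smith@webmail-free.example>\n"
        "To: accounts@firm.example\n"
        "Subject: urgent invoice\n\nPay this today.\n"
    ),
    "reply_to_mismatch": (
        "From: Jane Smith <jane.smith@firm.example>\n"
        "Reply-To: Jane Smith <jane.smith@attacker.example>\n"
        "To: accounts@firm.example\n"
        "Subject: new bank details\n\nUse this account instead.\n"
    ),
    "clean": (
        "From: Jane Smith <jane.smith@firm.example>\n"
        "To: accounts@firm.example\n"
        "Subject: lunch\n\nSee you at 1.\n"
    ),
}

# Hypothetical directory of senior staff whose names are worth impersonating:
# display name (lower-cased) -> the only address they legitimately send from.
EXECUTIVES = {"jane smith": "jane.smith@firm.example"}

def domain_of(addr):
    """Domain part of an email address, lower-cased ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_bec_indicators(raw):
    """Return warning strings for the two header-level BEC patterns above."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    warnings = []
    # Display-name spoofing: a known executive's name on an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        warnings.append(f"display-name spoofing: '{name}' sent from {addr}")
    # Reply-To steering replies to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != domain_of(addr):
        warnings.append(f"reply-to mismatch: From {addr} but Reply-To {reply}")
    return warnings

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_bec_indicators(raw) or ["no indicators"])
```

Account compromise, the third pattern on the slide, leaves these headers clean, which is why it needs 2FA and login monitoring rather than header checks.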
How does BEC affect my practice?
• Financial loss – direct and indirect. Could it be enough to put you out of business? Litigation, insurance premiums, system remediation, investigation
• Notifiable Data Breach – if an email account is compromised, the incident is reportable to the OAIC; fines?
• Reputational damage – Negative media coverage & Twitter rage
The biggest cyber security threats in 2018
• Business Email Compromise (BEC)*
• Ransomware
• Data breach
• Phishing
• Identity theft
Good security practices reduce the risk of multiple threats.
For a generic list of threat mitigations, refer to the ASD Essential 8: https://acsc.gov.au/publications/protect/Essential_Eight_Explained.pdf
*9 billion dollar industry in 2017: https://www.trendmicro.com/vinfo/au/security/news/cybercrime-and-digital-threats/fbi-bec-losses-in-2017-shot-up-to-over-us-675-million
Secret: “hackers” log into your webmail
Password hygiene
• Websites get hacked.
• People reuse the same email and password across multiple online accounts. D'oh!
Haveibeenpwned
Do you have leaked passwords? https://haveibeenpwned.com/
Meanwhile on SpyCloud
Solution: Use Two-factor authentication
If you only do one thing to improve your cybersecurity posture, it should be to turn on 2FA for your email.
Advice evolves with threats and as criminals become more sophisticated, e.g. 2FA via SMS can be attacked with SIM swapping.
Two-factor authentication
Most powerful defence against:
• Crappy passwords (Letmein1)
• Stolen passwords (phishing)
• Leaked passwords (reuse)
Why do we have just a few passwords?
Problems:
• Too many passwords to remember
• Has my password leaked in a data breach?
Password managers solve both
Password hygiene – Wallets
Remember a single password only:
• LastPass
• 1Password
• Dashlane
• RoboForm
1Password
100 Point ID Checks
Personal Information and Verification of Identity (VOI)
100-point ID checks (VOI) have been required by NSW conveyancing rules since 2016
• Digital certificates (e.g. PEXA key)
• Leave them unplugged when not in use
• Cut the built-in smart card in half to dispose of it
Metadata issues – Good document management practices
Metadata in Documents: What can go wrong?
1. Disclosure of instructions
• Comments, tracked changes
2. Identification of personnel:
• Disclosure of author or commentator who wishes to be anonymous
• Metadata from multiple authors, silent partners
What can go wrong? (cont’d)
3. Disclosure of former or existing clients
• Everyone is using templates – Recycled documents
4. Embarrassment
• Nasty comments left in a document that were supposed to be private
Recent decision where metadata was the turning point:
• Wadler v Bio-Rad Laboratories
• Sanford Wadler, general counsel – his employment was terminated for whistleblowing
• Employer claimed erratic work and workplace outbursts
• Employer introduced a piece of evidence of an unfavourable performance review (a document)
• The document established the performance review was created one month after the employee was terminated.
• Jury awarded $8 + $5m in damages
Metadata in legal documents
Office documents
• Track changes
• Comments
• Hidden content
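Before a document leaves the firm, the residue listed above (and the author names from the earlier "what can go wrong" slides) can be audited directly in the .docx package, which is a zip of XML parts. Added example, not from the slides or any of the tools listed next: it constructs a small .docx in memory and reports what a cleaning tool would need to remove.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DC = "http://purl.org/dc/elements/1.1/"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"

def build_sample_docx():
    # Constructed minimal .docx (in memory, not a real client file) carrying the
    # residue the slides warn about: author names, a comment, a tracked change
    # and a hidden-text run. Names and figures are made up.
    core = (f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">'
            '<dc:creator>Former Client Pty Ltd</dc:creator>'
            '<cp:lastModifiedBy>silent.partner</cp:lastModifiedBy></cp:coreProperties>')
    doc = (f'<w:document xmlns:w="{W}"><w:body><w:p>'
           '<w:r><w:t>Offer: </w:t></w:r>'
           '<w:ins w:author="silent.partner"><w:r><w:t>$1m</w:t></w:r></w:ins>'
           '<w:del w:author="silent.partner"><w:r><w:delText>$2m</w:delText></w:r></w:del>'
           '<w:r><w:rPr><w:vanish/></w:rPr><w:t>client will go lower</w:t></w:r>'
           '</w:p></w:body></w:document>')
    comments = (f'<w:comments xmlns:w="{W}"><w:comment w:author="J. Reviewer">'
                '<w:p><w:r><w:t>do not send this version</w:t></w:r></w:p>'
                '</w:comment></w:comments>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", doc)
        z.writestr("word/comments.xml", comments)
    return buf.getvalue()

def audit_docx(data):
    """Count comments, tracked changes and hidden runs; collect every author name recorded."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = {n: ET.fromstring(z.read(n)) for n in z.namelist() if n.endswith(".xml")}
    doc, comments, core = parts["word/document.xml"], parts.get("word/comments.xml"), parts.get("docProps/core.xml")
    authors = set()
    if core is not None:  # document properties: creator and last editor
        for tag in (f"{{{DC}}}creator", f"{{{CP}}}lastModifiedBy"):
            authors.add(core.findtext(tag, "").strip())
    for root in (doc, comments):  # w:author on comments, insertions and deletions
        if root is not None:
            authors.update(e.get(f"{{{W}}}author") for e in root.iter() if e.get(f"{{{W}}}author"))
    def count(root, tag):
        return 0 if root is None else sum(1 for _ in root.iter(f"{{{W}}}{tag}"))
    return {"authors": sorted(a for a in authors if a),
            "tracked_changes": count(doc, "ins") + count(doc, "del"),
            "comments": count(comments, "comment"),
            "hidden_runs": count(doc, "vanish")}
```

Any non-empty author list or non-zero count means the file still carries something a recipient can read, regardless of what the document looks like on screen.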
Removing metadata - Tooling
• Adobe’s Redact Tools
• Windows Explorer – File Properties
• Workshare Secure - integrates with MS Exchange
• Payne Group Metadata Assistant 5.0 – Compatible with MS Office and Windows. Integrates with document management systems and email clients – thepaynegroup.com
• cleanDocs – Removes Word, Excel, PDF – docscorp.com
• BEC MetaReveal – MS Office and MS Outlook – beclegal.com
• Litera Microsystems Metadact
Removing metadata – More information
Law Society Journal – 2018 March – page 76
Helen Brown: Why it’s time to wise up about metadata
https://lawsociety.cld.bz/e/LSJ-March-2018/76
What to do when you get hacked 🙏
• Disconnect your computer from the Internet and stop using it
• Contact your MSP and have cloud account passwords reset
• Notify Lawcover - They have an incident response team