The Insider Threat: Prevention, Detection, And Response When All Else Fails
Littler Mendelson, PC
2016 SCCE Dallas Regional Compliance & Ethics Conference
Philip L. Gordon, Littler Mendelson, P.C., 1900 16th Street, Suite 800, Denver, CO 80202, Phone: 303.362.2858, Email: [email protected]
Allison E. Moore, Littler Mendelson, P.C., 100 Congress Avenue, Suite 1400, Austin, TX 78701, Phone: 512.982.7255, Email: [email protected]
Agenda
I. Why Should You Worry About The Insider Threat?
II. Creating A Culture Of Data Stewardship
III. Understanding, Detecting And Preventing The Malicious Insider
IV. Security Breach Response
Why Should You Worry About The Insider Threat?
Insiders Are #1 Cause of Security Breaches
[Chart: share of breaches by cause, in percent; source: 2016 Verizon Data Breach Investigations Report]
Cost of a Security Breach
• Average total cost = $7 million
  – ↑ 8% from $6.5 million in 2015
• Average cost breakdown:
  – $730K in detection and escalation
  – $590K in notification costs
  – $1.7M in post-breach costs, i.e., help desk and remediation
  – $4M in loss of customers/good will
• Average cost per lost or stolen record = $221
  – ↑ 2% from $217 in 2015
Source: 2016 Cost of Data Breach Study: United States, Ponemon Institute, May 2016
The CEO & Board Cares
• 39% of CEOs/Boards involved in data breach preparedness in 2015 vs. 29% in 2014 (Ponemon/Experian 2015)
• Several CEOs have recently lost their jobs at least partly because of a security breach
  – HB Gary
  – Ashley Madison
  – Director of OPM
Class Action Litigation
• Dozens of class action lawsuits have been filed in the wake of security breaches
• Many are dismissed early in the litigation process
• However, the plaintiffs’ class action bar is starting to see some success
Federal Enforcement
• FCC: $25M fine imposed on telecom provider whose employees stole information on 280,000 customers
• HHS: 34 publicly announced settlements since January 2011
  – 15 settlements exceeded $1M
  – Average settlement > $1.3M
• SEC: Investment advisor fined $75K for poor cyber security
AG Enforcement Is Ramping Up
1. $95K to NY (3/16): Employer’s online application was insecure, making about 500 employment applications available on Google
2. $20K to NY (1/16): Failure to notify workers of a data breach of names and driver’s license numbers, and collection of unencrypted geolocation information on workers
3. $15K to NY (12/15): Nurse took patient list with diagnoses when leaving hospital’s employ
4. $40K to MA (12/14): Theft of employee’s company-issued laptop with more than 2,000 patient records
5. $100K to MA (12/14): Employee’s personal laptop with 3,800 patient records stolen from unlocked office
Insider Threat Model
• Unintentional
  – Even good employees can cause significant harm with the tools they have today.
• Intentional
  – A motivated employee who wants to do you harm can do so.
  – Traditional tools to detect and prove harm may not be as effective.
Establishing A Culture Of Data Stewardship
Background Screening
• Key steps for reducing risk:
  1. Implement comprehensive pre-employment screening of employees, temps and contractors
  2. Tailor checks for positions involving access to sensitive data
  3. Consider conducting continuous monitoring on current employees
     – Only 36% conduct any form of on-going surveillance for changes in an employee’s risk profile (Sterling 2016)
• Confirm that the background check program complies with FCRA, ban-the-box laws, and EEOC guidance
Confidentiality Agreements
• During the on-boarding process
• Key Terms:
  1. “Confidential Information” should cover sensitive consumer and employee information
     – Beware of potential NLRB, EEOC, SEC restrictions
  2. Summarize key information security obligations
  3. Require return of all confidential information upon request or at termination of employment relationship
Policies And Procedures
• Policies and procedures need to address all forms of data, not just digital data “owned” by IT
• Policies and procedures not directly related to safeguarding data also are critical
  – Code of ethics
  – Pre-employment screening
  – Confidentiality
  – Acceptable use
Information Security Training
• Every employee should receive data privacy training at orientation
  – Only 44% provided training at orientation (Ponemon/Experian 2015)
• Employees with access to trade secrets, confidential information, or personal data should have more in-depth training
  – Training can vary based on job functions and sensitivity of data that is accessed
• Periodically send reminders, updates, and notices
  – 71% of companies that provide training do so only once or sporadically (Ponemon/Experian 2015)
Big Picture Points
1. Employer’s legal and/or contractual obligations to safeguard sensitive data
2. Types of information falling within scope of legal duty
3. Potential consequences for employer of noncompliance
4. Steps employees can take to safeguard sensitive data
Training On Safeguards
1. Importance of protecting log-in credentials
   – In 2015, 63% of confirmed data breaches involved weak, default or stolen passwords (2016 Verizon Data Breach Report)
2. How to create a strong password
3. Screen security
4. How to recognize a “phishing” e-mail
   – Sanctioned phishing tests conducted in 2015 revealed that 30% of phishing messages are opened and 12% click on the malicious attachment (2016 Verizon Data Breach Report)
Phishing E-mail: Exhibit #1
Your Account has been limited ! Login Now and solve it
Dear Client
It looks like your account has limitation due to login from unkowndevice . We are keep your informations secret so you need to login to your account and provide us with some informations as security check .
To reset your account access please enter the link below
Login Now
Training On Safeguards (continued)
5. Physical safeguards for mobile devices
6. No storage in personal online accounts
7. What is a security incident?
8. How to report a security incident?
Mobile Device Security
1. Devices must be registered and centrally managed
2. Password protection
3. Remote wipe capability
4. Encryption
5. Inactivity time-out
• Require participation in a BYOD program for employees using a personal mobile device for work
Technical Access Controls
1. Only employees who need access to sensitive information to perform job responsibilities have authorized access
2. Authorized access restricted by “minimum necessary” principle
3. Access rights are modified when job duties change
4. Terminate access promptly upon termination of employment
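The four access-control points above are only as good as the periodic review that checks them. As an added example (not from the slides or the presenters), the script below reconciles a constructed HR roster against a constructed entitlement export and flags the three failure modes the list describes: access that outlived a termination, access wider than the "minimum necessary" for the person's current role (including rights left over after a role change), and accounts with no HR record at all. The roster and entitlement formats and the role matrix are assumptions.

```python
# Added example: periodic access review against the "Technical Access Controls" list.
# All data below is constructed; the roster/entitlement layout and ROLE_MATRIX are assumptions.
from datetime import date

# Constructed HR roster: user -> (current role, employment status, termination date or None)
ROSTER = {
    "alice": ("nurse", "active", None),
    "bob": ("billing", "active", None),
    "carol": ("nurse", "terminated", date(2016, 3, 1)),
    "dave": ("it_admin", "active", None),
}

# Assumed "minimum necessary" matrix: role -> the only systems that role needs
ROLE_MATRIX = {
    "nurse": {"ehr_clinical"},
    "billing": {"ehr_billing", "payroll_ro"},
    "it_admin": {"directory_admin"},
}

# Constructed entitlement export: (user, system, date the right was granted)
ENTITLEMENTS = [
    ("alice", "ehr_clinical", date(2015, 6, 1)),
    ("alice", "ehr_billing", date(2014, 1, 15)),   # left over from an earlier billing role
    ("bob", "ehr_billing", date(2015, 2, 2)),
    ("bob", "payroll_ro", date(2015, 2, 2)),
    ("carol", "ehr_clinical", date(2013, 9, 9)),    # still enabled after termination
    ("dave", "directory_admin", date(2016, 1, 4)),
    ("erin", "ehr_clinical", date(2016, 2, 2)),     # no HR record at all
]

REVIEW_DATE = date(2016, 4, 1)  # constructed "today" for the review run


def review_access(roster, role_matrix, entitlements, today):
    """Return (user, system, finding) tuples that a reviewer should act on."""
    findings = []
    for user, system, _granted_on in entitlements:
        if user not in roster:
            findings.append((user, system, "orphan: no HR record"))
            continue
        role, status, term_date = roster[user]
        if status == "terminated":
            days = (today - term_date).days
            findings.append((user, system, f"terminated {days} days ago, access still enabled"))
        elif system not in role_matrix.get(role, set()):
            findings.append((user, system, f"exceeds minimum necessary for role '{role}'"))
    return findings


def run_review():
    """Run the review over the constructed data; used by the self-check below."""
    return review_access(ROSTER, ROLE_MATRIX, ENTITLEMENTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, system, finding in run_review():
        print(f"{user:6} {system:16} {finding}")
```

Feeding the script a real HR export and a real entitlement dump turns items 3 and 4 of the list into a recurring report rather than a one-time policy statement.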
Exit Interviews
1. Provide departing employee with copy of executed confidentiality agreement
2. Remind employee of ongoing obligation to keep information confidential
3. Ensure return of all employer-owned computers, mobile devices and portable storage media
4. Ensure return of all paper documents containing confidential information
Exit Interviews (continued)
5. Coordinate removal of confidential business information from any “BYOD device”
   – Only 38% of organizations do this (Blanco Tech Group 2016)
   – Only 34% securely wipe departing employees’ BYOD 100% of the time (Blanco Tech Group 2016)
6. Coordinate removal of confidential information from all personal accounts and media
The Malicious Insider
• Attend ALL information security training sessions