Protecting Your Business and Client Information in a Digital World - Mitch Tanenbaum, Information Risk Strategy Consulting
How To Survive In A Risky Cyber World
2016 IFG Wealth Management Forum Scottsdale, AZ April 2016
Mitch Tanenbaum, www.CyberCecurity.com, Mitch@CyberCecurity.com, 720-891-1663
GEEK ALERT!
Ransomware
What can you do?
1. Backups, backups and more backups
2. Business continuity plan
3. Disaster recovery plan
4. Incident response plan
• Rowlett incident
Test repeatedly!
Law Firms (and financial advisors)
1500 times the size of the WikiLeaks State Department cable leak
And Financial Advisors
Ask your law firms and advisors for a copy of their written cyber security plan
As a law firm or advisor have a written plan
Same goes for family offices – have a plan, ask for a plan
NASDAQ Study
1500+ CxOs and Directors
90% of respondents have a medium to high cybersecurity vulnerability
91% of NEDs cannot read a cybersecurity report, preventing them from asking the intelligent questions (executive coaching)
40% don’t feel responsible for the repercussions of a cyber attack.
Spear Phishing
Targeted Emails–often to execs and finance
Drop malware
Asks employees to wire money
Conduct phishing tests
• At one client, they sent 350 emails
• 139 were opened, 35 clicked on the malware
• Including one C-Suite member
What Does The FBI Think?
“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
- Robert S. Mueller III, Director, Federal Bureau of Investigation
RSA Cyber Security Conference, San Francisco, CA, March 1, 2012
New York DFS Proposed Regulations
(Post Ben Lawsky)
Shared proposal with every state, federal and local regulator in the country
1. 12 written cyber security policies and procedures
2. Third party service provider management
3. Multi factor authentication
4. Chief Information Security Officer
5. Application security
6. Cyber security personnel and intelligence
7. Annual cyber security audits
8. Notice of cyber security incidents
If you are required to comply, it will require outside expertise
http://mtanenbaum.us/ny-regulator-unveils-proposed-new-cyber-security-regulations/
http://www.dfs.ny.gov/about/letters/pr151109_letter_cyber_security.pdf
SEC Risk Alert To Investment Advisors and Broker Dealers
Issued Last September
1. Governance – manage the cyber risk process
2. Access rights – who can see what
3. Data Loss Prevention – PII in emails
4. Vendor Management – who do you share data with?
5. Training
6. Incident response plan
Cyber security exam initiative to improve compliance
http://mtanenbaum.us/sec-issues-risk-alert-to-advisors-and-brokers/
What To Do
California – Bellwether for the rest of the country
CA AG Kamala Harris released a breach report in February
As part of that, she defined REASONABLE SECURITY PROCEDURES as referred to in CA AB 1950
Implement all CIS 20 controls which are appropriate
Implement multi factor authentication for consumer facing web sites containing sensitive personal information
Consistently use strong encryption on portable devices and maybe desktops
AG Harris Says:
The failure to implement all the controls that apply to an organization’s environment constitutes a lack of reasonable security.
What Is The CIS 20
Center For Internet Security:
1. Inventory devices
2. Inventory software
3. Secure configurations for user devices
4. Continuous vulnerability assessment
5. Control admin privileges
6. Manage audit logs
7. Email and web protection
8. Malware defenses
9. Control of ports, protocols and services
10. Data recovery capability
11. Secure configuration for network devices
12. Boundary defense
13. Data protection
14. Control access based on need to know
15. Wireless control
16. Account monitoring
17. Security skills assessment and training
18. Application software security
19. Incident response and management
20. Penetration testing and red team exercises
What Does The CFPB Say?
CFPB entered consent decree with fintech firm Dwolla in February
Specifies what CFPB expects Dwolla to do
$100k fine, 5 years of monitoring
NO BREACH INVOLVED!
1. Establish, implement and maintain a comprehensive data security plan
2. Adopt and implement reasonable and appropriate data security policies and procedures
3. Designate a qualified person to be accountable for the data security program
4. Conduct data security risk assessments twice a year
5. Evaluate and adjust the data security program in light of the results
6. Conduct regular, mandatory employee security training
7. Develop, update and implement security patches
8. Develop, implement and maintain an appropriate method of customer identity authentication at registration time
9. Develop, implement and maintain reasonable procedures for third party risk (service providers)
10. Obtain an annual data security audit from an independent, qualified, third party, using generally accepted professional procedures and standards
The Board must review all submissions
The Board is ultimately responsible for ensuring compliance with the consent order
Mobile
More and more sensitive data on mobile
Encrypt devices
Restrict what applications are installed
Use encrypted text (WhatsApp, Signal)
Use encrypted email (Absio)
• Both directions
• With clients and internally
Mobile Device Management (MDM) software
Use current OS version
• Android Ver 6 – Marshmallow
• iPhone iOS 9
PATCH
Cyber Insurance
It is not a silver bullet
We are seeing insurance carriers claiming the insured “failed to follow minimum required practices”
You need to verify that coverages and practices are aligned
Education
To get our free weekly cyber security email newsletter, please send an email to Mitch@CyberCecurity.com and we will add you to the list.