Kyle Kuchera VP - Sales, Zog Inc. www.zoginc.com You’ve Worked Hard to Gain the Trust of Your Clients and Donors, Don’t Be Careless In How You Protect Them

Page 1: Trust of Your Clients and Donors, IT Conf 5-29-19... · 2019. 6. 7. · 2014. As cyberattacks become more complex, repelling them becomes more difficult, especially without a single

Kyle Kuchera, VP - Sales, Zog Inc.

www.zoginc.com

You’ve Worked Hard to Gain the Trust of Your Clients and Donors,

Don’t Be Careless In How You Protect Them

Page 2

Today We’re Going To Cover

• The Evolving Cyber Security Landscape
• Regulatory Environment / Your Obligations
• Recent Events Affecting Non-Profits
• Economic Impacts of Cybercrime
• Why the Non-Profit Industry is a Target
• What Non-Profits can do to Protect Themselves
• What to do when an Attack Occurs

Page 3

Ultimately We’re Going To Cover…

How To Avoid Being A Sitting Duck To Cybercriminals And Protect Everything You’ve Worked So Hard To Achieve

Page 4

The Biggest Danger Is Complacency

“Success breeds complacency. Complacency breeds failure. Only the paranoid survive.” - Andrew Grove, former CEO of Intel

Page 5

A Quick Overview Of The Sophistication And Proliferation Of The Cybercrime Business

Page 6

The Digital Underground’s Thriving Black Market

• Credit card details: $2 to $90

• iTunes accounts: $8

• Physical credit cards: $190

• Card cloners: $200-$300

• Fake ATMs: $35,000

• Anyone can easily buy training, tools and services for committing fraud, hacking systems, buying stolen credit cards, setting up fake websites, etc.

Page 7

Ransomware

Page 8

How Ransomware Works

[Diagram: two infection chains, email-based and web-based]

EMAIL-BASED INFECTION: Email with malicious attachment -> Ransomware payload runs on the victim machine -> Payload obtains its encryption key from the attacker's C2 (command-and-control) infrastructure -> Files inaccessible

WEB-BASED INFECTION: User clicks a link or is served malvertising -> Malicious infrastructure delivers the ransomware payload -> Payload obtains its encryption key from C2 infrastructure -> Files inaccessible

Page 9

Emails are still popular and are getting better

TACTIC: Trick an SMB (small or mid-sized business) employee into opening a link or attachment

Page 10

Malvertising Using Hijacked Images to Target SMBs

Page 11

Your Files Are Encrypted

Page 12

Malware & Dropper Malware

Page 13

Increasingly Common Step: Dropper (an increasingly common option for ransomware)

1. Bad actor gets a piece of malware on your computer.

2. Malware sits quietly and just phones home; not the flashy/noisy malware.

3. Bad actor sells or rents the ability to infect the computer:
• Malware phones home
• Installs the main payload: Ransomware, Keylogger, Spambot

4. If the contract ends, or more capacity is wanted, install more malware.

TACTIC: Malware that installs other malware
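Step 2 above is the dropper's weak point: it has to phone home on a timer, and timers look different from people. The script below, an added example that is not part of the Zog Inc. deck, groups outbound connections by (source host, destination) and flags pairs whose inter-connection intervals and byte counts are both very regular. The hostnames, addresses and log lines are constructed, and the "timestamp src dst:port bytes_sent" log format is an assumption rather than any particular firewall or proxy's format.

```python
"""Beacon detection over outbound connection logs (added example, not from the deck).

A dropper "sits quietly and just phones home": it contacts the same C2
endpoint again and again on a timer, sending small, similarly sized
check-ins.  People browsing produce irregular timing and wildly varying
sizes.  Connections are grouped by (source host, destination) and a pair
is flagged when both the inter-connection interval and the bytes sent are
nearly constant.  Hosts, addresses and log lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: "timestamp src dst:port bytes_sent" (assumed format, not a product's).
SAMPLE_LOG = """\
2019-05-29T08:00:00 ws-17 203.0.113.10:443 412
2019-05-29T08:00:07 ws-17 198.51.100.5:443 15301
2019-05-29T08:05:01 ws-17 203.0.113.10:443 410
2019-05-29T08:09:59 ws-17 203.0.113.10:443 414
2019-05-29T08:12:30 ws-17 198.51.100.5:443 2211
2019-05-29T08:15:00 ws-17 203.0.113.10:443 411
2019-05-29T08:20:02 ws-17 203.0.113.10:443 413
2019-05-29T08:03:11 ws-22 198.51.100.7:443 88012
2019-05-29T08:31:45 ws-22 198.51.100.7:443 5120
2019-05-29T09:02:09 ws-22 198.51.100.7:443 431
2019-05-29T09:04:40 ws-22 198.51.100.7:443 23044
"""


def parse_log(text):
    """Group (timestamp, bytes_sent) events by (source host, destination)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        conns[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return conns


def coeff_var(values):
    """Coefficient of variation (population std-dev / mean).
    Near 0 means the values are almost identical, i.e. a timer; large means noisy."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def detect_beacons(text, min_connections=4, max_interval_cv=0.15, max_size_cv=0.25):
    """Return the (src, dst) pairs that look like timed check-ins, with their statistics."""
    flagged = []
    for (src, dst), events in parse_log(text).items():
        if len(events) < min_connections:   # too few samples to judge regularity
            continue
        events.sort()                       # logs are not guaranteed to arrive in order
        times = [t for t, _ in events]
        sizes = [n for _, n in events]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        interval_cv = coeff_var(intervals)
        size_cv = coeff_var(sizes)
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            flagged.append({
                "src": src,
                "dst": dst,
                "connections": len(events),
                "mean_interval_s": round(mean(intervals), 1),
                "interval_cv": round(interval_cv, 3),
                "size_cv": round(size_cv, 3),
            })
    return flagged


if __name__ == "__main__":
    for hit in detect_beacons(SAMPLE_LOG):
        print("possible beacon:", hit)
```

On the constructed log, ws-17 checking in with 203.0.113.10 every five minutes with roughly 410 bytes is flagged, while the same host's two downloads from 198.51.100.5 and ws-22's irregular browsing are not. Legitimate software (update agents, time sync, monitoring) also beacons, so the output is a hunting list to compare against an allowlist and against how many other hosts talk to the same destination; malware that adds jitter to its timer raises the interval variation, so the thresholds need tuning for your own traffic.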

Page 14

The AV-TEST Institute registers over 350,000 new malicious programs every day.

Source: https://www.av-test.org/en/statistics/malware/

Page 15

Why Isn’t My Antivirus Catching This?

Page 16

Getting around signatures: Crypters

A crypter encrypts or packs a known malware binary so that its on-disk bytes, and therefore its hash and antivirus signature, no longer match anything the scanner knows, while its behaviour when it runs is unchanged.

Can bypass 35 AVs in under 3 minutes
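Because a crypter changes only the bytes of the binary, the defence that survives it is watching what the process does rather than what it looks like. The script below is an added example (not from the Zog Inc. deck) that applies this to the "How Ransomware Works" chain on page 8: it flags a process that writes random-looking (high-entropy) data to many files within a short window, and any write at all to a planted "canary" file that no legitimate user touches. Process names, paths, the canary location and the write events are all constructed for the example.

```python
"""Behaviour-based ransomware detection (added example, not from the deck).

A crypter changes the malware's bytes, not its behaviour.  Encrypting a
file share still means one process rewriting many files, quickly, with
ciphertext.  Two checks below: (1) many high-entropy writes by one
process inside a short window, (2) any write to a decoy "canary" file.
Process names, paths and events are constructed for the example.
"""
import math
import random
from collections import defaultdict

# Constructed canary: a decoy planted on the share and watched for any write.
CANARY_FILES = {"/srv/share/~donors_DO_NOT_OPEN.xlsx"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~0 for repetitive data, ~8 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events, window_s=60, min_files=5, min_entropy=7.2):
    """events: (ts_seconds, process, path, bytes_written), sorted by ts.
    Returns one alert per (process, reason)."""
    recent = defaultdict(list)   # process -> [(ts, path)] of recent high-entropy writes
    alerts, seen = [], set()
    for ts, proc, path, data in events:
        if path in CANARY_FILES:
            if (proc, "canary") not in seen:
                alerts.append({"ts": ts, "process": proc, "reason": "canary"})
                seen.add((proc, "canary"))
            continue
        if shannon_entropy(data) < min_entropy:
            continue                       # ordinary text/CSV writes stay far below this
        recent[proc] = [(t, p) for t, p in recent[proc] if ts - t <= window_s]
        recent[proc].append((ts, path))
        files = {p for _, p in recent[proc]}
        if len(files) >= min_files and (proc, "mass_write") not in seen:
            alerts.append({"ts": ts, "process": proc, "reason": "mass_write",
                           "files": len(files)})
            seen.add((proc, "mass_write"))
    return alerts


def build_sample_events():
    """Constructed write events: one user saving letters, one process encrypting."""
    rng = random.Random(2019)
    letter = b"Dear donor, thank you for your continued support of our programs.\n" * 60
    events = []
    for i, t in enumerate((0, 120, 400)):          # a person editing documents
        events.append((t, "winword.exe", f"/srv/share/letters/letter{i}.txt", letter))
    for i in range(8):                             # eight files turned to ciphertext in 16 s
        blob = bytes(rng.getrandbits(8) for _ in range(4096))
        events.append((500 + 2 * i, "updater.exe",
                       f"/srv/share/finance/q{i}.xlsx.locked", blob))
    events.append((520, "updater.exe", "/srv/share/~donors_DO_NOT_OPEN.xlsx", b"\x00" * 16))
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for alert in detect_mass_encryption(build_sample_events()):
        print(alert)
```

On the constructed events the user's three text files never trip the entropy threshold, while "updater.exe" is reported once it has rewritten five files as ciphertext within the window and again when it touches the canary. Real DOCX, JPEG and ZIP files are already compressed and therefore high-entropy, so in production the entropy check has to be paired with the write rate, the change of extension, and canaries, which is what endpoint detection products do under the hood; none of it depends on the malware's hash, so re-packing the binary with a crypter buys the attacker nothing here.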

Page 17

Regulatory Concerns & Your Obligations

Page 18

HIPAA

• HIPAA - The Health Insurance Portability and Accountability Act (HIPAA) requires health care organizations (covered entities) and their business associates to protect the privacy and security of patients’ protected health information (PHI).

• Maintaining HIPAA compliance requires several key cyber security measures: the Security Rule calls for administrative, physical and technical safeguards for electronic PHI (a documented risk analysis, access controls, audit logging, encryption), and the Breach Notification Rule requires that breaches of unsecured PHI be reported.

Page 19

PCI DSS

• PCI DSS stands for “Payment Card Industry Data Security Standard.”

• The card brands, through the PCI Security Standards Council, require any organization that stores, processes or transmits cardholder data (a non-profit taking donations by card included) to maintain a secure environment.

• Cardholder data is the data associated with a payment card account: at minimum the primary account number (PAN), plus the cardholder name, expiration date, and service code when they are stored with it.

• Sensitive authentication data (full magnetic-stripe/chip track data, the CVV/CVC security code, PINs) may never be stored after authorization.

Page 20

NIST

• The NIST Cybersecurity Framework (CSF) is a voluntary set of standards, best practices, and recommendations for improving cybersecurity at the organizational level.

• NIST published version 1.0 of the CSF in 2014, following a 2013 presidential executive order on critical-infrastructure cybersecurity. As cyberattacks become more complex, repelling them becomes more difficult, especially without a single cohesive strategy.

• The CSF organizes that strategy around five functions: Identify, Protect, Detect, Respond, and Recover. It is guidance, not a regulation, but it is widely used as a common reference point by auditors, insurers and regulators.

• The CSF affects anyone who makes decisions about cybersecurity in their organization, and those responsible for implementing new IT policies.

Page 21

GDPR

• The European Union General Data Protection Regulation (GDPR) is a set of rules about how organizations must process the personal data of data subjects. It applies to any organization, non-profits included, that processes the personal data of people in the EU, wherever the organization itself is based.

• GDPR lays out responsibilities for organizations to ensure the privacy and protection of personal data, provides data subjects with certain rights, and assigns powers to regulators to ask for demonstrations of accountability or even impose fines in cases where an organization is not complying with GDPR requirements.

• California’s CCPA (California Consumer Privacy Act) has similar requirements.

Page 22

Recent Events

Page 23

Arc of Erie County

• 3,751 client records exposed online

• $200,000 settlement with the New York Attorney General for HIPAA violations

• “The Arc of Erie County’s work serves our most vulnerable New Yorkers and that comes with the responsibility to protect them and their sensitive personal information,” New York Attorney General Barbara Underwood said in a news release. “This settlement should provide a model to all charities in protecting their communities’ personal information online.”

Page 24

Delaware Guidance Services

• Delaware Guidance Services Ransomware Attack Impacts 50,000

• Ransomware locked the mental health service provider out of its data servers and officials say they paid the ransom to unlock the encrypted files.

Page 25

Columbia Surgical Specialists of Spokane

• Reported they paid the hackers about $14,000 during a ransomware attack so they could “immediately begin proceed unlocking the data.”

• Officials said they were concerned for patient care, as there were surgeries planned just hours after the attack.

Page 26

What is the potential impact to YOUR Non-Profit?

• HIPAA Fines
– 2018 was a record year: $28.7 million in fines and settlements

• Reputation often can’t be recovered

• Costly Downtime

• Website down = Loss of Donations / Data

Page 27

“But We’re Small... Nobody Would Bother To Hack Us, Right?”

Wrong!

• One in five small organizations falls victim to cybercrime each year and that number is GROWING. (Source: National Cyber Security Alliance)

• Small organizations are low-hanging fruit because they don’t believe they are a target, and therefore have very loose or no security systems and protocols in place.

• Half of all cyber-attacks are aimed at SMBs and non-profit organizations. (Source: Forbes article, “5 Ways Small Businesses Can Protect Against Cybercrime”)

Page 28

Why the Non-Profit segment has been and remains a target

• Tons of Personal Data

– Credit Card Records

– EMR / EHR (electronic medical / health records)

• Free software / inexpensive hosting

• Limited IT expertise

• Frequent use of volunteers

• Limited budget for security

Page 29

So How Do Non-Profits Protect Themselves?

Page 30

Reducing Security Risks

Page 31

Security is About Managing Risk Through Layers

[Diagram: the same layers applied both On-network and Off-network/Roaming]

• Email security
• Endpoint antivirus
• Firewall
• Filtering services
• Training and policy

Page 32

Recommendations

• Employee Education
• Anti-Virus
• Filtering (Email, Content, Spam, DNS)
• Firewall
• SIEM Tools
• Vulnerability Testing
• Patching
• Backup and Recovery
• Local Drive Encryption
• Mobile device policy & security policies
• Multi-Factor Authentication
• Password Policies
• Device Lockout Policies
• Onboarding / Offboarding Policies

Page 33

3 Steps To Protecting Your Organization:

Step 1: Threat Assessment. What’s lacking in your security right now? How are employees using your company-owned devices? What third-party cloud apps are you using? Are your systems truly backed up? Where are you exposed to risk? Whose job is it to make sure your network is protected, and how do you know if they’re doing their job?

Step 2: Action Plan. Based on what’s discovered, what do we need to do to ensure our systems, data and operations are secure from theft, compromise, corruption, etc.?

Step 3: Ongoing Maintenance. You definitely don’t want to take a “set-it-and-forget-it” approach to security – your attackers won’t!
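"Are your systems truly backed up?" (Step 1) and "Backup and Recovery" in the recommendations list are only answerable by actually restoring. The script below is an added example, not code from the Zog Inc. deck: it writes a backup archive together with a manifest of SHA-256 hashes, then verifies a backup by extracting it to a scratch directory and comparing every file against that manifest, reporting altered, missing and unexpected files. The "donor_db" directory, its files and the damage simulated in the demo are all constructed for the example.

```python
"""Backup verification by restore and hash comparison (added example, not from the deck).

create_backup() archives a directory and records a SHA-256 manifest;
verify_backup() restores the archive to a scratch directory and checks
every file against the manifest.  A backup job that "succeeded" but
cannot be restored intact is what this catches.  The directory contents
used by run_demo() are constructed for the example.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir: Path, archive: Path) -> dict:
    """Archive src_dir and return {relative path: sha256} for every file in it."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest


def verify_backup(archive: Path, manifest: dict) -> list:
    """Restore the archive to a scratch directory and diff it against the manifest.
    Returns a list of problems; an empty list means the backup restores intact."""
    problems = []
    with tempfile.TemporaryDirectory() as tmp:
        restore = Path(tmp)
        with tarfile.open(archive, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):          # Pythons with PEP 706 filters
                tar.extractall(restore, filter="data")   # rejects "..", absolute paths, devices
            else:
                tar.extractall(restore)
        for rel, expected in manifest.items():
            p = restore / rel
            if not p.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(p) != expected:
                problems.append(f"hash mismatch: {rel}")
        present = {p.relative_to(restore).as_posix()
                   for p in restore.rglob("*") if p.is_file()}
        problems.extend(f"unexpected file: {rel}" for rel in sorted(present - set(manifest)))
    return problems


def run_demo() -> dict:
    """Back up a constructed directory, verify it, then verify a silently damaged backup."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "donor_db"
        (src / "exports").mkdir(parents=True)
        (src / "donors.csv").write_text("id,name,amount\n1,A. Donor,250\n")
        (src / "exports" / "2019-05.csv").write_text("id,amount\n1,250\n")
        archive = root / "donor_db.tar.gz"

        manifest = create_backup(src, archive)
        good = verify_backup(archive, manifest)

        # The backup is later overwritten from a damaged source while the
        # manifest, kept elsewhere and read-only, still describes the original.
        (src / "donors.csv").write_text("id,name,amount\n1,A. Donor,0\n")
        (src / "exports" / "2019-05.csv").unlink()
        create_backup(src, archive)
        bad = verify_backup(archive, manifest)
        return {"files": len(manifest), "good": good, "bad": bad}


if __name__ == "__main__":
    print(run_demo())
```

The manifest, and at least one copy of the backup itself, must live somewhere a compromised file server or a stolen admin account cannot rewrite it (offline media or immutable/object-locked storage); ransomware that can reach the backups encrypts them along with everything else, and a manifest on the same share would simply be regenerated to match. Schedule the restore test, not just the backup job, as part of Step 3.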

Page 34

What to do in the event of an attack?

• Disconnect the affected device from the network (unplug the cable or disable Wi-Fi; leave it powered on so logs and memory are preserved for investigation)

• Implement your Incident Response Plan

• Notify your security officer

• Assess the damage and severity

Page 35

Ready to Learn More?

www.zoginc.com