Protecting Your Small Business In The Digital World
Sage N Clements, Security+; CEO, Sage's Computer Repair

Upload: sage-n-clements-sec
Posted on 10-Feb-2017
Category: Small Business & Entrepreneurship

TRANSCRIPT

Page 1: Protecting Your Small Business In The Digital World

Protecting Your Small Business In The Digital World

Sage N Clements, Security+; CEO, Sage's Computer Repair

Page 2: Protecting Your Small Business In The Digital World

About Sage: Busy Guy

• 15 years in the IT field
• Owner of Sage's Computer Repair
• Security+ designation from CompTIA; currently working on the CISSP
• Technology underwriter for a Fortune 500 company
• Specializes in loss control, claims handling and cyber/network security liability insurance

Page 3: Protecting Your Small Business In The Digital World

About Sage: Loves to Play

Hobbies include: programming, reverse engineering and watching wrestling (it's still real to me).

Page 4: Protecting Your Small Business In The Digital World

Agenda

• What is a Data Breach?
• Data Breach Statistics (DBIR)
• Who Are the Players?
• Why Small Businesses Are at Risk
• Reducing the Attack Surface (Tips)
• Questions?

Page 5: Protecting Your Small Business In The Digital World

What Is a Data Breach?

Page 6: Protecting Your Small Business In The Digital World

A data breach is the intentional or unintentional release of private or sensitive information to a party not authorized to have it.

Page 7: Protecting Your Small Business In The Digital World

Personally Identifiable Information (PII):
• Full Name
• Addresses
• Phone Numbers
• Email
• Date of Birth
• Social Security Number
• Credit Card Number
• IP Addresses

Private or Sensitive Information:
• Passwords
• Financials
• Medical
• Personnel Records
• Intellectual Property
• Trade Secrets
• Source Code
• Non-Disclosure Agreements

Page 8: Protecting Your Small Business In The Digital World

Rule #1: Data Breach Is Not Just An Online Risk

Page 9: Protecting Your Small Business In The Digital World

Data Breach: How It Happens

• Hacking
• Phishing
• Social Engineering
• Malware
• Ransomware
• Weak Passwords
• Outdated Software / OS
• Lack of IDS/IPS Systems
• POS Skimmers
• Unencrypted Mobile Devices
• Unencrypted Documents
• Dumpster Diving
• Improper Disposal of Documents
• Shoulder Surfing
• Piggybacking
• Theft of Equipment
• Breaking and Entering
• Employees

Page 10: Protecting Your Small Business In The Digital World

2015: A Year in Review

• Over 5,800 breaches reported
• More than 857 million records compromised
• Phishing contributed to more than 35% of reported breaches
• Phishing is on the rise!

*As reported by the ITRC: http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html

Page 11: Protecting Your Small Business In The Digital World

What is Your Password?

Page 12: Protecting Your Small Business In The Digital World

Threat Actors

• Career Hackers
• Activists
• Script Kiddies
• Employees
• Nation States
• Competitors
• Extortionists
• Organized Crime

Page 13: Protecting Your Small Business In The Digital World

Myths About Security

• "Too expensive"
• "It won't happen to me"
• "AV will protect me"
• "I don't surf bad sites"
• "Not my responsibility"

Page 14: Protecting Your Small Business In The Digital World

Financial Impact

Page 15: Protecting Your Small Business In The Digital World

Financial Impact

• The average cost per compromised record in the US is $268
• Computer forensic services run roughly $250 to $350 per hour
• Ransomware payments can be expensive
• The average defense cost for litigation matters is approximately $60,000
• More than 60% of small businesses close within 24 months after experiencing a breach
• Approximately 90% of businesses that are down for 10 days or more do not recover
• Regulatory fines are projected to become more frequent going forward

Page 16: Protecting Your Small Business In The Digital World

Rule #2: Big Or Small No One Is Immune

Page 17: Protecting Your Small Business In The Digital World

2015 Data Breaches

High Profile:
• Anthem – 78.8M
• Office of Personnel Management / US Government – 21.5M
• T-Mobile/Experian – 15M
• Excellus Blue Cross Blue Shield – 10M
• Georgia Secretary of State – 6M
• Scottrade – 4.6M

Low Profile:
• Securus Technologies – 63,000
• SRI, Inc – 9,000
• Cuesta College, CA – 4,000
• Harel Chiropractic, WI – 3,000
• Blue Zebra Sports – 1,218

Page 18: Protecting Your Small Business In The Digital World

Why Should It Matter?

Small businesses are prime targets (low-hanging fruit):

• Investment in security is low
• High volume of sensitive data
• Negative attitude toward information security
• Employees are more susceptible to social engineering attacks
• Lack of security training
• Personal and company information is readily available on social sites
• Poor backup solutions

Page 19: Protecting Your Small Business In The Digital World

Rule #3: Understand The Weakness Of Your Business and Apply Proper Controls

Page 20: Protecting Your Small Business In The Digital World

Reducing Attack Surface

Physical

Network

Annual Audits

Email

Page 21: Protecting Your Small Business In The Digital World

Reducing Attack Surface - Network

• Use complex passwords
• Keep operating systems updated
• Keep anti-malware definitions updated
• Keep sensitive data on a separate network
• Implement 2-factor authentication
• Limit admin access
• Terminate access and credentials as soon as they are no longer needed
• Encrypt computers holding sensitive data
• Keep vendor access separate from the sensitive network
• Back up data to an off-site source and test restores routinely
• Be cautious about what you and employees put on social media

2-Factor Authentication

Something You Have:
• Authentication card
• Token
• Phone
• Email (only as strong as the mailbox the code lands in; weaker than a token or authenticator app)

Something You Know:
• Password
• PIN
• Passphrase
• User name (an identifier, not a secret; it does not count as a factor on its own)

Something You Are:
• Biometrics: fingerprint, retinal scan

Two-factor means one item from each of two different categories; all three categories together is three-factor. Two items from the same category (a password plus a PIN) are still a single factor.

Page 22: Protecting Your Small Business In The Digital World

Reducing Attack Surface - Physical

• Shred sensitive documentation
• Limit outsider access to sensitive areas
• Put locks on outside trash cans
• Use locks to secure computers
• Encrypt mobile devices and computers
• Have a receptionist greet and screen visitors

Page 23: Protecting Your Small Business In The Digital World

Reducing Attack Surface - Email

• Do not open attachments from unfamiliar senders
• Train employees to recognize suspicious emails
• Simulate phishing email campaigns routinely
• If sensitive data must be emailed, encrypt it prior to sending or use an encrypted portal service
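The tells that training teaches people to spot (lookalike sender domain, Reply-To pointing somewhere else, failed SPF/DKIM, a risky attachment, pressure language) can also be checked mechanically. The block below is an added example, not code from the slides or from Sage's Computer Repair: it scores an inbound message on those indicators. The business domain `example.com`, the trusted-sender set, the keyword list, the two-indicator threshold and both sample messages are constructed assumptions for the demonstration.

```python
"""Added example (not from the slides): header/body heuristics that flag the phishing
indicators staff are trained on, run over two constructed messages."""
import email
import email.utils
import re

# Constructed assumptions: the business's own domain and the senders it trusts.
OWN_DOMAIN = "example.com"
TRUSTED_DOMAINS = {"example.com", "payroll-vendor.example"}

PRESSURE = re.compile(
    r"\b(urgent|immediately|verify your account|wire transfer|gift cards?|overdue|suspended)\b", re.I)
RISKY_EXT = (".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".zip", ".iso", ".lnk")
AUTH_FAIL = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|none|permerror)\b", re.I)


def domain_of(header_value: str) -> str:
    """'Pat <pat@examp1e.com>' -> 'examp1e.com' ('' if no address is present)."""
    _, addr = email.utils.parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_alike(candidate: str, target: str) -> bool:
    """Lookalike domain: digit-for-letter swaps (examp1e.com), dropped hyphens,
    or one typo away from the real domain."""
    if not candidate or candidate == target:
        return False
    swaps = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
    c = candidate.translate(swaps).replace("-", "")
    t = target.translate(swaps).replace("-", "")
    return c == t or edit_distance(c, t) <= 1


def phishing_indicators(raw: str) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    msg = email.message_from_string(raw)
    findings = []
    from_name, from_addr = email.utils.parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    reply_dom = domain_of(msg.get("Reply-To", ""))
    return_dom = domain_of(msg.get("Return-Path", ""))

    if from_dom not in TRUSTED_DOMAINS and looks_alike(from_dom, OWN_DOMAIN):
        findings.append(f"sender domain '{from_dom}' is a lookalike of '{OWN_DOMAIN}'")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"replies go to '{reply_dom}', not the sender domain '{from_dom}'")
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain '{return_dom}' differs from From domain '{from_dom}'")
    if "@" in from_name and domain_of(from_name) != from_dom:
        findings.append("display name shows an address on a different domain than the real sender")
    auth = msg.get("Authentication-Results", "")
    if AUTH_FAIL.search(auth):
        findings.append(f"sender authentication did not pass: {auth.strip()}")

    texts = [msg.get("Subject", "")]
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXT):
            findings.append(f"attachment '{filename}' has an executable, macro or archive extension")
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            texts.append(payload.decode("utf-8", errors="replace"))
    hits = sorted({m.lower() for m in PRESSURE.findall(" ".join(texts))})
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


def is_suspicious(raw: str, threshold: int = 2) -> bool:
    """Assumed policy: two or more independent indicators earn a second look."""
    return len(phishing_indicators(raw)) >= threshold


# Constructed sample: a business-email-compromise style lure (not a real message).
SAMPLE = """\
Return-Path: <bounce@mail-blast.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-blast.example.net; dkim=none
From: "Pat Owner" <pat.owner@examp1e.com>
Reply-To: pat.owner.ceo@gmail.com
To: bookkeeper@example.com
Subject: URGENT wire transfer before 5pm
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

I'm in a meeting and can't talk, please handle this immediately. Invoice attached.
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed sample: an ordinary internal message.
CLEAN = """\
Return-Path: <alex@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass
From: Alex <alex@example.com>
To: bookkeeper@example.com
Subject: Lunch on Friday?
Content-Type: text/plain

Tacos at noon?
"""

if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE):
        print("-", line)
    print("clean message findings:", phishing_indicators(CLEAN))
```

None of these checks is proof on its own (a legitimate newsletter fails the Return-Path test every day), which is why the verdict counts independent indicators rather than any single one. The same list of findings makes a good debrief for a simulated phishing campaign: it tells an employee what they could have noticed.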

Page 24: Protecting Your Small Business In The Digital World

Reducing Attack Surface - Audits

Physical:
• Accessing the premises
• Shoulder surfing
• Dumpster diving
• Cloning credentials
• Tailgating

Vulnerability Assessments:
• Non-invasive network scans
• Outdated software

Penetration Testing:
• Invasive network scans
• DoS/DDoS (only with the scope and timing agreed in writing beforehand)
• Brute force
• Exploitation
• Exfiltration of data

Social Engineering:
• Phishing
• Whaling (phishing aimed at executives)
• Targeting disgruntled employees
• Social media profiles
• Background procedures
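A non-invasive network scan only becomes an audit finding once someone reads the output and decides what matters. The block below is an added example, not code from the slides or from Sage's Computer Repair: it parses nmap's grepable (`-oG`) output and flags the exposed services and end-of-life banners a small-office assessment report would list. The scan text, the host names and IPs, the port rules, the end-of-life patterns and the per-host allowlist are all constructed assumptions; run it against your own `nmap -sV -oG` file to use it for real.

```python
"""Added example (not from the slides): triage of an nmap -oG scan of a small office
network, turning raw port lines into the findings an audit report lists."""
import re

# Constructed sample of nmap -oG output for a /24 office network (not a real scan).
SCAN = """\
# Nmap 7.80 scan initiated as: nmap -sV -oG office.gnmap 192.168.10.0/24
Host: 192.168.10.1 (gw.office.lan)\tStatus: Up
Host: 192.168.10.1 (gw.office.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//lighttpd 1.4.35/\tIgnored State: closed (998)
Host: 192.168.10.20 (pos-1.office.lan)\tPorts: 23/open/tcp//telnet//Linux telnetd/, 445/open/tcp//microsoft-ds//Windows 7 Professional 7601 Service Pack 1 microsoft-ds/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (997)
Host: 192.168.10.31 (fileserver.office.lan)\tPorts: 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, 445/open/tcp//microsoft-ds//Samba smbd 4.3.11/, 3306/open/tcp//mysql//MySQL 5.5.62/\tIgnored State: closed (997)
Host: 192.168.10.55 (printer.office.lan)\tPorts: 21/open/tcp//ftp//HP JetDirect ftpd/, 9100/open/tcp//jetdirect//HP JetDirect/\tIgnored State: closed (998)
# Nmap done -- 256 IP addresses (4 hosts up)
"""

# Assumed audit rules: ports that should not be reachable across an office LAN.
PORT_RULES = {
    21: "cleartext FTP: credentials and files cross the network unencrypted",
    23: "cleartext telnet: credentials cross the network unencrypted",
    139: "SMB/NetBIOS: file sharing and lateral-movement path",
    445: "SMB: file sharing and lateral-movement path",
    3389: "RDP: remote administration reachable from the network",
    5900: "VNC: remote administration reachable from the network",
    1433: "database (MSSQL) listening on the network",
    3306: "database (MySQL) listening on the network",
    5432: "database (PostgreSQL) listening on the network",
}
# Version banners that identify software past its vendor end-of-life date.
EOL_BANNERS = [
    (re.compile(r"Windows (XP|7|Server 2003|Server 2008)\b"), "end-of-life Windows version"),
    (re.compile(r"MySQL 5\.[0-5]\b"), "end-of-life MySQL branch"),
]
# Services that are expected on a given host and therefore not findings (assumed).
EXPECTED_SERVICES = {"fileserver.office.lan": {139, 445}}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_gnmap(text: str) -> dict:
    """{(ip, hostname): [(port, proto, service, version), ...]} for open ports only.
    A -oG port entry is port/state/proto/owner/service/rpc/version/."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, rest = m.groups()
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
                if state == "open":
                    hosts.setdefault((ip, name), []).append((int(port), proto, service, version))
    return hosts


def triage(hosts: dict) -> list:
    """[(ip, hostname, port, reason), ...] for every rule or banner that fires."""
    findings = []
    for (ip, name), services in hosts.items():
        allowed = EXPECTED_SERVICES.get(name, set())
        for port, _proto, _service, version in services:
            if port in PORT_RULES and port not in allowed:
                findings.append((ip, name, port, PORT_RULES[port]))
            for pattern, reason in EOL_BANNERS:
                if pattern.search(version):
                    findings.append((ip, name, port, f"{reason}: {version}"))
    return findings


if __name__ == "__main__":
    for ip, name, port, reason in triage(parse_gnmap(SCAN)):
        print(f"{name} ({ip}) tcp/{port}: {reason}")
```

The point-of-sale host is the one to act on first: it runs an end-of-life operating system and exposes telnet, SMB and RDP on the same segment as everything else, which is exactly the "keep sensitive data on a separate network" failure from the network slide. Keep the allowlist honest; it is what separates an audit finding from an expected service, and it should be reviewed when hosts change roles.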

Page 25: Protecting Your Small Business In The Digital World

Recap

Remember the 3 Rules:
• Data breach is not just an online risk
• No one is immune to a data breach
• Understand the weaknesses of your business and apply proper controls

Have a business continuity plan in place
Reduce your attack surface
Consistency is the key
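The network slide says to back up off-site and test routinely, and the recap says to have a continuity plan; a backup that has never been restored is neither. The block below is an added example, not code from the slides or from Sage's Computer Repair, of what "test the backup" means in practice: build a tar.gz archive with a SHA-256 manifest, restore it into scratch space, and compare every file, refusing archive entries that would write outside the restore directory. The sample files and the stale-manifest scenario in `run_demo` are constructed; the off-site copy and the schedule are left to your backup tooling.

```python
"""Added example (not from the slides): make a backup archive with a SHA-256 manifest,
then prove it restores by extracting to scratch space and comparing every file."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path) -> dict:
    """Tar+gzip src_dir; return and save {relative path: sha256} taken at backup time."""
    src, archive_path = Path(src_dir), Path(archive_path)
    manifest = {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    Path(str(archive_path) + ".sha256.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive_path, manifest: dict) -> list:
    """Restore into a scratch directory and diff it against the manifest.
    Returns a list of problems; [] means the backup restores completely and intact."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            for member in tar.getmembers():   # never extract paths that escape scratch
                if member.name.startswith("/") or ".." in Path(member.name).parts:
                    problems.append(f"unsafe path in archive: {member.name}")
            if problems:
                return problems
            try:
                tar.extractall(scratch, filter="data")   # safe-extraction filter where available
            except TypeError:
                tar.extractall(scratch)
        root = Path(scratch)
        restored = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
        for rel, expected in manifest.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored[rel]) != expected:
                problems.append(f"content mismatch: {rel}")
        for rel in sorted(restored.keys() - manifest.keys()):
            problems.append(f"unexpected file in restore: {rel}")
    return problems


def run_demo() -> dict:
    """Constructed data: back it up, verify, then show that data changed after the
    backup is caught when the archive is checked against today's hashes."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "books"
        (src / "2016").mkdir(parents=True)
        (src / "ledger.csv").write_text("date,amount\n2016-12-31,100.00\n")
        (src / "2016" / "invoices.txt").write_text("INV-001 paid\n")
        archive = Path(work) / "books-backup.tgz"
        manifest = make_backup(src, archive)
        clean = verify_restore(archive, manifest)
        # Work continued after the backup ran; the archive no longer holds current data.
        (src / "ledger.csv").write_text("date,amount\n2016-12-31,100.00\n2017-01-02,42.00\n")
        current_hashes = {rel: sha256_file(src / rel) for rel in manifest}
        stale = verify_restore(archive, current_hashes)
        return {"files": sorted(manifest), "clean": clean, "stale": stale}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

Store the manifest with the off-site copy and run `verify_restore` on a schedule from a machine other than the one that made the backup; a restore test that only ever runs on the source host proves little about the day the source host is gone.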

Page 26: Protecting Your Small Business In The Digital World

Questions?

Page 27: Protecting Your Small Business In The Digital World

Sage N Clements, Security+
Email: [email protected]
Follow us on Twitter: @SagesCompRepair
We are on G+
Like us on Facebook: https://www.facebook.com/sagescomputerrepair/

Page 28: Protecting Your Small Business In The Digital World

Resources

• Identity Theft Resource Center - http://www.idtheftcenter.org/
• Verizon Data Breach Investigations Report (DBIR) - http://www.verizonenterprise.com/DBIR/