ID Theft and Data Breach Mitigation
Jeremy Gilbert, GCFE, GASF, EnCE, CPA
IT Advisory

Agenda
- Consumer ID theft issues
- Data breach trends
- Laws and regulations
- Assessing and mitigating your risk

Consumer Identity Theft Issues

Consumer ID Theft Statistics
- ID theft up 16% in 2016 [1]
- In 2014, the IRS paid $5.8 billion in fraudulent refunds [2]
- Virginia: 56,000 PHI records stolen since 2016 [3]
Sources: [1] Federal Trade Commission; [2] Government Accountability Office; [3] US Department of Health and Human Services Office for Civil Rights

How to Respond to ID Theft
- File a police report
- File a complaint with the FTC
- File Form 14039 with the IRS
- Place a fraud alert on your credit report
- Consider a credit freeze
- Dispute fraudulent accounts
- Contact your creditors

How Your ID Is Stolen
- Personal carelessness
- External hackers
- Data breaches
- Your information is for sale
- Social engineering, targeting either you or someone you do business with
- Social engineering example: Fusion, Real Future, episode 8

The Price of Your Identity
Common prices for ID information:
- US Fullz: $30
- Health insurance credentials: $20
- Bank account with $75,000: less than $300
- Date of birth: $11
- Credit card account: $4 to $13
Source: Dell SecureWorks

Protecting Yourself
- Never re-use passwords
- Guard personal information
- Never re-use passwords
- Use multi-factor authentication
- Set account access PINs at phone and utility providers
- Never re-use passwords, seriously

Data Breach Trends

2015 Data Breaches
- Xoom: victim of a $31 million Business Email Compromise (BEC)

Recent Data Breaches
- Anthem and Premera breaches: 80 million and 11 million PHI records
- US Office of Personnel Management: 21 million victims
- Ashley Madison
- Equifax: 143 million customers

Breach Methods
- Phishing and spear phishing attacks: 13% of users will click on links in phishing emails [1]
- Stolen, weak, or default credentials: used in 63% of breaches [1]
Source: [1] Verizon 2016 Data Breach Investigations Report

Breach Methods (continued)
- Web app attacks: attacks against existing pages; hacking servers to host malicious pages
- Point of sale intrusions/card skimmers: used to scrape credit card data (Target, Home Depot, Hilton Worldwide)
- Insider attacks

Breach Methods (continued)
- Mistakes: accidental misdelivery
- Physical theft
- Malware: malvertising
- Deliberate cyber attack: industrial espionage

Cost of a Breach
Average breach cost [1]:
- Small businesses: $86,500
- Large businesses: $861,000
Notable exceptions:
- Anthem Healthcare: $5.55 million fine
- Cost of Target breach: $252 million
- Equifax 2017 breach: estimated $300 million to $4 billion
Source: [1] Kaspersky Labs survey

Laws and Regulations

Careful With the Word "Breach"
- "Breach" has legal meaning and suggests you may have legal liability
- Security teams should use "security incident" until it is determined that a breach has occurred

Federal Laws and National Regulations
- HIPAA-HITECH: healthcare data (PHI)
- FTC Red Flags Rule: applies to financial institutions
- PCI-DSS: payment cards
- FISMA: applies to federal contractors

State Laws
- 48 different state laws, all varying in timing, method, and extent of notice required
- Virginia: if a breach of PII is identified, you must notify the Virginia Attorney General and all affected Virginia residents

Assessing and Mitigating Your Risk

Assessing Your Risk
- 77% of businesses have suffered some form of data loss [1]
- A matter of when, not if
- Higher risk if you handle financial information or healthcare data
Source: [1] Kaspersky Labs survey

Information Security Lifestyle

Security Process: Identify
- Assess your IT environment and understand the nature of your data
- Understand industry and regulatory compliance requirements
- Perform an information security risk assessment

Security Process: Protect the Environment
- Implement controls based upon the security risk assessment: physical, technical, administrative
- Assign roles and responsibilities for maintaining controls

Security Process: Detect Incidents
- Monitoring and event logging functions
- Automated solutions where possible, but tailor alerting to limit false positives!
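An added example (not from the deck) that ties the "stolen, weak, or default credentials" breach method to the "tailor alerting to limit false positives" point: a naive per-source failure-count rule beside a tuned rule that keys on the number of distinct accounts a source fails against, with an allowlist for an authorised scanner, run over constructed OpenSSH-style auth log lines. The hostnames, usernames and addresses are invented for the sample.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from the deck); the format mimics
# OpenSSH "Failed password" syslog entries.
SAMPLE_LOG = """\
Mar 10 09:00:01 web1 sshd[1201]: Failed password for alice from 10.0.5.7 port 51000 ssh2
Mar 10 09:00:04 web1 sshd[1201]: Failed password for alice from 10.0.5.7 port 51001 ssh2
Mar 10 09:00:09 web1 sshd[1201]: Failed password for alice from 10.0.5.7 port 51002 ssh2
Mar 10 09:00:15 web1 sshd[1201]: Failed password for alice from 10.0.5.7 port 51003 ssh2
Mar 10 09:01:00 web1 sshd[1302]: Failed password for admin from 203.0.113.9 port 40001 ssh2
Mar 10 09:01:01 web1 sshd[1302]: Failed password for root from 203.0.113.9 port 40002 ssh2
Mar 10 09:01:02 web1 sshd[1302]: Failed password for invalid user test from 203.0.113.9 port 40003 ssh2
Mar 10 09:02:00 web1 sshd[1410]: Failed password for svc-a from 10.0.9.2 port 33000 ssh2
Mar 10 09:02:01 web1 sshd[1410]: Failed password for svc-b from 10.0.9.2 port 33001 ssh2
Mar 10 09:02:02 web1 sshd[1410]: Failed password for svc-c from 10.0.9.2 port 33002 ssh2
"""

LINE_RE = re.compile(
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port")

def parse(log):
    """Yield (outcome, user, source_ip) for each recognised auth line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def naive_alerts(log, max_failures=3):
    """Alert on any source with more than max_failures failed logins.
    Fires on alice mistyping her own password (false positive) and misses
    the source that tries three different accounts once each."""
    fails = defaultdict(int)
    for outcome, _user, ip in parse(log):
        if outcome == "Failed":
            fails[ip] += 1
    return sorted(ip for ip, n in fails.items() if n > max_failures)

def tuned_alerts(log, min_accounts=3, allowlist=frozenset()):
    """Alert only when one source fails against min_accounts or more distinct
    usernames (the password-spraying shape), skipping allowlisted sources
    such as an authorised scanner. One user retrying their own account does not fire."""
    targets = defaultdict(set)
    for outcome, user, ip in parse(log):
        if outcome == "Failed" and ip not in allowlist:
            targets[ip].add(user)
    return sorted(ip for ip, users in targets.items()
                  if len(users) >= min_accounts)
```

Running both rules over the sample shows the naive rule alerting on 10.0.5.7 (a legitimate user) only, while the tuned rule with 10.0.9.2 allowlisted alerts on 203.0.113.9 only.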
Security Process: Respond to Incidents
- Execution of the incident response plan
- Strong response capabilities can limit impact
- Understand specific reporting requirements and key contacts

Security Process: Recover
- Recovery plans and activities to restore business services
- Recovery planning is key to organizational resilience
- Work with contracting officers and authorities

Additional Resources
- FTC Guide for Assisting Identity Theft Victims: https://www.consumer.ftc.gov/articles/pdf-0119-guide-assisting-id-theft-victims.pdf
- FTC Consumer ID Theft Guide: https://www.consumer.ftc.gov/articles/pdf-0009-taking-charge.pdf
- IdentityTheft.gov
- Experian Credit Freeze Procedures: https://www.experian.com/freeze/center.html
- Equifax Credit Freeze Procedures: https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp
- TransUnion Credit Freeze Procedures: https://www.transunion.com/credit-freeze/place-credit-freeze
- TwoFactorAuth.org website: https://twofactorauth.org/

ID Theft and Data Breach Mitigation
Jeremy Gilbert, GCFE, GASF, EnCE, CPA
Manager, DHG IT Advisory
843-727-3251