Presentation Transcript

  1. Cybersecurity: Don't Be Scared; Be Prepared
     Dean Choudhri, CISSP, CISM, CRISC
     Assistant Vice President, Cybersecurity and Information Assurance, Alloya Corporate FCU

  2. Agenda
     • Current Cybersecurity Landscape
     • What You Can Do to Protect Your Credit Union & Members
     • What the Future Holds (Hint: Wash, Rinse, Repeat)

  3. Everything Old Is New Again
     • Analyzed current cybersecurity investigative reports from the FBI and a large security services provider
     • What we learned:
       • Small businesses are primary targets
       • Ransomware is on the rise
       • Phishing attacks continue to dominate
       • The human factor continues to be a weakness

  4. Cybersecurity Threats
     The threats below accounted for nearly 2/3 of all security incidents at financial institutions:
     • Ransomware
     • Financial Malware
     • Phishing and Business Email Compromise

  5. Who Are The Perpetrators
     • Nearly 75% of attacks were by outsiders
       • Generally, members of small criminal organizations
       • Small percentage of nation states (comparatively)
     • Remaining 25% were insiders
       • Difficult to detect a legitimate user who is stealing your data
       • (Honest) mistakes happen; nearly 20% of incidents caused by insiders were accidental

  6. Data Breach Costs

  7. How Much Is This Going To Cost?
     • Reputational damage
     • Members leaving the credit union
     • Everyday, operational costs (you still need to run your credit union!)
     • Consider a Cyber Insurance Policy

  8. Who Are The Victims?
     • The short answer is EVERYONE
     • Senior citizens experienced the greatest losses
     • What is the member demographic of your credit union?

  9. Top 10 States By Number Of Victims
     Combined, NJ, NY and PA rank second highest in the country

  10. Top 10 States By Victim Loss
      Source: 2017 IC3 Report

  11. Top 10 Crimes

  12. Types Of Crimes

  13. Ransomware
      • Malicious software installed on your computer, often via phishing emails
      • Encrypts data on your computer or network
      • You must pay a ransom for the decryption key! (Paying does not guarantee a working key; tested, offline backups are the real recovery path.)

  14. Hackers' Most Preferred Method
      Email is the primary way to conduct business AND is the primary attack method used to:
      • Commit fraud
      • Steal your identity
      • Install ransomware
      • Steal personal account information
      • Capture your online credentials

  15. Phishing/Business Email Compromise
      • Phishing
        • Emails that appear to be from legitimate institutions
        • NACHA, Amazon, FedEx, Microsoft, LinkedIn, Facebook, etc.
        • Entice you to click on a link or attachment
        • 4% of users will always click!
      • Business Email Compromise (BEC)
        • Spoof company email accounts and impersonate executives
        • Use hacked email accounts of your vendors to send invoices to the AP department

  16. (Screenshot of a phishing email, with callouts)
      • Not a real email address
      • More links...
      • Clicking on any of the links in this email could result in malware being installed on your computer, credential theft, and account takeover

  17. (Screenshot of a phishing email, with callouts)
      • Not a valid email address
      • Includes a link to click on
      • Safety Tip: Hovering over the link will show you the actual website you will be directed to. It's not Microsoft!
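The "hover over the link" check on slides 16 and 17 can be done programmatically on an email's HTML body: pull every anchor, compare the destination host with what the visible text claims, and flag the mismatch. The code below is an added example, not something from the presentation; the sample HTML is constructed for this example and the BRAND_DOMAINS table is an assumption (a real deployment would use its own list and a public-suffix library instead of the crude two-label domain approximation used here).

```python
"""Flag anchors whose visible text disagrees with where the href really points."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: brands commonly impersonated and the domains they really use.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "office.com", "live.com"},
    "amazon": {"amazon.com"},
    "fedex": {"fedex.com"},
}

# Constructed sample body: two lookalike links and one legitimate one.
SAMPLE_HTML = """
<p>Your mailbox is almost full.
<a href="http://login.micr0soft-support.xyz/auth">Sign in to Microsoft</a> to keep receiving mail.</p>
<p>Track your parcel at <a href="https://track.fedex.com.evil-tracker.net/">www.fedex.com</a></p>
<p>Questions? See our <a href="https://www.microsoft.com/help">help page</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_links(html):
    """Return one finding per anchor: href, visible text, suspicious flag and the reasons."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        target_host = registrable_domain(target.hostname or "")
        reasons = []
        if target.scheme not in ("http", "https", "mailto"):
            reasons.append(f"unexpected URL scheme {target.scheme!r}")
        # Case 1: the visible text itself looks like a URL or domain that differs from the target.
        if "." in text and " " not in text:
            shown = urlparse(text if "://" in text else "http://" + text)
            shown_host = registrable_domain(shown.hostname or "")
            if shown_host and shown_host != target_host:
                reasons.append(f"text shows {shown_host} but link goes to {target_host}")
        # Case 2: the text names a brand, but the target is not one of that brand's domains.
        for brand, domains in BRAND_DOMAINS.items():
            if brand in text.lower() and target_host not in domains:
                reasons.append(f"mentions {brand} but host {target_host} is not a {brand} domain")
        findings.append({"href": href, "text": text, "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse_links(SAMPLE_HTML):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['text']!r} -> {f['href']}  {'; '.join(f['reasons'])}")
```

On the sample body the first two anchors are flagged (a Microsoft-branded link to a non-Microsoft host, and a FedEx-looking subdomain that actually belongs to evil-tracker.net) while the third is clean. The same two checks are what a user does by eye when hovering; running them over the whole body catches the links a reader never hovers.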

  18. BEC Is On The Rise
      • July 2018: FBI issues PSA regarding BEC
      • Asian banks are the primary destination of funds
      • Since 2013:
        • $12 billion in losses worldwide
        • Nearly $3 billion from U.S. victims
        • More than half of that amount was during the previous 18 months

  19. Business Email Compromise Who are the targets?

  20. Business Email Compromise
      • Ransomware is on the rise
      • Phishing attacks continue to dominate
      • The human factor continues to be a weakness

  21. (Screenshot of a BEC email, with callouts)
      • To prevent spoofing, Alloya tags all emails that originate from outside of the organization
      • Hovering over the link shows you the actual website you will be visiting
      • Generic: there is no contact number, email address, etc.
      • Staff should be instructed to call a verified number to validate
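Slide 21 describes tagging mail that originates outside the organization so that a spoofed executive is obvious to the recipient. The code below is an added example of that rule, not Alloya's gateway configuration (which the slide does not show): it parses a raw message, prefixes the Subject of external mail, and also records two BEC tells, a display name that imitates an internal address and a Reply-To that points somewhere other than the apparent sender. The internal domain, the X- header name and both sample messages are assumptions constructed for this example; a real gateway would use the envelope sender and SPF/DKIM/DMARC results rather than the From header alone.

```python
"""Tag external mail and flag common BEC header tricks (added example)."""
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example-cu.test"}  # assumed internal domain for this example
TAG = "[EXTERNAL] "
WARNING_HEADER = "X-Phish-Warning"  # assumed header name for this example

# Constructed sample: display-name spoof of an internal address, replies diverted elsewhere.
SPOOFED = b"""From: "ceo@example-cu.test" <ceo.urgent@gmail.com>
Reply-To: ceo.urgent@protonmail.com
To: ap@example-cu.test
Subject: Urgent wire request

Please process the attached invoice today.
"""

# Constructed sample: ordinary internal mail that must not be tagged.
INTERNAL = b"""From: Jane Doe <jane.doe@example-cu.test>
To: ap@example-cu.test
Subject: Lunch order

Sandwiches today?
"""


def domain_of(address):
    """Domain part of an email address, lower-cased ('' if there is none)."""
    return address.rpartition("@")[2].lower()


def classify(msg, internal_domains=INTERNAL_DOMAINS):
    """Return (is_external, warnings) for a parsed message, judged from its headers."""
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    is_external = from_domain not in internal_domains
    warnings = []
    # BEC display-name trick: the visible name carries an internal address or domain
    # while the real sending address is external.
    if is_external and any(d in display_name.lower() for d in internal_domains):
        warnings.append("display name imitates an internal address")
    # Replies are routed to a different domain than the apparent sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != from_domain:
        warnings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")
    return is_external, warnings


def tag_external(raw, internal_domains=INTERNAL_DOMAINS):
    """Parse raw message bytes; prefix the Subject of external mail and attach warnings.

    Returns (message, is_external, warnings) so callers can act on the verdict too.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    is_external, warnings = classify(msg, internal_domains)
    subject = str(msg.get("Subject", ""))
    if is_external and not subject.startswith(TAG):
        del msg["Subject"]
        msg["Subject"] = TAG + subject
    if warnings:
        msg[WARNING_HEADER] = "; ".join(warnings)
    return msg, is_external, warnings


if __name__ == "__main__":
    for raw in (SPOOFED, INTERNAL):
        msg, ext, warns = tag_external(raw)
        print(f"external={ext} subject={str(msg['Subject'])!r} warnings={warns}")
```

The tag is a visual aid for the recipient, not proof of anything: an attacker who has taken over a real vendor mailbox (the invoice scenario on slide 15) sends mail that is genuinely external and carries no header tricks, which is why the slide's last point, calling a verified number, still applies to every payment request.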

  22. (Screenshot of a credential-phishing email, with callout)
      • Includes a link which would ask me to sign in with my account credentials

  23. Possible Initiatives To Enhance Cybersecurity
      • Upgrade systems and third-party tools
      • Move (carefully and with a lot of thought) additional systems and applications to the Cloud
      • Increase member and staff education
      • Further restrict non-business use of credit union systems

  24. How To Inform Members And Staff About Cybersecurity
      • Newsletters
      • Postings on website
      • Email blasts
      • In person (at branch or in office)

  25. Low Cost, High Impact Protection/Prevention
      • Security awareness costs nothing and can save big $$$
      • Inform staff about the dangers of phishing and BEC
      • Advise staff that they should contact the requestor (even the CEO) via phone or in person (not via email!) to verify a request
        • Use known and verified contact numbers
      • Security awareness culture starts at the top
      • Be aware of your online presence. Your LinkedIn profile can make you a potential target

  26. Protection/Prevention
      Continuous security training at Alloya:
      • Annually
        • Online, one-hour session required for everyone
      • Periodically
        • Online, short five-minute sessions
        • Send email notifications and reminders
        • Test users by sending phishing emails
      Results: We have seen significant and measurable improvements in:
      • Understanding the danger and their security role
      • Ability to detect phishing and business email compromise scams

  27. Protection/Prevention
      • Do not allow users to install software
      • Email is for work purposes only. Do not tie your personal business (Amazon, Apple, personal banking) to your work email address
      • Patch systems quickly
      • Use and UPDATE your anti-virus software; use anti-malware software. Newer AV products add machine-learning detection on top of signatures for increased protection

  28. What's Around The Corner?
      • It is expected that the current threats facing financial institutions will continue to make up the majority of incidents
      • Ransomware will continue to be a growing threat
        • Low cost; hackers make money by asking for money
        • Virtual currency payments
      • Social engineering via:
        • Business Email Compromise
        • Phishing!
        • Phone and Text

  29. Free Cybersecurity Resources
      • NCUA Cybersecurity:
      • Phishing:
      • Center For Internet Security:
      • SANS:
      • Premier View! We regularly post alerts regarding the latest security topics.

  30. Thank you!
      Dean Choudhri, CISSP, CISM, CRISC
      Assistant Vice President, Cybersecurity & Information Assurance
      (518) 292-3846