© 2019 RSM US LLP. All Rights Reserved. UNDERSTANDING the CYBER THREAT LANDSCAPE

• 15+ years security and privacy experience • Originally from Brooklyn, New York; move to Florida 2018 Shan Grant • PCI QSA &PA-QSA, CISSP, CISA, Fair Credit Reporting Act (FCRA) Certification Supervisor • Worked and designed compliance programs Security, Privacy & for financial entities, fintechs, healthcare/heathtech, and non-profit Risk Services • Specializing in regulated environments: • Payment Card Industry (PCI) [email protected] • HIPAA https://www.linkedin.com/in/shan-grant/ • CRA (FCRA) • FDIC/FFIEC • Data Privacy • Career Highlight: Worked Cannes Film Festival

Different consumer rights:

Rights Covered GDPR CCPA

Right to know and of access X X Right to deletion/erasure X X ≠ Right to restriction of X processing GDPR CCPA COMPLIANCE COMPLIANCE Right to data portability X X Right to object X In addition to compliance, it’s really all Right to opt of out sale X about the data—what type of data and Right to equal service and how it is used. X price Data governance and management Right to opt In (minors under programs should consider mapping for X 16) both.

• Nevada Online Privacy Law • New York Privacy Act • Maine Act to Protect of Online Consumer Information • Massachusetts Data Privacy Law • Hawaii Consumer Privacy Protection Act • Maryland Online Consumer Protection Act

. Hacking – Breaking through vulnerability and moving laterally − Network penetration − Data leakage and theft − Social engineering

. APT – “Uninvited Guest” − Arrives into your network and stays there under the radar − Harvesting information over time − Typically not found with anti-virus software − Sophisticated

. Malware – Code that is designed to do bad things − Execution of malicious code on an infrastructure − Escalate unauthorized privileges − Shut down your network (DDOS) − Encrypt data (Ransomware)

• Let’s talk about GandCrab − On the scene in Jan 2018 − Off the scene mid 2019—complete shutdown − Reported as RaaS

All the good things come to an end. For the year of working with us, people have earned more than $2 billion… Earning with us per week $2,500,000. We personally earned more than 150 million dollars per year. We successfully cashed this money and legalized it….

• There’s no guarantee that all the data will be recovered. • Roughly 5–15% loss with a decryptor

• Business are down for an average of nine days.

• For complete recovery, it could take weeks to years. Consider: • System wipes • Recover from backups • Repeat the process for each server or computer

• Hackers attack every 39 seconds • 43% of cyber attacks target small businesses (can we find out middle market companies- how they’re subtible—from our cyber survey- here) • 2018 Hackers tole half a billion personal records • 95% of cybersecurity breaches are due to human error • Cyber-criminals and hackers will infiltrate your company through your weakest link, which is almost never in the IT department. • Most companies take nearly 6 months to detect a data breach, even major ones − Equifax, Capital One, and Facebook just to name a few. Information such as passwords, credit card details, and social security numbers may already be compromised by the time you’re notified.

• Bitwarden • Use a cloud based password safe • 1password • Dashlane − Automatically generates passwords • Lastpass − Prevents reuse of passwords • KeePassXC – not cloud based − Checks for compromised passwords https://www.wired.com/story/best-password- Complicated managers/ Password − Some allow document storage or personal detail storage − It’s in the cloud but you can export it • Use Multifactor Authentication (MFA) Enable MFA − 2 or more of the below • Something you know • Google Authenticator • Authy • Something you have • Yubico Turn on • Something you are Notifications • Consider a VPN provider Why VPN and highly rated providers: https://www.forbes.com/sites/kateoflahertyuk/2019/04/19/h − Research (google) them! eres-why-you-need-a-vpn-and-which-one-to- choose/#6e36315a23c9 • DNS Leakage − Working remotely – hop on corporate VPN

• Review privacy and security • Third-party app authorization – remove when no longer needed. • Consider what you’re posting public vs private

• Remember people can screen shot something before you have the chance to take it down

• Search yourself

• Old document

• Disable or delete old accounts

• Where is your data: − Data hosting (dropbox, box, etc.) − Digital image printing platform − Old email accounts − Old devices

• Cyber Security Tenets are the same − Patch your systems − Limit access to data and systems • Particularly write access • Off Site backups or snap shots backup service • Good AV/anti-malware

Trust nothing From Emails to Network Shares

Security, security • Always ask why someone needs your information • Do not use public Wi-Fi • People actually “dumpster dive”

Social engineering • “Delivery person,” “corporate IT” • A LinkedIn “recruiter” or “met you at a conference” request to add you to their network

Too much information (TMI) • Geolocation tagging in photos or social media posts • Be careful what you post on social media

100 NE Third Ave., Suite 300 Fort Lauderdale, FL 33301 D: 954.449.8017 [email protected] rsmus.com

This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. Internal Revenue Service rules require us to inform you that this communication may be deemed a solicitation to provide tax services. This communication is being sent to individuals who have subscribed to receive it or who we believe would have an interest in the topics discussed. RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. RSM, the RSM logo and the power of being understood are registered trademarks of RSM International Association. © 2019 RSM US LLP. All Rights Reserved.