Webinar: Understanding the Cyber Threat Landscape for Nonprofits
0 likes165 views
This document discusses understanding the cyber threat landscape for nonprofits. It notes that nonprofits face a high risk of cyber intrusion due to complacency, lack of security expertise and budgets, and lack of independent security audits. Cybercriminals may target nonprofits for economic gain, hacktivism, personal information, or donor lists. Examples are given of past cyber attacks on nonprofits. Motivations of threat actors and potential impacts of security incidents are examined. Methods that could be used to damage nonprofits are outlined.
Webinar: Understanding the Cyber Threat Landscape for Nonprofits
- 4. Matthew Ferrante, Partner at Withum Summary Accolades • Sony Network Intrusions, Target Data Breach, Neiman Marcus, Banner Health Networks, etc.. • Cyber Services to SMEs, Global Enterprises, Nonprofits, Energy, Technology, Crypto, Manufacturing, Medical, etc.. • Criminal, Civil, Regulatory Actions, Class Action Lawsuits Technical Experts • Barclays Global Security Transformation • US Secret Service Top Electronic Crimes Expert • Awarded by Debit & Credit Card Industry • US Secret Service’s Director’s Citation • US Department of Justice Awards for Invaluable Expertise • Designed the First Title III Computer Network Wiretap in United States • 65+ hackers apprehended Globally… Summary Special Operations > Disaster Recovery | Business Continuity Rebuild of NYFO after 09/11 Attacks > Operation Firewall / Operation ‘Get Rich or Die Tryin’ > Joint Terrorism Task Force (USSS E‐Crimes Support) > 50th & Broadway: PBX Hacking, Access Device Fraud & Shoulder Surfing > Al‐Qaeda Network Takedowns: Netherlands, Middle East, etc.. This presentation is protected by U.S. copyright laws. Reproduction and/or distribution of the presentation without written permission of Withum is prohibited. ©2019 WithumSmith+Brown, PC All rights reserved.
- 7. Incident Response & Cyber Forensics • Criminal Actions • Regulatory Violations • Asset Identification • Restitution • Civil Actions • Intellectual Property Theft • Organized Crime • Supplier Misconduct • IT Misconduct • Employee Misconduct • Whistle Blowers • Data Leakage / Data Loss • Unauthorized Forwarding of Confidential Information • Espionage • Terrorism • Child Pornography • Kidnapping • Extortion • Fraud • Insider Trading • Price Fixing • Threats • Hacking • Data Breaches • Hacktivism • Proxy Busting • Intelligence • Social Networking Analytics • Due Diligence & Audits • Incident Response Support This presentation is protected by U.S. copyright laws. Reproduction and/or distribution of the presentation without written permission of Withum is prohibited. ©2020 WithumSmith+Brown, PC All rights reserved. Withum Cyber
- 8. This presentation is protected by U.S. copyright laws. Reproduction and/or distribution of the presentation without written permission of Withum is prohibited. ©2020 WithumSmith+Brown, PC All rights reserved. • STRATEGY • IDENTIFICATION • COLLECTION • PRESERVATION • RECOVERY • PROCESSING • REVIEW • REPORTING ***GIGO*** Modern Incident Response and Forensic Analysis of Devices
- 10. Nonprofits High‐Risk of Cyber Intrusion • Complacency / Weak Security • No Cohesive Security Strategy • Lack of CISO / vCISO / Director of Security • Limited IT Security Expertise • Misaligned and/or Limited IT Security Budget • Lack of Independent Modern Cyber Security Audits This presentation is protected by U.S. copyright laws. Reproduction and/or distribution of the presentation without written permission of Withum is prohibited. ©2020 WithumSmith+Brown, PC All rights reserved.
- 11. High‐Risk of Cyber Intrusion for Nonprofits • Economic Gain: Assets & Personal Information • Hacktivism: Radical Groups • Vanity, Revenge, Outrage and more… • Confidential information, e.g. PII Data • Donor Lists | Springboarding This presentation is protected by U.S. copyright laws. Reproduction and/or distribution of the presentation without written permission of Withum is prohibited. ©2020 WithumSmith+Brown, PC All rights reserved.
- 12. Breakdown Cybercrime Economy in Profits • Illicit Online Markets: $860 Billion • Theft of Intellectual Property or Trade Secrets: $500 Billion • Data Trading: $160 Billion • Cybercrime‐As‐A‐Service: ~$1.6 billion • Ransomware: $1 Billion This presentation is protected by U.S. copyright laws. Reproduction and/or distribution of the presentation without written permission of Withum is prohibited. ©2020 WithumSmith+Brown, PC All rights reserved.
- 13. Cyber Security Stats and Facts • Cybercrime economy in profits: • Cybercrime Damages: • Ransomware Attacks: • Top Country Targeted: • Est. Records Exposed 2018 ‐ 2023: • Est. Cost Per Record Exposed: • Average Cost of Data Breach: • Dark Web Cybercrime Toolkit Cost: This presentation is protected by U.S. copyright laws. Reproduction and/or distribution of the presentation without written permission of Withum is prohibited. ©2020 WithumSmith+Brown, PC All rights reserved. Source: IBM/Ponemon $1.5 Trillion $6 Trillion by 2021 14 Sec. | 11 Sec. 2021 USA $146 Billion $242 per record $8 Million
- 14. COVID‐19 Related Cyber Attack Statistics Since COVID‐19 pandemic began: • Cyber attacks up 400% • Google has been blocking 18 million COVID‐19 related phishing emails and malware daily • Spear‐phishing attacks increased 667% • FBI complaint center for internet crime has received over 3,600 COVID‐19 related scam complaints • COVID‐19 related phone scams are on the rise • Ransomware attacks increased 148% • Average amount demanded for ransomware attacks increased 33% Source: techjury
- 15. COVID‐19 Related Cyber Attack Statistics (Cont.) • 46% of businesses that started working remotely have experienced at least one form of a cybersecurity attack • Phishing websites have increased by 350% • Between March 9th and March 23rd, over 300,000 coronavirus keyword‐related websites were created. • Banks have experienced a 238% increase in cyberattacks Source: techjury
- 19. Polling Question 1 • What are the biggest challenge for your Nonprofit? A. Technology Refresh(es) B. Security C. Compliance, e.g. e‐PHI/ HIPAA, NY‐SHIELD, CCPA, GDPR D. All of the Above
- 25. Nonprofits Related Cyber Attacks • Contractor Serving Greater Morristown Nonprofits • Reagan Foundation • Nonprofit Times, MIP • Kansas University Endowment and Community Foundation of Texas • People Inc. • Massachusetts Nonprofit Shelter Targeted by Ransomware
- 33. This presentation is protected by U.S. copyright laws. Reproduction and/or distribution of the presentation without written permission of Withum is prohibited. ©2020 WithumSmith+Brown, PC All rights reserved. Nonprofit Destruction • Complacency • False Sense of Security | Rubber Stamping Environment • Check the Box Security | No Validation of Controls • Not us…yes you! • No Strategy / Plan • Lack of Independent Security Audits • Lack of Accountability • Fix‐on‐Failure
- 35. This presentation is protected by U.S. copyright laws. Reproduction and/or distribution of the presentation without written permission of Withum is prohibited. ©2020 WithumSmith+Brown, PC All rights reserved. Dawn of Kinetic Cyber A cyber kinetic attack is a direct or indirect assault causing damage, injury or death through the exploitation of vulnerable information systems and processes.
- 41. Protect Your Nonprofit (Assessments) This presentation is protected by U.S. copyright laws. Reproduction and/or distribution of the presentation without written permission of Withum is prohibited. ©2020 WithumSmith+Brown, PC All rights reserved. Threat Emulation Security Assessment vCISO / vCCO Analysis of Sec. Control Framework Business Continuity & Backup Assurance Incident Response Exercises ‘Trust; but Verify’
- 42. Security Measures for Nonprofits Secure workstations • Lock our systems (Ctrl‐Alt‐Delete) • Shut down systems not in use • Run up‐to‐date virus scanning software • Password protect files • Apply software patches • Run a desktop firewall Backup Data • Test backups • Securely store backup media (offsite) • Restrict access to who can perform restoration Control Access to Data • Only allow access that is absolutely required • Don’t grant accounts because access “may” be required • Use least privilege access policies that state access will only be granted if required, not by default • Are accounts removed and passwords changed when someone changes jobs or is terminated? Physical Security • Control access to sensitive areas • Install cable locks • Limited the amount of people who has access? • Are sensitive documents secured? Incident Response • Do you Have a plan? • When was it last reviewed and updated? • Who gets alerts when something is wrong? • Who contains/remediates it? Perform Audits • Evaluate internal/external controls • Use third party for non‐bias reporting • Conduct regular penetration testing/scanning This presentation is protected by U.S. copyright laws. Reproduction and/or distribution of the presentation without written permission of Withum is prohibited. ©2020 WithumSmith+Brown, PC All rights reserved.
- 43. Security Measures for Nonprofits (Cont’d) Teleconferencing • Create Virtual Waiting Rooms • Use unique meeting ID’s and Passwords • Lock down your meeting (If Applicable) Remote Work • Use VPN (Virtual Private Networks) • Use 2FA / MFA Others • In‐House CFI / Security • Understand your Cyber Security Policy, e.g. what is REALLY covering and under what terms and conditions • Cloud: Use the right licensing to protect your staff and your customers data, e.g. M5 vs O5 (Microsoft Example) • Data Loss Prevention • FIM Solution • Threat & Intel
- 45. How to Protect your Nonprofits Assess the Risks and Formulate a Plan • Perform an objective analysis of your information, systems and processes. Your IT team is probably qualified, but a third party with experience in cybersecurity is recommended to avoid any bias. • Look for weak spots in your network and data security. Make evaluations and scans a regular part of your internal audit processes. Conduct regular external assessments and scans to identify vulnerabilities. Avoid Human Error • Cyber risks are not just a problem with technology. It all comes down to protecting information, and anyone with access to that information (staff, contractors, vendors, and even customers) must be responsible and accountable. • Establish a culture of cybersecurity awareness. All staff should regularly be made aware of the most current threats and attacks being used by criminals. • Provide mechanisms to enable remote workforces to perform their functions securely, while limiting the organization’s risk exposure due to human error. This presentation is protected by U.S. copyright laws. Reproduction and/or distribution of the presentation without written permission of Withum is prohibited. ©2020 WithumSmith+Brown, PC All rights reserved.
- 46. How to Protect the Nonprofits (Cont.) Be Prepared for the Worst • It is important to plan your response in the event you are hit with an attack. A comprehensive and documented Incident Management Plan is designed to guide the organization through a suspected security incident. • Roles and responsibilities should be defined, such as who will carry out key tasks like forensic investigation and legal response. Most states have requirements for reporting data security breaches. It is important that your team know who is responsible for understanding the breach reporting requirements and reporting to the applicable state(s) in a timely basis to avoid potential fines and penalties. Commonly Overlooked Risks • Even with the best of planning, there are still risks that are often overlooked. Problems can arise from disparate IT systems, poorly configured personal devices used on the corporate network, and when services are integrated with third party vendors. • Hackers will find and exploit your systems weakest link, whatever it may be. It is important to know where all of these weak links are and work toward securing them. This presentation is protected by U.S. copyright laws. Reproduction and/or distribution of the presentation without written permission of Withum is prohibited. ©2020 WithumSmith+Brown, PC All rights reserved.
- 49. Questions?