Cyber Security Nevada Businesses Overview June, 2014

Carolyn Schrader CEO, Cyber Security Group, Inc. Fellow, National Cybersecurity Institute Excelsior College, Washington DC Carolyn Schrader CEO, Cyber Security Group, Inc. Fellow, National Cybersecurity Institute Excelsior College, Washington DC 6/1/2014 2

Agenda  Threats to Small and Midsize Businesses  Impact to Nevadans  Hacking - What and Why  Cost of Recovery  UNR Cyber Security Center  Other States’ Actions  Action Steps  Threats to Small and Midsize Businesses  Impact to Nevadans  Hacking - What and Why  Cost of Recovery  UNR Cyber Security Center  Other States’ Actions  Action Steps 6/1/2014 3

Threats to Small and Midsize Businesses  All Fortune 500 companies were hacked  Over 50% of small businesses were hacked  Cyber criminals do not discriminate – any company, government agency, entity is a target  All Fortune 500 companies were hacked  Over 50% of small businesses were hacked  Cyber criminals do not discriminate – any company, government agency, entity is a target 2013 Cyber Crime: 6/1/2014 4

Threats Continued  Cyber crime is a borderless crime  Leading countries for cyber criminals Russia China Romania France  Cyber crime is a borderless crime  Leading countries for cyber criminals Russia China Romania France 6/1/2014 5

Threats Continued  Target data breach: 40 million customers midsized business major corporation  Target data breach: 40 million customers midsized business major corporation 6/1/2014 6

Threats Continued 2014 Cyber Threats: 1.Sophisticated malware 2.Impact of Internet of Things 3.Expansion of Bring Your Own Device 4.Expansion of black market for stolen data 5.Increased website hijacking 2014 Cyber Threats: 1.Sophisticated malware 2.Impact of Internet of Things 3.Expansion of Bring Your Own Device 4.Expansion of black market for stolen data 5.Increased website hijacking 6/1/2014 7

Threats Continued 1.Sophisticated Malware  Targeted audiences  Secretive attacks  Use of a business’ network to distribute malware 1.Sophisticated Malware  Targeted audiences  Secretive attacks  Use of a business’ network to distribute malware 6/1/2014 8

Threats Continued  2013 Over 220,00 new malware programs identified daily New malware = 80 mil Total malware = 180 mil  2014 New malware Q1 = 15 mil  2013 Over 220,00 new malware programs identified daily New malware = 80 mil Total malware = 180 mil  2014 New malware Q1 = 15 mil 6/1/2014 9

Threats Continued 2.Impact of Internet of Things  Things can be full building system controls or baby monitors  Increased number of entry points creates more RISK  Things have little security but connect to smart devices 2.Impact of Internet of Things  Things can be full building system controls or baby monitors  Increased number of entry points creates more RISK  Things have little security but connect to smart devices 6/1/

Threats Continued 3.Bring Your Own Device  Less control of data  Personal data comingled with company data  Security measures seldom used  Easily lost or stolen Stolen smartphones largest street crime in many cities 3.Bring Your Own Device  Less control of data  Personal data comingled with company data  Security measures seldom used  Easily lost or stolen Stolen smartphones largest street crime in many cities 6/1/

Threats Continued 4.Expanded black market  BIG money from illegal hacking  Sophisticated organizations  Creative marketing 4.Expanded black market  BIG money from illegal hacking  Sophisticated organizations  Creative marketing 6/1/

Threats Continued 5.Increased Website Malware  Reputable website taken over by malware to distribute to visitors  Business interruption  Rapid spread of malware to unsuspecting visitors 5.Increased Website Malware  Reputable website taken over by malware to distribute to visitors  Business interruption  Rapid spread of malware to unsuspecting visitors 6/1/

Hacking What and Why Identifying the hacker’s motivations and potential targets provides intelligence as to what will be attacked, and the potential impact. This knowledge is critical in the understanding of hacker intentions, and in establishing a preparedness and security strategy. Identifying the hacker’s motivations and potential targets provides intelligence as to what will be attacked, and the potential impact. This knowledge is critical in the understanding of hacker intentions, and in establishing a preparedness and security strategy. 6/1/

What & Why Continued  Data  Passwords  Trade secrets  Intellectual property  Client lists  Financial projections  Blueprints  Sales territories and goals  Bank account information  Patient information  Research  Data  Passwords  Trade secrets  Intellectual property  Client lists  Financial projections  Blueprints  Sales territories and goals  Bank account information  Patient information  Research 6/1/

What & Why Continued  To sell the information to a competitor  To pirate a product  To get a company’s clients  Access route into larger company or organization  To sell the information to a competitor  To pirate a product  To get a company’s clients  Access route into larger company or organization 6/1/

Impact to Nevadans  Stolen personal information  Economic impact  60% of small businesses go out of business after a major attack  Detraction for new businesses moving in if cyber crime is not addressed  Savvy businesses want cyber security expertise, prosecution success, cyber secure suppliers  Cost of criminal prosecution  Stolen personal information  Economic impact  60% of small businesses go out of business after a major attack  Detraction for new businesses moving in if cyber crime is not addressed  Savvy businesses want cyber security expertise, prosecution success, cyber secure suppliers  Cost of criminal prosecution 6/1/

Cost of Recovery $200 - $246 per stolen record 10,000 records = $2,000,000 - $2,460,000 $200 - $246 per stolen record 10,000 records = $2,000,000 - $2,460,000 6/1/

Recovery Cost Continued What a Business Must Pay:  Legal representation Incident recovery counsel Customer lawsuits Government lawsuits  Customer notifications Most states have notification laws  Ongoing credit monitoring service for customers  Fix the initial problem  Assessment of other security flaws What a Business Must Pay:  Legal representation Incident recovery counsel Customer lawsuits Government lawsuits  Customer notifications Most states have notification laws  Ongoing credit monitoring service for customers  Fix the initial problem  Assessment of other security flaws 6/1/

UNR Cyber Security Center A collaborative initiative with the purpose of bringing together experts from different fields to jointly address the cyber security challenge.  Computer Science and Engineering  Information Systems  Political Science  Sociology/Psychology  Journalism  Criminal Justice  Military Science A collaborative initiative with the purpose of bringing together experts from different fields to jointly address the cyber security challenge.  Computer Science and Engineering  Information Systems  Political Science  Sociology/Psychology  Journalism  Criminal Justice  Military Science - Information courtesy of UNR Cyber Security Center 6/1/

UNR – CSC Continued Mission of CSC Perform cutting-edge interdisciplinary research. Foster cyber security education in interdisciplinary settings. Support workforce development in order to produce high- value employees for both government and industry. Mission of CSC Perform cutting-edge interdisciplinary research. Foster cyber security education in interdisciplinary settings. Support workforce development in order to produce high- value employees for both government and industry. - Information courtesy of UNR Cyber Security Center 6/1/

Other States’ Actions  California  Small business website resource:  A few AG offices offer tips and links on website  Limited visible effort in addressing the severity and frequency of the crimes  California  Small business website resource:  A few AG offices offer tips and links on website  Limited visible effort in addressing the severity and frequency of the crimes 6/1/

Action Steps 1.Aggressively support local district attorneys in their prosecution of illegal hacking 2.Initiate a statewide program to assist local law enforcement in conducting cybercrime investigations 1.Aggressively support local district attorneys in their prosecution of illegal hacking 2.Initiate a statewide program to assist local law enforcement in conducting cybercrime investigations 6/1/

Action Steps Continued 3.Initiate an annual cybersecurity conference to facilitate networking among law enforcement and cybersecurity professionals 4.Sponsor an awareness program for businesses to help them understand the impacts of cyber attacks and how to reduce the risk of attacks 3.Initiate an annual cybersecurity conference to facilitate networking among law enforcement and cybersecurity professionals 4.Sponsor an awareness program for businesses to help them understand the impacts of cyber attacks and how to reduce the risk of attacks 6/1/

Action Steps Continued 5.Advocate for cyber security requirements in businesses and support incentives for businesses to adopt cyber security measures 6/1/

Cyber Security Group, Inc. Carolyn Schrader cyber-securitygroup.com Carolyn Schrader cyber-securitygroup.com 6/1/