BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part
of the international BDO network of independent member firms.
TRAINING AND AWARENESS: TIPS AND TRICKS FOR GETTING THE MESSAGE TO STICK
Deena Coffman
Jessica Geller
Rebecca Shore-Suslowitz
ACC NATIONAL CAPITAL REGION
2017 DATA PRIVACY AND SECURITY CONFERENCE
The handouts for this presentation were prepared and used to accompany a panel discussion given on September 13, 2017. Neither the information contained herein nor the accompanying comments of the presenters should be construed as the provision of legal advice. Views expressed are those of the specific presenter. They do not necessarily reflect the views of BDO, Blackboard or Under Armour respectively.
Evolving role of a privacy officer – Privacy program advocate
• General Data Protection Regulation (GDPR)
• Privacy Shield
• Federal Trade Commission (FTC) expectations and European Data Protection Authorities (DPAs)
• Health Insurance Portability and Accountability Act (HIPAA)
• NY State Department of Financial Services (NYDFS)
• Family Educational Rights and Privacy Act (FERPA) and state-specific student data privacy laws
• Payment Card Industry (PCI) standards
Using what’s at your fingertips
Awareness is key to program success.
Leverage existing resources to spread the word.
Prioritizing privacy within the organization
1. Risk assessment
Understanding where privacy sits within your risk profile: Who, What, How, Where, When, and Why?
2. Ongoing awareness and interaction
Designing a program that encourages privacy-by-design and by-default. Talking to stakeholders. Incorporating privacy into project planning, change control and product design.
3. Training/Execution
Role based training, delivered throughout the year (point-in-time). Creating a culture of security and privacy.
Risks and your environments are dynamic
Regularly assess: risk assessment results drive training content. Train on what is relevant to your environment and emphasize the greatest risks for the best ROI.
• Training specific to risk areas and roles
• Awareness activities to stay top of mind
• Regularly align awareness and training with the exposures identified in the assessment
• Documentation to support client audits or compliance
The cycle: Information gathering → Analysis → Develop strategy, plan and content → Deliver and document → Refresh!
Techniques and best practices
• Non-traditional communication methods: social media, videos, cartoons
• Conducting a Consent Summit
• Regular touchpoints with business units
• A “Privacy” inbox
• “MBWA” (management by walking around)
• Gamification
• Repurposing materials: consulting firm and outside counsel materials and newsletters, IAPP materials, ICO materials, ACC materials
Techniques and best practices - Obtaining budget

2015

January, 2015, Xoom, $30 million (US)
In January of 2015, Xoom Corp., an international money transfer company acquired by PayPal later in 2015, reported that it had suffered a $30.8 million loss in the fourth quarter of 2014 after employee-impersonation emails induced fraudulent transfers. Stock for the low cost payments company, which competes with Western Union, dipped 14%, or $31 million, after the loss was announced, but later recovered. The CFO resigned.

February, 2015, Scoular, $17.2 million (US)
Scoular Co., an Omaha based commodities trader (and one of the top privately held companies in the U.S.), lost $17.2 million in a spear phishing wire fraud scam. Sidenote: The Financial Times provides an in-depth version of the Scoular attack that can be found here.

August, 2015, Ubiquiti Networks, $46.7 million (US)
Months later, in August, Ubiquiti Networks, a San Jose based networking technology company, fell victim to a $46.7 million attack, wiring this sum to a Hong Kong bank account controlled by the attackers.

2016

January, 2016, FACC, $54 million (Austria)
Fraudsters topped all previous records, making off with $54 million from FACC, an Austrian aerospace parts manufacturer that designs and supplies parts to Airbus and Boeing.

February, 2016, Crelan Bank, $76 million (Belgium)
The record for the largest loss from a targeted spear phishing wire fraud attack was broken when Crelan Bank in Belgium reported it lost $76 million.
Techniques and best practices
Making the cybersecurity team an extension of your own phishing exercises
Demonstrating awareness program effectiveness
Techniques and best practices
Tabletop exercises
Cross-functional privacy meetings
Pop-up messages when risky activities are performed
Email header alerting that a message is from an external sender
Self-promotion
Make it fun!
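The “external sender” alert above is a gateway control, and it is worth seeing exactly what the gateway has to decide. The following is an added example, not code from the presentation: a Python script that parses a raw message and prepends a subject tag and body banner when the From or Reply-To domain is outside the company. The mail domain ddg.example (borrowed from the fictional DDG case study later in this deck) and both sample messages are constructed; a real deployment does this in the mail gateway or an Exchange transport rule, after SPF/DKIM/DMARC verification, which this example does not perform.

```python
"""Tag mail from outside the organization with a subject prefix and body banner.

Added example, not from the presentation. ``ddg.example`` (the fictional DDG
company's mail domain) and both sample messages are constructed here.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAINS = {"ddg.example"}   # assumption: domains the company sends mail from
SUBJECT_TAG = "[EXTERNAL] "
BODY_BANNER = (
    "CAUTION: This email came from outside the organization.\n"
    "Do not click links or open attachments unless you recognize the sender\n"
    "and were expecting the message.\n\n"
)


def _domain(header_value) -> str:
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def external_reasons(msg: EmailMessage) -> list:
    """Return why a message is treated as external; an empty list means internal.

    Header-only checks. An internal-looking From address is only trustworthy
    once the gateway has verified SPF/DKIM/DMARC, which is outside this example.
    """
    reasons = []
    display_name, _ = parseaddr(msg.get("From") or "")
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))
    if from_domain not in INTERNAL_DOMAINS:
        reasons.append(f"From domain '{from_domain or '(none)'}' is not internal")
        # Display-name spoofing: an internal address shown as the "name" of an
        # external mailbox, e.g. "ceo@ddg.example" <attacker@evil.example>.
        if any(d in display_name.lower() for d in INTERNAL_DOMAINS):
            reasons.append("display name impersonates an internal address")
    if reply_domain and reply_domain not in INTERNAL_DOMAINS:
        # Typical of wire-fraud lures: replies are silently routed elsewhere.
        reasons.append(f"Reply-To domain '{reply_domain}' is not internal")
    return reasons


def tag_external(raw: bytes):
    """Parse a raw message and prepend the tag and banner if it is external.

    Returns (message, reasons). Re-scanning an already tagged message does not
    add a second tag or banner.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = external_reasons(msg)
    if not reasons:
        return msg, reasons
    subject = str(msg.get("Subject") or "")
    if not subject.startswith(SUBJECT_TAG):
        del msg["Subject"]
        msg["Subject"] = SUBJECT_TAG + subject
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text = body.get_content()
        if not text.startswith(BODY_BANNER):
            body.set_content(BODY_BANNER + text)
    return msg, reasons


# Constructed sample messages (not real traffic). The first uses a look-alike
# domain, the pattern behind the wire-fraud losses described above.
EXTERNAL_SAMPLE = b"""\
From: "Jane Doe (CEO)" <jane.doe@ddg-payments.example>
Reply-To: jane.doe@ddg-payments.example
To: accounts.payable@ddg.example
Subject: Urgent: updated wire instructions

Please process the attached vendor bank change today and confirm by reply.
"""

INTERNAL_SAMPLE = b"""\
From: Privacy Team <privacy@ddg.example>
To: all-staff@ddg.example
Subject: The #privacy channel is live

Check out this article. Reach out if you have any questions.
"""

if __name__ == "__main__":
    for raw in (EXTERNAL_SAMPLE, INTERNAL_SAMPLE):
        message, why = tag_external(raw)
        print(message["Subject"], "|", "; ".join(why) or "internal")
```

The script is deliberately conservative: it never removes a tag, and it checks Reply-To even when From looks internal, because a look-alike domain or a spoofed display name is exactly what the wire-fraud cases above relied on. Whatever rule you deploy, test it with a message like EXTERNAL_SAMPLE before announcing the banner to staff, since a banner that appears inconsistently trains people to ignore it.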
For the audio learner
• Live presentations or webinars
• Security awareness e-learning modules (computer-based training), e.g., SANS, OnGuard
For the visual learner
• Short, targeted computer tutorials placed at the “point in time”
• Intranet information page that details elements of the security program, with links to:
  • Policies
  • Training materials
  • Archived copies of newsletters
• Live CLE-approved security awareness training
• Leverage existing resources, e.g., ICO Resources - https://ico.org.uk/
Effective techniques: short messages, delivered in a timely manner, are more effective than 60 minutes of annual training.
For the kinesthetic learner
Anti-phishing: simulate today’s sophisticated fraudulent messages, designed to:
• Entice users to click
• Entice users to reveal passwords
Tabletop exercises: engaging, interactive sessions where participants discuss common threats.
For the fierce competitor (not that we have any of these personalities…)
Brief the user community on how well they did in attendance, compliance, and so forth.
Quasi-gamification
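Both the anti-phishing simulation above and the idea of briefing the user community on how well it did depend on turning simulator events into a few honest numbers. The following is an added example, not material from the presentation: a Python script that takes a constructed campaign export (four fictional DDG staff, two campaigns) and produces the per-department click, credential-submission and report rates, the campaign-over-campaign trend, and the list of repeat clickers that should drive role-based follow-up training. The CSV layout, the campaign names and the staff are assumptions; real simulators export comparable rows.

```python
"""Turn phishing-simulation events into the numbers a management report needs.

Added example, not from the presentation. The campaign log below is constructed
(four fictional DDG staff, two campaigns); a real simulator exports similar rows.
"""
import csv
import io
from collections import defaultdict

EVENTS = ("sent", "opened", "clicked", "submitted", "reported")

# Constructed sample export: one row per user action per campaign.
# Alice clicked twice in the first campaign; she is still counted once.
CAMPAIGN_LOG = """\
campaign,event,user,department
2017-06-invoice,sent,alice,finance
2017-06-invoice,sent,bob,finance
2017-06-invoice,sent,carol,engineering
2017-06-invoice,sent,dave,hr
2017-06-invoice,opened,alice,finance
2017-06-invoice,clicked,alice,finance
2017-06-invoice,clicked,alice,finance
2017-06-invoice,submitted,alice,finance
2017-06-invoice,clicked,bob,finance
2017-06-invoice,reported,carol,engineering
2017-06-invoice,reported,dave,hr
2017-09-password-reset,sent,alice,finance
2017-09-password-reset,sent,bob,finance
2017-09-password-reset,sent,carol,engineering
2017-09-password-reset,sent,dave,hr
2017-09-password-reset,clicked,alice,finance
2017-09-password-reset,reported,bob,finance
2017-09-password-reset,reported,carol,engineering
2017-09-password-reset,clicked,dave,hr
2017-09-password-reset,reported,dave,hr
"""


def parse_log(text):
    """Parse the CSV export, rejecting unknown event names early."""
    rows = list(csv.DictReader(io.StringIO(text)))
    bad = {r["event"] for r in rows} - set(EVENTS)
    if bad:
        raise ValueError(f"unknown events in log: {sorted(bad)}")
    return rows


def _rate(part, whole):
    return round(part / whole, 3) if whole else 0.0


def campaign_metrics(rows):
    """Distinct-user counts and rates per campaign and department, plus an 'all' roll-up."""
    users = defaultdict(lambda: defaultdict(set))   # (campaign, dept) -> event -> users
    for r in rows:
        for key in ((r["campaign"], r["department"]), (r["campaign"], "all")):
            users[key][r["event"]].add(r["user"])
    report = {}
    for (campaign, dept), by_event in users.items():
        counts = {e: len(by_event[e]) for e in EVENTS}
        sent = counts["sent"]
        counts["click_rate"] = _rate(counts["clicked"], sent)
        counts["submit_rate"] = _rate(counts["submitted"], sent)
        counts["report_rate"] = _rate(counts["reported"], sent)   # the behaviour to grow
        report.setdefault(campaign, {})[dept] = counts
    return report


def repeat_clickers(rows, min_campaigns=2):
    """Users who clicked in at least min_campaigns campaigns: the role-based follow-up list."""
    clicks = defaultdict(set)
    for r in rows:
        if r["event"] == "clicked":
            clicks[r["user"]].add(r["campaign"])
    return {u for u, camps in clicks.items() if len(camps) >= min_campaigns}


def trend(rows):
    """(campaign, click_rate, report_rate) in campaign order; ids sort chronologically."""
    metrics = campaign_metrics(rows)
    return [(c, metrics[c]["all"]["click_rate"], metrics[c]["all"]["report_rate"])
            for c in sorted(metrics)]


def format_report(rows):
    """Plain-text summary for the monthly meeting with the head of cybersecurity."""
    metrics = campaign_metrics(rows)
    lines = []
    for campaign, click_rate, report_rate in trend(rows):
        lines.append(f"{campaign}: clicked {click_rate:.0%}, reported {report_rate:.0%}")
        for dept, c in sorted(metrics[campaign].items()):
            if dept != "all":
                lines.append(f"  {dept:<12} sent {c['sent']:>2}  clicked {c['clicked']:>2}  "
                             f"submitted {c['submitted']:>2}  reported {c['reported']:>2}")
    lines.append("repeat clickers: " + (", ".join(sorted(repeat_clickers(rows))) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(parse_log(CAMPAIGN_LOG)))
```

Report rate is the number to celebrate when briefing users: click rate alone rewards silence, and the person who clicks and then reports has done the right thing. The named repeat-clicker list is a training input for the security and privacy teams, not something to publish; the management report aggregates by department for exactly that reason.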
Congrats, you’re all Digital Denim Global (DDG) employees

COMPANY OVERVIEW
DDG is the world’s leader in digital denim production. The company’s success is due in large part to its newest release – Smarty Pants – which not only comes in several washes and cuts to suit every fashionista, but also integrates GPS capabilities so you never get lost, tracks how many steps you have taken, and sends an alert to your phone suggesting you stop eating if the waistband sensor is engaged.
The company is headquartered in and operates from the United States, but through its e-commerce site, has a global presence, including a large customer base in the European Union.

Table topic
You have limited resources and want to highlight your program between now and January 1, 2018. Members of your table make up the DDG privacy council (GC, CIO, CISO, CPO, and HR Lead). Outline the one thing you’d do to promote privacy at DDG.

Assumptions
You’re a digital company and have some social networking services available, although adoption has not taken off across the company. Your CISO is new to the company and doesn’t have additional budget to allocate to your efforts.
Outside the privacy awareness box
What did you decide to do, and why?
Takeaways – Short term
1. Be pro-active – use internal company communications channels to sell the privacy story. Go back tomorrow and set up a #privacy channel – check out ACC or IAPP and post a link to one article that your organization might be interested in. A sample post: “Check out this article. This is something the privacy team is keeping an eye on and will let you know if/how it impacts us in the future. Reach out if you have any questions.”
2. Create a privacy mailbox.
3. Set up a recurring meeting with your head of cybersecurity (at least monthly).
4. Ask for the summary of your company’s Risk Assessment and Data Map to start focusing your awareness and training efforts on the company’s key risk areas.
5. Talk to HR about onboarding and role transition training – open up communications about adding privacy in.
6. Ask the cybersecurity team for an update on your company’s phishing training and the related management report.
Takeaways – Long term
1. Future-proof your policies and notices.
2. Set up your first annual privacy summit.
3. Update annual cybersecurity training to include privacy.
4. Find opportunities to work with your colleagues in areas throughout the information lifecycle – consider establishing an information governance committee.
5. Work with cybersecurity to establish a phishing awareness and training program.
Deena Coffman, BDO, Managing Director
EXPERIENCE SUMMARY
Deena Coffman is a Managing Director in BDO Consulting’s Technology Advisory Services practice, leading data privacy and protection, with more than 20 years of experience serving in technology, risk and compliance executive management roles.
Previously a COO of a global risk management firm, Deena established its data analytics practice and led cybersecurity and information
assurance teams, providing computer forensics, incident response, data analytics, data privacy and compliance services. She also led
the global discovery program for a major pharmaceutical company, where she worked closely with international counsel and local data
protection authorities (DPAs) to comply with EU and APAC data privacy requirements when moving evidence across international
borders.
While at a Big Four accounting firm, Deena served as a secondee to a global financial institution leading its e-discovery program,
managing evidence on global and domestic matters in coordination with international counsel and local DPAs to comply with data
privacy directives in Asia and the EU.
Prior to joining BDO, Deena was CEO of a boutique consulting firm providing information security and data privacy services, and CISO
for the parent company of an international supplier of insurance products related to cyber liability and data breach coverage.
PROFESSIONAL TRAINING AND AFFILIATIONS
GIAC Security Essentials Certification (GSEC)
International Association of Privacy Professionals (CIPP/US, CIPP/E, CIPM, FIP)
Microsoft Certified Systems Engineer (MCSE)
Microsoft Certified Professional + Internet (MCP+Internet)
EDUCATION
M.B.A., Cornell University
B.A., University of Illinois
Contact Information: [email protected]
Jessica Geller, Blackboard Inc., Global Privacy and Commercial Transactions Counsel
EXPERIENCE SUMMARY
• Jessica Geller serves as lead counsel for U.S. federal and state student data privacy, breach notification, and data
security regulations. Jessica works closely with the company's Data Privacy Officer to develop and implement a global
privacy program and GDPR compliance.
• Jessica also advises business and technology stakeholders on creation and implementation of policies for data
collection/processing and product development to meet global data privacy regulations.
• Prior to joining Blackboard, Jessica worked for the Discovery Channel and supported its subsidiary company, Discovery
Education with student data privacy and data security related matters.
PROFESSIONAL CERTIFICATIONS
• International Association of Privacy Professionals (CIPP/US)
EDUCATION
• J.D., University of Denver
• B.A., University of Colorado - Boulder
Contact Information: [email protected]
Rebecca Shore-Suslowitz, Under Armour, Associate Counsel, Senior Manager – Global Privacy
Rebecca Shore is a global privacy specialist and strategic planner focused on data privacy, policy development, and strategic and operational privacy planning. Most recently she has concentrated on the evaluation of digital mobile privacy issues, and on the development and implementation of solutions that meet global requirements.
In 2014, Rebecca established Under Armour’s formal privacy program. In this role, Rebecca
supports Under Armour Connected Fitness (i.e., MyFitnessPal, MapMyFitness, Endomondo,
UA Record, etc.), eCommerce (North America and International), Retail, Human Resources,
Marketing, Legal, and Information Technology at Under Armour.
Prior to joining Under Armour, Rebecca worked for ai solutions as a Senior Security Analyst
providing cybersecurity and privacy support to the National Aeronautics and Space
Administration (NASA) Office of the Chief Information Officer, Information Technology
Security Division.
PROFESSIONAL CERTIFICATIONS
• International Association of Privacy Professionals (CIPP/G)
EDUCATION
• J.D., University of Maryland School of Law
• B.A., University of Delaware
Contact Information: [email protected]
This photo was taken while hiking in Iceland
and decked out in Under Armour gear.
Rebecca used this image in an internal privacy
message focused on navigating across privacy
waters.