
Overview of Event:

On October 13, 2017, Belecki Inc. underwent a data breach along with an attempt at social engineering.
A half-day conference was held at the Troy Marriott Hotel on November 10, 2017, to address the situation
as well as lecture fellow employees on information technology. This report is a summary of the topics
covered at the conference.

8:00 a.m. Speaker #1

Chief Information Officer (CIO) Richard Belecki began the morning by describing the data breach along
with actions the company must take to mitigate the risk. A data breach is the intentional or
unintentional release of secure information to an untrusted environment. (Wikipedia.org)

Mr. Belecki began by polling the audience with a show of hands to see how many people knew what a
data breach was, then asked who knew how to prevent one from happening. Everyone's hands
lowered. "We have evidence to believe that sensitive information has gotten into the hands of a foreign
competitor," stated Mr. Belecki. He promptly assured his audience that no one's personal information
was compromised; however, if it was, it is required by state law that individuals be notified of security
breaches involving personally identifiable information. (NCSL.org) Belecki Inc. is taking the necessary
precautions if just by chance this occurred. The data breach occurred at an offsite location. Passwords
were stolen from the Belecki Inc. purchasing database along with budgetary information sent via email.
Mr. Belecki already had his purchasing team change their passwords by the time of the conference, but
wanted to ensure the necessary steps were taken to prevent any event such as this from happening
again. He reminded those working offsite at unsecured locations to be mindful of the files they're
emailing. The overall takeaway was that the data compromised should not negatively impact any of the
company's customers or suppliers. Mr. Belecki's opinion on the matter was to be as transparent as
possible with the stakeholders as more details develop.

9:00 a.m. Speaker #2

Kelly Ehde, Director of Risk Management at Hoffmeister Securities, lectured on a new and seemingly easy
way of stealing data through social engineering. Social engineering is an attack that relies heavily on
human interaction and often involves tricking people into breaking normal security procedures.
(searchsecurity.techtarget.com) "Luckily your company's information management policy does not
permit the departments with the most sensitive data to work offsite; however, this doesn't stop social
engineering from attempting phishing scams." She noted there are five common ways these attacks
come. (searchsecurity.techtarget.com)

1. Baiting: when an attacker leaves a device out in the open with the hopes that you will find it and
attach it to one of your own devices, thus installing the malware.
2. Phishing: when a 3rd party sends a fake email to trick the receiver into sharing personal
information or clicking on a link that installs malware.
3. Pretexting: when one individual lies to another in person, over the phone, or by email to gain
access to their personal data.
4. Scareware: when the attacker makes false claims about the health or safety of your device and
tricks you into downloading their "fix it" software which is actually the malware.

Last month an employee from payroll reported several suspicious emails requesting personal
information to IT. Ehde applauded the employee for doing the right thing and went on to discuss the
kinds of preventative measures Belecki Inc. can take to avoid future social engineering attempts. She
mentioned having a policy in place to escort visitors when they're in the building. "If these visitors are
taking a tour of the facility, it will be in your best interest to notify employees so they can clear any
confidential papers off their desks," warned Ehde. This goes along with other data policies such as
shredding documents when no longer needed, having a safe way to report suspicious email or activity,
and the use of two-factor authentication. Two-factor authentication is a tool used by many firms as an
added layer of security when accessing sensitive information. Two-factor authentication requires not
only a password and username, but some additional detail about the user. (securenvoy.com) This can
make it more difficult for phishing scams to access the information they need. "Taking it a step further,
we can require an additional verification code to be entered if there is an unrecognizable computer
attempting to log in. An email with the code will be sent to the email account on file of the
administrator," stated Ehde.

10:00 a.m. Speaker #3

Chief Security Officer, Eden Konja, provided an insightful overview on physical network security best
practices. Physical security is the protection of personnel, hardware, software, networks, and data from
physical actions and events that could cause serious loss or damage to their owner
(searchsecurity.techtarget.com).

Common events such as fire, flood, and theft are generally overlooked due to the high importance of
shielding off hackers, but physical damage can occur without any tech mastermind behind it. "Brute force
is all it takes to potentially destroy a business," stated Konja. Apparently Belecki Inc. has upgraded the
security around its server and hardware room since the recent move into the new building. Walk
through the IT department and you'll come across various access points requiring special ID cards. Look
closer and you'll see security cameras and motion and heat detection sensors that are tested regularly,
according to Konja. "Moving into a new office gave us a fresh start on how we view physical security. We
were going to do it once and do it right." He went on to say that his system is not perfect. He feels he
needs to get tougher on enforcing building entry policies as some employees may let each other in if
another forgets their badge.

It's tough to predict the next natural disaster, but as a safeguard, Belecki Inc. has been backing up its
most vital data at an undisclosed location in Colorado since the northeast blackout of 2003. "The
blackout really was an awakener as to how important our data is to us. As a young company, we really
didn't have any business continuity plan back then," remarked Konja. If a tornado destroyed their
building today, Belecki Inc. would still be able to serve their customers tomorrow. "The only downfall
would be the loss of access to real time data and the fact that I have to justify its cost every budget
cycle," laughed Konja as he exited the stage.

11:00 a.m. Speaker #4

VP of Information Technology at Visa, James Abraham, spoke on a relatively new concept to most, The
Internet of Things. The Internet of Things is a network of sensors attached to objects or machines
designed to be able to communicate with each other without requiring human to human, or human to
computer interaction.

Abraham was very optimistic about the future potential of this concept. The central idea relies on
gathering as much information as we can with these sensors, sharing it on cloud computing networks,
and then leveraging that knowledge by having machines communicate and perform tasks. "Just as we
created the smartphone, we'll begin to see more products and structures become smart as they
communicate instantaneously," stated Abraham. He believed we'll be able to prevent certain disasters
before they even happen. For instance, new bridges will be built with sensors that monitor their own
structural integrity more efficiently than a human could. That very same bridge may have additional
sensors placed on it to detect ice and notify those driving over it of the conditions. It doesn't stop there.
Very soon we'll see autonomous vehicles on the road that will interact with streetlights and other
smart structures. The implications seem endless. Soon we'll have smart cities and then what?

"The future is bright in this industry," says Abraham. He may be accurate in his prediction. McKinsey
Global Institute estimates that the impact of the Internet of Things on the global economy may be as
high as $6.2 trillion by 2025 (mckinsey.com). Semiconductor companies will be the key player of this
evolution. Industry growth will rely mainly on innovations from the semiconductors. Highly integrated
microchip designs requiring low power functions are necessary for most applications. Due to the
specialized demands and small scale (at the moment), Abraham predicts heavy investments in start-up
companies over the next five years. This doesn't mean the giants are out. A 2014 survey of
semiconductor executives found that The Internet of Things will be the most important source of growth
for them over the next several years (mckinsey.com). Abraham believes this just goes to show the true
magnitude of its potential. Small companies will be able to find a niche as well as industry giants
looking for growth. Belecki Inc. CEO Jeff Belecki mentioned that he will be keeping an eye on
investment opportunities after hearing what Mr. Abraham had to say.

11:00 a.m. Speaker #5

Chief Technology Officer, Matt Belecki, closed the conference with some additional optimism on the
industry. He seemed to be really excited about augmented reality (AR). Augmented reality integrates
digital information into the real world through displays in real time (whatis.techtarget.com).

Unlike the other topics so far, AR has been around for some time. Some of the first commercial uses
were with sports on television. Belecki mentioned its use in the NFL as the yellow first down line that
appears on your TV screen. The NHL experimented briefly in the '90s with a tracer on the puck that
actually changed color depending on how fast it was traveling. Even today, the PGA tour uses similar ball
tracing technology to enhance its viewing experience. So why is Mr. Belecki so excited about a
technology that's been around for twenty years? "AR is evolving from its everyday generic uses to more
sophisticated practices," stated Belecki. He elaborated further into military and healthcare applications.
Imagine its implications for a surgeon performing a life-threatening procedure, or in a military
operation, identifying threats before the Marine could. The doctor will quickly be able to view your
medical records, check for certain conditions, monitor your vitals, and it all culminates in a quicker
procedure with less room for error. He seems to be saying that it's going to go beyond the cool factor
in people's smartphones and homes to actually adding a real benefit in our most vital fields.

Wikipedia (2017, November 14)
https://en.wikipedia.org/wiki/Data_breach

National Conference of State Legislatures (2017, April 12) Security Breach Notification Laws
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

Margaret Rouse (2016, February) Social Engineering
http://searchsecurity.techtarget.com/definition/social-engineering

SecurEnvoy (2016) What is 2FA?
https://www.securenvoy.com/two-factor-authentication/what-is-2fa.shtm

Margaret Rouse (2016, September) Physical Security
http://searchsecurity.techtarget.com/definition/physical-security

Margaret Rouse (2016, July) Internet of Things
http://internetofthingsagenda.techtarget.com/definition/Internet-of-Things-IoT

Harold Bauer (2017) The Internet of Things: Sizing up the Opportunity
https://www.mckinsey.com/industries/semiconductors/our-insights/the-internet-of-things-sizing-up-the-opportunity

Margaret Rouse (2016, February) Augmented Reality (AR)
http://whatis.techtarget.com/definition/augmented-reality-AR
