4 Things in Microsoft’s Security Intelligence Report that You Need to Implement!

In 2018, Microsoft’s Security team analyzed more than 6.5 trillion security signals a day to identify security trends. Prevention, detection and response were highlighted, but since an ounce of prevention is worth a pound of cure, these four prevention recommendations should be on your radar.

  1. Security Hygiene

Security hygiene means keeping assets configured and maintained so that they are not easy targets. Running up-to-date software is crucial, especially operating systems, anti-virus software, email clients, and web browsers. Also important: creating a backup program, installing software only from trusted sources, securing privileged administrator accounts, and using a secure email gateway with advanced threat protection capabilities to help guard against phishing attacks.

  2. Access Controls

Access controls regulate who or what can view or use organizational resources, so implement Multi-Factor Authentication (MFA) across the board. Apply least privilege principles, segment your network, and remove local administrator privileges from end-users to limit the damage a compromised account can do. Restrict installation privileges and allow application installs only from trusted sources.

  3. Backups, Backups, Backups!

Critical systems and data must be backed up regularly. Up-to-date, tested, and readily available backups can turn a ransomware attack from a catastrophe into an outage. Follow the 3-2-1 rule for backups: keep 3 copies of your data, on 2 different media types (USB, external hard drive, cloud, etc.), with 1 copy offsite. Make sure at least one of those copies is offline or otherwise write-protected, because ransomware that can reach a backup over the network will encrypt it along with everything else.

  4. Employee Training and Awareness

Employee security awareness and training is one of the most effective cyber risk mitigation techniques you can implement. For example, Microsoft reported that inbound phishing emails increased 250 percent in 2018! Train your employees to recognize phishing emails, especially those that request sensitive information or ask them to click on a link or open an attachment. One easy way to confirm that a request is authentic is to ask your IT team to verify it before proceeding. Additionally, instruct your employees how to report suspicious email requests, so your security team can investigate them. Finally, training your employees on ransomware, data safeguarding, and social engineering techniques can give you and your organization the advantage when it comes to preventing a data breach.

Georgia County Pays $400,000 Ransom

Jackson County, Georgia was recently infected with ransomware that shut down IT systems for over two weeks.

Struggling to recover, local officials paid a $400,000 ransom to access and restore their systems. While the FBI is investigating the attack, a relatively new strain of ransomware called “Ryuk” is likely behind the attack and was probably delivered through a phishing email.

Ransomware can quickly shut down an entire business. The good news is that with preparation you can blunt an attack and recover without paying. Here are some ways to protect your organization.

  1. Install software patches in a timely manner.

Outdated operating systems and software are vulnerable to ransomware attacks.

  2. Perform regular and comprehensive backups.

The 3-2-1 backup strategy is the gold standard and requires at least 3 copies of your data, 2 copies on different media types (USB, external hard drive, cloud, etc.) and 1 copy offsite. Prioritize your information. Ask yourself, what information is most important to the operations of the company? What is the harm if this information was lost? Start with the most important information.

  3. Train your employees to spot phishing emails.

Be careful when clicking on links in emails, even if the sender appears to be known. Avoid opening attachments or Office documents from unknown sources. When in doubt, ask your IT department before responding to any suspicious emails.

Ransomware can be devastating. But its effects can be neutralized if you have up-to-date, intact, and readily available backups. Importantly, test restores should be part of your organization’s incident response plan: restore a sample of systems and data on a schedule, verify that what comes back matches what was backed up, and time the exercise, so that when the real event comes, restoring from backups is almost second nature.
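The 3-2-1 check from the list above and the restore drill just described, as an added example (not code from the original post). The backup inventory, the manifest format, and the sample files are constructed for illustration; the "offline" flag is an assumption added on top of the classic rule to capture the ransomware caveat.

```python
"""Backup hygiene checks: a 3-2-1 coverage check and an integrity-verified
restore drill.  Added example, not code from the original post.  The
inventory, file names and manifest format below are assumptions.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# --- 3-2-1 rule ----------------------------------------------------------
# Each backup copy is described by its media type, whether it is offsite,
# and whether it is offline/immutable (unreachable by ransomware running
# on the network).  The inventory is constructed for this example.
INVENTORY = [
    {"name": "prod-nas", "media": "nas", "offsite": False, "offline": False},
    {"name": "usb-vault", "media": "usb", "offsite": False, "offline": True},
    {"name": "cloud-bucket", "media": "cloud", "offsite": True, "offline": False},
]

def check_321(copies):
    """Return a dict of findings; every value must be True for full coverage."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media_types": len({c["media"] for c in copies}) >= 2,
        "one_offsite": any(c["offsite"] for c in copies),
        # Not part of the classic rule, but the caveat that matters most for
        # ransomware: at least one copy the malware cannot encrypt.
        "one_offline_or_immutable": any(c["offline"] for c in copies),
    }

# --- integrity-verified restore drill -----------------------------------
def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time.
    Returns (ok, problems); problems lists files that are missing or altered."""
    restored = build_manifest(restored_root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"altered: {rel}")
    return (not problems, problems)

def restore_drill():
    """Simulate backup -> restore -> verify on constructed sample data.
    The second restore is deliberately damaged (one file corrupted, one
    missing) to show that the manifest check catches silent failures."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source"); src.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("restore me\n")
        manifest = build_manifest(src)
        # Persist the manifest with the backup, as a real backup job would.
        Path(tmp, "manifest.json").write_text(json.dumps(manifest))

        good = Path(tmp, "restore_good")
        shutil.copytree(src, good)
        bad = Path(tmp, "restore_bad")
        shutil.copytree(src, bad)
        (bad / "ledger.csv").write_text("id,amount\n1,999\n")  # silent corruption
        (bad / "notes.txt").unlink()                            # file lost in restore

        saved = json.loads(Path(tmp, "manifest.json").read_text())
        return verify_restore(saved, good), verify_restore(saved, bad)

if __name__ == "__main__":
    print(check_321(INVENTORY))
    good, bad = restore_drill()
    print("good restore:", good)
    print("bad restore:", bad)
```

The manifest must be stored where the attacker cannot alter it (with the offline copy, or signed), otherwise a tampered backup can ship with a matching manifest.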

Microsoft Annual Security Report: Phishing Attacks Jump 250%

In 2018, Microsoft’s Security team analyzed more than 6.5 trillion security signals a day to identify security trends that expose organizations to significant cyber risks. Here’s what they found!

Phishing is Way Up!

After scanning more than 470 billion email messages sent and received in its Office 365 platform, Microsoft found that the number of phishing emails grew an alarming 250 percent. Making matters worse, the techniques used by scammers are becoming more sophisticated and harder to detect, because scammers are diversifying their phishing attack techniques.

Diverse Attack Methods

According to the report, techniques used by attackers include domain spoofing & impersonation, user impersonation, text lures, credential phishing links, phishing attachments, and links to fake cloud storage locations. These sophisticated techniques make phishing emails appear legitimate, while presenting malicious files and links for a user to access. Continue reading Microsoft Annual Security Report: Phishing Attacks Jump 250%
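Some of the techniques listed above (display-name impersonation, lookalike sender domains, mismatched envelope senders, and links whose visible text hides a different destination) can be checked mechanically, which is what the training sections earlier ask employees to do by eye. The following is an added example, not code from the original post or from Microsoft's report; the company domain, the executive names, and both sample messages are constructed for illustration, and a real mail gateway would combine these heuristics with SPF, DKIM and DMARC results.

```python
"""Heuristic phishing checks over raw RFC 822 messages.  Added example, not
code from the original post.  COMPANY_DOMAIN, EXECUTIVES and the two sample
messages are assumptions constructed for this example.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"          # assumed
EXECUTIVES = {"jane doe", "pat lee"}     # assumed: names attackers would impersonate

# Character substitutions commonly used in lookalike domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]

def normalize(domain):
    """Fold common substitutions so that exarnple.com -> example.com."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_like(domain, target):
    """True for a lookalike of target that is not target itself."""
    if domain == target:
        return False
    return normalize(domain) == target or edit_distance(domain, target) <= 1

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
    def handle_data(self, data):
        if self._href:
            self.links.append((data.strip(), self._href))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def analyze(raw):
    """Return a list of findings for a single-part text/html message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    env_domain = envelope.rpartition("@")[2].lower()

    if name.lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append("display-name impersonation")
    if looks_like(from_domain, COMPANY_DOMAIN):
        findings.append("lookalike sender domain")
    if env_domain and env_domain != from_domain:
        findings.append("envelope/From domain mismatch")

    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for text, href in parser.links:
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        actual = urlparse(href).hostname or ""
        if "." in shown and shown != actual:
            findings.append(f"link text {shown} points to {actual}")
        if looks_like(actual, COMPANY_DOMAIN):
            findings.append(f"lookalike link domain {actual}")
    return findings

# Constructed sample messages (not real mail).
PHISH = """From: Jane Doe <jane.doe@exarnple.com>
Return-Path: <bounce@mailer-xyz.net>
Subject: Urgent: approve wire transfer
Content-Type: text/html

<p>Please sign in at <a href="https://login.exarnple-secure.net/">https://login.example.com/</a></p>
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
Return-Path: <jane.doe@example.com>
Subject: Q3 numbers
Content-Type: text/html

<p>Slides are at <a href="https://docs.example.com/q3">https://docs.example.com/q3</a>.</p>
"""

if __name__ == "__main__":
    print("phish:", analyze(PHISH))
    print("legit:", analyze(LEGIT))
```

These are heuristics, not authentication: a sender who controls a registered lookalike domain can pass SPF and DKIM for that domain, which is exactly why the lookalike and display-name checks are worth running even on mail that authenticates.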

Popular Music Video App Agrees to Record COPPA Settlement

Musical.ly, the popular social media app now known as TikTok, and the FTC recently settled allegations of violations of the Children’s Online Privacy Protection Act (COPPA). The settled amount was $5.7 million, the largest civil penalty the agency has collected for a children’s data privacy case.

The Musical.ly app allows users to make short lip-syncing videos that can be shared on the platform. Over 200 million users have downloaded the Musical.ly app worldwide, according to the FTC, with 65 million of those accounts being in the United States.

COPPA prohibits the unauthorized or unnecessary collection of children’s personal information online by website operators and online services, and requires that verifiable parental consent be obtained before collecting, using, or disclosing personal information of children under 13. Continue reading Popular Music Video App Agrees to Record COPPA Settlement

European Standards Body Publishes New Internet of Things Standard

In February 2019, the European Telecommunications Standards Institute (ETSI) published ETSI TS 103 645 V1.1.1, a high-level, outcome-focused standard for the security of internet-connected consumer products or Internet of Things (IoT) devices. IoT devices covered by the new standard include connected children’s toys and baby monitors; IoT-enabled smoke detectors and door locks; smart cameras; TVs and speakers; wearable health trackers; connected home automation and alarm systems; and connected appliances.

ETSI and the New Standard

ETSI is an independent not-for-profit standards organization based in France with about 800 members in over 60 countries across the world and is a European Standards Organization (ESO). Continue reading European Standards Body Publishes New Internet of Things Standard

FTC Keeps CAN-SPAM Unchanged

The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) is here to stay, the Federal Trade Commission (FTC) recently announced after completing its review.

What is CAN-SPAM?

Effective January 1, 2004, CAN-SPAM establishes requirements for commercial messages, gives recipients the right to make you stop emailing them, and outlines tough penalties for violations. For example, each email in violation of CAN-SPAM is subject to penalties of up to about $40,000. That can quickly add up!

On February 12, 2019, the FTC announced that it had completed its first review of CAN-SPAM. Based on its review, the FTC announced its decision to retain the rule in its present form. Continue reading FTC Keeps CAN-SPAM Unchanged

The New Biometric Data Ruling You Need to Know About!

Authentication through biometrics—such as fingerprinting or iris scanning—is growing rapidly. In 2008, Illinois passed the Biometric Information Privacy Act (BIPA) and became the first state to regulate the collection and use of this kind of data.

Recently, the Illinois Supreme Court made it much easier for plaintiffs to show harm under BIPA. This means we’ll likely see a significant rise in the number of lawsuits alleging violations.

The Trouble with Biometrics

While convenient, there are several drawbacks to using this data to authenticate a user. Unlike a password or a government-issued identification number, a biometric cannot be changed if it is compromised. Consequently, lawmakers continue to regulate the collection, use, storage, and destruction of this sensitive data.

BIPA Basics

Generally, BIPA requires organizations to give written notice and receive consent from the individuals whose biometric data is being collected or used. Biometric identifiers include fingerprints and voiceprints as well as retina, iris, hand, and facial geometry scans.

Companies are required to publish a privacy policy describing their biometric data retention policy. BIPA also gives individuals a private right of action to sue companies and obtain damages for violations.

Technical Violations Benefit Plaintiffs

Rosenbach v. Six Flags significantly changed the litigation landscape regarding biometric data handling. According to the Illinois Supreme Court, an individual could be “aggrieved” simply by a technical violation of BIPA even without suffering an actual injury or damage.

Prior to this case, plaintiffs had to show actual harm to collect damages. In short, this decision makes it much easier for plaintiffs to successfully sue companies for BIPA violations.

Practical Advice

This recent decision highlights the importance of notice and consent procedures related to collecting biometric information. Here are some things you can do today.

  • If you collect biometric data, get familiar with BIPA requirements and other biometric privacy laws (e.g. Texas).
  • Provide adequate informed notice and receive written consent before collecting or using biometric data.
  • Review your privacy policy for notice and consent procedures designed to educate individuals about the company’s privacy practices.
  • Review vendor relationships and determine whether third parties have access to or use your biometric data. If so, make sure you disclose that in your privacy policy!
  • Train your employees to properly handle biometric data.

OCR Sets HIPAA Enforcement Record with Cottage Health Settlement


California-based Cottage Health agreed to pay $3 million and implement a corrective action plan as part of a HIPAA settlement to resolve allegations it had unintentionally disclosed electronic patient information. This settlement, in December 2018, brought the annual total of collections from OCR enforcement actions to $28.7 million, setting a new annual record.

Two Breaches

Cottage Health, which operates four hospitals in California, notified HHS’ OCR about two breaches of unsecured electronic protected health information (ePHI), one in December 2013 and another in December 2015, affecting more than 62,500 individuals.

The first incident occurred when the security configuration of a Windows server reportedly permitted access to files containing ePHI without requiring a username and password. As a result, patient information was available to anyone on the internet who could reach Cottage Health’s server. Continue reading OCR Sets HIPAA Enforcement Record with Cottage Health Settlement

Indiana Argues Companies are Deceptive if They Suffer a Data Breach

The Indiana Attorney General recently lodged a claim under the Indiana Deceptive Consumer Sales Act (Indiana Deception Act) that might allow data breach victims to file class action lawsuits against companies and recover $500 or more per person in damages and attorney’s fees.

If successful, this could open the floodgates of litigation against companies who suffer data breaches exposing personally identifying information.

The Indiana Deception Act

The Indiana Deception Act protects consumers from companies who commit deceptive and unconscionable sales acts. Under the Indiana Deception Act, a company “may not commit an unfair, abusive, or deceptive act, omission, or practice in connection with a consumer transaction.” For the first time, the Indiana Attorney General recently argued that this Act should apply to data breaches. Continue reading Indiana Argues Companies are Deceptive if They Suffer a Data Breach

Google Hit with Biggest Ever GDPR Fine

The biggest GDPR fine to date was recently issued by France’s National Data Protection Commission (CNIL) to Google for multiple GDPR violations, the regulator announced. The fine? A whopping 50 million euros (about $57 million).

Two Types of GDPR Violations

First, CNIL found that Google provided information to users in a non-transparent way: “The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions,” according to the CNIL.

Second, CNIL concluded that Google was not validly obtaining users’ permission for data processing and ads personalization purposes. The users’ consent, CNIL claims, “is not sufficiently informed,” and it’s “neither ‘specific’ nor ‘unambiguous’.”

Confirming Customer Sentiment

The CNIL’s findings echo what many users have felt when dealing with the privacy settings of large online companies such as Google and Facebook: while it may be possible to opt out of various ads personalization and data processing schemes, the process and settings are too convoluted for many users to understand. Continue reading Google Hit with Biggest Ever GDPR Fine