All posts by Erich Falke

4 Things in Microsoft’s Security Intelligence Report that You Need to Implement!

In 2018, Microsoft’s Security team analyzed more than 6.5 trillion security signals a day to identify security trends. Prevention, detection and response were highlighted, but since an ounce of prevention is worth a pound of cure, these four prevention recommendations should be on your radar.

  1. Security Hygiene

Security hygiene and configurations are designed to protect your assets. Running up-to-date software is crucial, especially on operating systems, anti-virus software, email, and internet browsers. Also important: creating a backup program, using software only from trusted sources, securing privileged administrator accounts, and using a secure email gateway with advanced threat protection capabilities to help guard against phishing attacks.

  1. Access Controls

Access controls regulate who or what can view or use organizational resources, so implement Multi-Factor Authentication (MFA) across the board. Apply least privilege principles, segment your network, and remove local administrator privileges from end-users to reduce potential cyberattack damages. Restrict downloading privileges and limit application downloading to only reliable sources.

  1. Backups, Backups, Backups!

Critical systems and data must be backed up regularly. Up-to-date and easily accessible backups can nullify a ransomware attack. Follow the 3-2-1 rule for backups: have 3 copies of your data, including 2 copies on different media types (USB, external hard drive, cloud, etc.) and 1 copy offsite.

  1. Employee Training and Awareness

Employee security awareness and training is the best cyber risk mitigation technique you can implement. For example, Microsoft reported that inbound phishing emails increased 250 percent in 2018! Train your employees to recognize phishing emails, especially those that request sensitive information or ask them to click on a link or open an attachment. One easy way to ensure something is authentic is to ask your IT team to verify it before proceeding. Additionally, instruct your employees how to report suspicious email requests, so your security team can investigate them. Finally, training your employees on ransomware, data safeguarding, and other social engineering techniques can give you and your organization the advantage when it comes to preventing a data breach.

Georgia County Pays $400,000 Ransom

Jackson County, Georgia was recently infected with ransomware that shutdown IT systems for over two weeks.

Struggling to recover, local officials paid a $400,000 ransom to access and restore their systems. While the FBI is investigating the attack, a relatively new strain of ransomware called “Ryuk” is likely behind the attack and was probably delivered through a phishing email.

Ransomware can quickly shut down an entire business. The good news is you can protect yourself and render ransomware completely ineffective. Here are some ways to protect your organization.

  1. Install software patches in a timely manner.

 Outdated operating systems and software are vulnerable to ransomware attacks.

  1. Perform regular and comprehensive backups.

The 3-2-1 backup strategy is the gold standard and requires at least 3 copies of your data, 2 copies on different media types (USB, external hard drive, cloud, etc.) and 1 copy offsite. Prioritize your information. Ask yourself, what information is most important to the operations of the company? What is the harm if this information was lost? Start with the most important information.

  1. Train your employees to spot phishing emails.

Be careful when clicking on links in emails, even if the sender appears to be known. Avoid opening attachments or Office documents from unknown sources. When in doubt, ask your IT department before responding to any suspicious emails.

KEY TAKEAWAY

Ransomware can be devastating. But its effects can be neutralized if you have up-to-date and easily accessible backups. Importantly, practicing restoring from backups should be part of your organization’s incident response plan so that when the time comes, restoring from backups is almost second nature.

The New Biometric Data Ruling You Need to Know About!

Authentication through biometrics—such as fingerprinting or iris scanning—is growing rapidly. In 2008, Illinois passed the Biometric Information Privacy Act (BIPA) and became the first state to regulate the collection and use of this kind of data.

Recently, the Illinois Supreme Court made it much easier for plaintiffs to show harm under BIPA. This means we’ll likely see a significant rise in the number of lawsuits alleging violations.

The Trouble with Biometrics

While convenient, there are several drawbacks to using this data to authenticate a user. Biometrics cannot be changed, like a password or government-issued identification number, if compromised. Consequently, lawmakers continue to regulate the collection, use, storage, and destruction of this sensitive data.

BIPA Basics

Generally, BIPA requires organizations to give written notice and receive consent from the individuals whose biometric data is being collected or used. Biometric identifiers include fingerprints and voiceprints as well as retina, iris, hand, and facial geometry scans.

Companies are required to publish a privacy policy describing their biometric data retention policy. BIPA also gives individuals a private right of action to sue companies and obtain damages for violations.

Technical Violations Benefit Plaintiffs

Rosenbach v. Six Flags significantly changed the litigation landscape regarding biometric data handling. According to the Illinois Supreme Court, an individual could be “aggrieved” simply by a technical violation of BIPA even without suffering an actual injury or damage.

Prior to this case, plaintiffs had to show actual harm to collect damages. In short, this decision makes it much easier for plaintiffs to successfully sue companies for BIPA violations.

Practical Advice

This recent decision highlights the importance of notice and consent procedures related to collecting biometric information. Here are some things you can do today.

  • If you collect biometric data, get familiar with BIPA requirements and other biometric privacy laws (e.g. Texas).
  • Provide adequate informed notice and receive written consent before collecting or using biometric data.
  • Review your privacy policy for notice and consent procedures designed to educate individuals about the company’s privacy practices.
  • Review vendor relationships and determine whether third parties have access to or use your biometric data. If so, make sure you disclose that in your privacy policy!
  • Train your employees to properly handle biometric data.

Canada’s New Consent Guidelines are Effective Now!

Consent is an important element in privacy law.

Last year, Canadian officials jointly issued guidelines on how to obtain meaningful consent under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) which generally requires that you obtain meaningful consent for the collection, use and disclosure of personal information.

The guidelines outline seven principles for obtaining meaningful consent.

  1. Emphasize key elements

Organizations must allow individuals to quickly and easily review key elements affecting their privacy decisions early in the process. Key elements include what information is being collected, why it is being collected and who it is shared with. Continue reading Canada’s New Consent Guidelines are Effective Now!

A Data Breach Can Cost a Small Business $2.5 Million

SMBs are attractive targets to cybercriminals because they typically have smaller cybersecurity budgets and may lack an internal security team dedicated to timely discovering and responding to cyberattacks. Critically, these organizations may also lack resources to train their employees to identify preventable breaches like phishing campaigns.

The Cisco Report

Late last year, Cisco published a special cybersecurity report (Cisco’s SMB Cybersecurity Report)(Report) focused how cyberattacks affect SMBs. The Report includes 1,816 survey respondents from 26 countries.

When surveyed, respondents listed these as the most concerning threats.

  • Targeted employee attacks (BEC and phishing)
  • Advanced persistent threats (new malware)
  • Ransomware

Continue reading A Data Breach Can Cost a Small Business $2.5 Million

Employers Have a Legal Duty to Protect Employee Data

The cybersecurity standard of care is getting clearer: if you collect sensitive data, you must take reasonable measures to protect it.

Recently, in Dittman v. UPMC, the Pennsylvania Supreme Court ruled that an employer has a common law duty to use reasonable care to safeguard its employees’ personal information stored on an internet-accessible computer. This decision paves the way for a much broader application because the case was decided based on the mere act of collecting and storing sensitive information (and not the employer/employee context).

The Facts

The case relates to a data breach of the University of Pittsburgh Medical Center’s (UPMC) network and the theft of sensitive personal information belonging to more than 60,000 employees (e.g., Social Security numbers, confidential tax information, and bank account information). The employees sued but lost in the trial court, which held that Pennsylvania law did not recognize a duty to secure employee data stored on internet-accessible computers. Continue reading Employers Have a Legal Duty to Protect Employee Data

HHS Publishes Cybersecurity Best Practice Guide

The U.S. Department of Health and Human Services (HHS) recently published voluntary cybersecurity best practices entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (Best Practice Guide). These best practices were compiled over a two-year period by 150 cybersecurity and healthcare experts from both the public and private sector and are a cybersecurity roadmap for healthcare organizations of all types and sizes, from small local clinics to large regional hospital systems.

All entities, especially those in the healthcare field, can learn from this valuable resource.

The Four-Part Best Practice Guide

The Best Practice Guide is four sections: a main document (entitled Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients); two technical volumes; and resources and templates. The Best Practice Guide’s goal is to increase awareness, provide sound practices, and consistently mitigate today’s most damaging cybersecurity threats in the healthcare industry. Continue reading HHS Publishes Cybersecurity Best Practice Guide

5 Top Cybersecurity Myths Revealed! Protect Your Organization Today!

How much do you know about cyber risks? If the answer is, “Less than I should,” then your company may be at risk. A data breach can be costly. To minimize your cyber risks, learn the reality behind these cybersecurity myths!

Myth 1: IT is responsible for cybersecurity.

Reality: Everyone is responsible for cybersecurity.

IT may create and enforce cybersecurity policies and procedures, but everyone plays a role in keeping a company safe from cyber attacks. For example, phishing email attacks present a big risk. Effective employee training can reduce the chances of this type of breach and also reduce the harm it causes.

Myth 2: My organization doesn’t have anything of value to hackers.

Reality: Every organization is a target. Continue reading 5 Top Cybersecurity Myths Revealed! Protect Your Organization Today!

Online Privacy in Australia Takes a Major Hit. Who’s Next?

The latest law passed by Australian Parliament has outraged global privacy advocates. The Assistance and Access Bill (AA Bill) essentially allows Australian officials to access the content of end-to-end encrypted communications. While it may be an Australian law, global privacy advocates predict it will impact global privacy rights, and other countries may follow suit.

Here’s what you need to know. The most controversial parts of the AA Bill are the “frameworks for voluntary and mandatory industry assistance to law enforcement and intelligence agencies” that allow the Australian government to access encrypted communication content.

  • What does “industry assistance” mean?

It means the Australian government can force “designated communication providers” to use known capabilities to intercept communications or build a new interception capability.

  • Who is a “designated communication provider?”

In short, anyone who touches hardware, software, or data used in end-to-end communication, including online services like websites. Continue reading Online Privacy in Australia Takes a Major Hit. Who’s Next?

Get “Incident Response” Ready with Help from the DOJ

Being ready and able to effectively respond to a cyber incident is vital in terms of minimizing the resulting damages, but do you know what to do or where to look for assistance?

An effective response means having a plan before a cyber incident occurs. To help with your incident response planning efforts, the U.S. Department of Justice (“DOJ”) recently released a revised version of its “Best Practices for Victim Response and Reporting of Cyber Incidents” (Guidance). The DOJ’s Guidance was based on the real-life lessons learned by federal officials with input from private companies who managed cyber incidents.

The Guidance consists of four sections: Continue reading Get “Incident Response” Ready with Help from the DOJ