From a cybersecurity and data protection perspective, traveling safely for business or pleasure is not an easy task.  But if you are mindful of what you do, and where you do it, you and your information can travel more securely.

Here are ten practical cybersecurity and data protection tips to keep in mind:

  1. Devices that you will be working on should be encrypted and up to date with security patches.  Even if your device is compromised (and this can happen any number of ways), the data stolen is unintelligible to anyone without the decryption key.
  2. While working on a plane, train or automobile, at the terminal or any other public venue using your laptop, use a privacy screen so the nosy traveler next to you, or walking down the center aisle, does not see your screen or your work.
  3. Consider traveling with your own cellphone charger or power bank.  Charging towers in some airports and terminals (particularly outside the US) have been found to be tampered with, so that when you plug in your device to charge, you unwittingly share your data through malware installed in the charging tower!
  4. If you need to use the hotel or other third party computer to print out your boarding pass, (i) remember to log off the computer when you are done, (ii) do not ask to be remembered, and (iii) be mindful of who may be around you as you enter your credentials.
  5. If you are working at a hotel or third party location, do not assume that the Wi-Fi network you log into is the actual hotel network.  Hackers can easily spoof hotel Wi-Fi addresses to trick you into using their network – all the while, capturing your activities as you unsuspectingly work or shop online.  Best practice is to use your own hotspot.
  6. Confirm whether your company can remotely wipe your device – whether it is a laptop, phone or otherwise.  Then, if the device goes missing or is stolen, sensitive data can be wiped remotely. This obviously assumes that you have either memorized, or traveled with a hardcopy of, your office’s contact numbers to report lost devices as you will no longer have access to the stolen or misplaced device.
  7. Remember that devices used to print documents store images of those documents.  As such, before you have your office fax you documents or email information to a third party’s computer while you are traveling, be mindful that the third party printer or fax machine is retaining your data long after you are gone.  Better practice would be to read the document on your device or have your office overnight the materials, where possible.
  8. While traveling, if you are working on a printed, sensitive document (for example, one whose cover page reads “Merger of ABC into 123”), consider first printing a sanitized cover page, or replacing parties’ names with numbers in the document, so that your paper version does not reveal sensitive information to a third party.
  9. Do not check your bag with devices inside – whether as checked luggage, at the hotel or at the courtesy club for your airline.  You cannot assume that persons holding your items and/or having access to the holding area could not, or would not, access or steal your devices.
  10. Train your team to know that nothing is so critical that it cannot be confirmed by a phone call when you are traveling. No wire transfer must be made, and no data must be transmitted, just as you are boarding a plane without first being verified with you by telephone.

Enjoy the trip and be smart so that someone else does not take you or your data for a ride.

One of the most common misconceptions surrounding cybersecurity and data protection measures is that they are too expensive to deploy and maintain – so much so that they become prohibitive for small and middle market businesses. Another one I hear often is that the implementation process can seem daunting for business owners who may be unsure about where exactly to begin.

While top-of-the-line cybersecurity programs and managed IT service packages can certainly be expensive and complex to deploy, there are several low- or no-cost measures that are worth considering. An ounce of prevention, even on a limited budget, can go a long way.

1. Password protocols and two factor authentication

  • Passwords should be (at least) 10 characters
  • Passwords should be changed quarterly
  • Passwords should be kept in a secure location
  • Default passwords should be changed
  • Two factor authentication can be established with minimal (or no) cost

2. Patch early, patch often: All computers and other devices should be updated regularly

3. Bank online through one, isolated computer that is not used for any other purpose, and which is not connected to the business’ local area network

4. Train your personnel on cyber mindfulness

  • More than one-third of ransomware attacks are launched via a phishing email
  • Verify from a known source – pick up the telephone!
  • If you see something, say something…

5. Least rights – for small organizations, everyone wears multiple hats… but for sensitive information, minimize who has access to the crown jewels

6. Back up your data

7. Encrypt your data

8. Secure your physical environment

9. Due diligence: read your contracts, your privacy policies and understand your legal obligations

10. Have a plan!

  • The day you discover you have had an incident is not the day to figure out “now what?”
  • PTA calling tree
  • Do NOT store the plan on the computer!

If you’d like to keep these tips at hand, they are available for download here. Be smart and be safe!

Cybersecurity is a hot button for all businesses these days. However, in the flurry of new privacy regulations and the focus on protection of consumer data, many businesses are not paying enough attention to how they could – and should – be using cybersecurity protocols to protect valuable trade secrets.

Trade secret protections apply broadly to business, financial and technical information, so long as: (1) the information is not generally known or ascertainable outside the owner’s organization and control; (2) the owner derives independent economic value or business advantage from the information not being known; and (3) the owner makes reasonable efforts to preserve its secrecy.  The unauthorized disclosure of trade secrets can lead to loss of strategic advantage over competitors and harm to your company’s finances and reputation. Failing to adequately protect trade secrets could also result in losing a misappropriation case against a bad actor.

Trade secret rights are secured and maintained solely by “reasonable efforts” to preserve their secrecy, which must be both internal (i.e., with employees) and external (i.e. with third party vendors).  While appropriate steps to protect trade secrets include offline actions like using non-disclosure agreements or physically locking confidential information away, courts are also now considering the adequacy of cybersecurity measures when they analyze reasonable efforts.

So, in the trade secret world, what is a reasonable “cyber” effort?  Like cybersecurity technology, case law on this issue is continuously evolving.  However, if you possess any trade secret information that is stored or communicated electronically, we recommend, at a minimum, the following:

  1. Ensure you have appropriate access protections in place. Trade secret information should be password protected and stored on a secure server.  Review your firewalls, encryption procedures, anti-virus software and the like.  Stay current with software patches and consider encryption for data at rest as well as for data in motion.  Access credentials should require multi-factor authentication.
  2. Limit the people who have access to your electronic information (think “least rights” access). Consider limiting electronic access to those specific employees or agents who actually need the information.  The more people who have access to trade secrets (and the ability to share them with just the click of a mouse), the higher your risk of breach or misappropriation.
  3. Train your employees and agents on appropriate use of your electronic systems. For example, remind them not to share their passwords with anyone (even co-workers) and educate them on using company devices (like laptops and smartphones) correctly when they are offsite.  Consider how your employees connect to your system when working remotely (i.e., require them to only use password-protected Wi-Fi networks, and not public Wi-Fi).  Think about limiting or prohibiting use of USB ports or other portable drives on company computers.  Teach your employees how to recognize phishing attempts.
  4. If you allow employees to access your systems from personal devices, consider an appropriate “BYOD” (bring your own device) policy and technology to secure the work environment on those devices.
  5. Restrict departing employees’ access to electronically stored information. Following termination, disable access to IT systems, change passwords, and make sure company-owned devices are returned.
  6. Ensure that you are monitoring and improving your cybersecurity efforts periodically. Consult experts about the latest developments in technology.  Conduct regular training about appropriate use of electronic systems and advise your employees of the risks of failure to follow protocol.
  7. Revisit confidentiality agreements with third parties and consider whether they reflect cybersecurity protocols.

Once your “crown jewels” are exposed, you cannot “recapture” them.  Be smart, be secure and be prepared.

I am sure you have read about the latest breach, this time hitting Facebook.  Facebook confirmed that the access codes for 50 million accounts were compromised.  Facebook is still investigating the impact of the breach, and has not yet reported whether any personal information was gathered or misused from those accounts.

For those of you that use Facebook, err on the side of caution and assume your information was compromised.  If you have not already done so, change your login credentials for your Facebook account.  If you use the same credentials for other accounts (which you should not do), then those account credentials should be changed, too.  If you link your Facebook account to other social media accounts, you should check those accounts and change the credentials on those accounts, too.

I noted in a prior post that birthdays should not be posted on LinkedIn.  Similarly, such personally identifiable data points should not be posted on your Facebook or other social media accounts.

While Facebook may be a wonderful way to stay in touch with friends and family, living out loud online puts you at risk.

Do not feel compelled to share future plans for travel, or other personal data/information, on social media. Be smart and be safe!

I recently had a death in the family. One of the things we addressed while making arrangements was to freeze the credit of my stepfather. I would like to say, as a cyber attorney, that this was my idea, but I confess in mourning the loss of a wonderful man, I was thinking like a daughter and not like an attorney. The credit freeze was one of the services the funeral home offered.

Sadly, this is one of the more important things that a family should do after losing a loved one. Criminals comb obituaries to find homes they can break into, and identities they can steal. Freezing the credit of a lost loved one does not impede the settlement of the estate, and ensures that a grieving family does not have the added heartache of a stolen identity and stolen assets. Consideration should also be given to social media profiles and accounts, along with credit cards. While it is an unfortunate statement about our society that a family in mourning must address such matters, it is essential that this be undertaken quickly.

NJCCIC shared today that as of 9/21/18, Equifax, Experian and TransUnion will be required to offer free credit freezes. NJCCIC further reported that “[a]s part of the new Economic Growth, Regulatory Relief and Consumer Protection Act, parents will also be able to request free credit freezes for children under the age of 16 and free crediting monitoring services will be offered to all active duty military personnel.” More information is available on the Federal Trade Commission Consumer Information blog.

Keep in mind, however, that if you are in the process of buying or financing a major purchase (car or home), or undertaking any other venture for which a third party would look to run a credit check, you will need to allow for those parties to access your credit report. Further, if you do freeze your credit, and then misplace your access credentials with the particular credit agency, it is not a small undertaking to prove you are really you to unfreeze your credit. And, of course, be careful how you select your access credentials, respond to security questions, and keep credentials in a secure location.