One of the most common misconceptions surrounding cybersecurity and data protection measures is that they are too expensive to deploy and maintain – so much so that they become prohibitive for small and middle market businesses. Another one I hear often is that the implementation process can seem daunting for business owners who may be unsure about where exactly to begin.

While top-of-the-line cybersecurity programs and managed IT service packages can certainly be expensive and complex to deploy, there are several low- or no-cost measures worth considering. An ounce of prevention, even on a limited budget, goes a long way.

1. Password protocols and two-factor authentication

  • Passwords should be at least 10 characters; longer passphrases are better, and length does more for you than forced symbol-and-number rules
  • Changed quarterly at most, and always immediately when compromise is suspected (current NIST guidance, SP 800-63B, favours changing on evidence of compromise over fixed schedules; reusing one password across sites is the larger risk)
  • Kept in a secure location, ideally a password manager rather than a spreadsheet or a sticky note
  • Change default passwords on every new device and account (routers, printers, cameras, admin consoles)
  • Two-factor authentication can be established with minimal (or no) cost: free authenticator apps implement an open standard (TOTP), and most banking, email and cloud services already support it

2. Patch early, patch often: all computers and other devices (including routers, firewalls and phones) should be updated regularly, with automatic updates turned on wherever they are offered

3. Bank online through one isolated computer that is used for nothing else and is not connected to the business’s local area network

4. Train your personnel on cyber mindfulness

  • More than one-third of ransomware attacks are launched via a phishing email
  • Verify requests through a channel you already trust – pick up the telephone and call a number you know, not one supplied in the email!
  • If you see something, say something…

5. Least privilege – in small organizations everyone wears multiple hats… but for sensitive information, minimize who has access to the crown jewels, and review that list periodically

6. Back up your data, keep at least one copy offline or otherwise disconnected from the network (ransomware looks for reachable backups), and test that you can actually restore from it

7. Encrypt your data, both at rest on laptops and phones (the full-disk encryption built into current operating systems is free) and in transit

8. Secure your physical environment: lock server closets and screens, and control who can walk up to a workstation

9. Due diligence: read your contracts, your privacy policies and understand your legal obligations

10. Have a plan!

  • The day you discover you have had an incident is not the day to figure out “now what?”
  • Keep a calling tree (think of a PTA phone tree) with current numbers for staff, your IT provider, counsel, insurer and bank
  • Do NOT store the only copy of the plan on the computer! Keep a printed copy – the systems you need may be down or compromised

If you’d like to keep these tips at hand, they are available for download here. Be smart and be safe!

One of my husband’s goodhearted employees nearly fell victim to a scam that has been rampant throughout the country. The employee received an email from a senior staff member (or so it seemed) asking if he was in the office. It was early on a Friday morning, before many people had arrived. The employee, never wanting to disappoint, responded yes. The alleged senior staff member then asked the employee for help – asking if he could go to a nearby drug store, purchase several gift cards and then send him the redemption codes. The employee got as far as purchasing $500 worth of gift cards before he took a moment to think about what he was doing. Just prior to sending the codes, he picked up the phone to confirm with the senior staff member…

While the employee ultimately realized he might be the target of a scam, too many people take action without first verifying. By our nature, people are helpful. We hold the door for others and offer to send money to someone in need. Scammers are all too happy to take advantage of our good nature. Sadly, in this day and age, we need to take that extra minute or two (or three) to pick up the phone and verify, using a number we already have rather than one supplied in the message. Being helpful is wonderful – but being smart is self-preservation.

For employers, this type of scam is best combated by proper and regular cyber training for your personnel. More than half of reported breaches (and some in the headlines) begin with employees responding to this type of phishing email, a spoofed sender address or a suspect link. Be smart and be secure.
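Training is the primary defence, but the gift-card scam described above also leaves machine-checkable traces that a mail gateway or a help-desk triage script can flag before the employee reaches for his wallet: the display name of a senior staff member paired with an outside mailbox, a look-alike domain, a Reply-To that does not match From, a failed SPF/DKIM/DMARC result from the receiving server, and the familiar lure phrases. The block below is an added example, not code from the original post. The organisation domain, staff directory and the three messages are constructed for illustration; note that the first message would pass SPF, DKIM and DMARC, because it really was sent from a free webmail account, so authentication results alone would not have caught it.

```python
"""Triage checks for a suspected executive-impersonation ("gift card") email."""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                  # assumption: the business's own mail domain
STAFF = {"pat senior", "chris finance"}     # assumption: display names from the staff directory
LURES = ("gift card", "are you in the office", "redemption code", "keep this between us", "urgent")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot domains one or two keystrokes away from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """Not our domain, but within two edits of it (examp1e.com, exarnple.com, example.co)."""
    return domain != ORG_DOMAIN and levenshtein(domain, ORG_DOMAIN) <= 2


def bec_indicators(raw: str) -> list[str]:
    """Return the human-readable indicators found in one RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    found = []
    if name.strip().lower() in STAFF and from_domain != ORG_DOMAIN:
        found.append(f"staff display name '{name}' but external sender domain '{from_domain}'")
    if is_lookalike(from_domain):
        found.append(f"lookalike domain '{from_domain}'")
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        found.append("Reply-To points to a different domain than From")
    auth = msg.get("Authentication-Results", "").lower()   # added by the receiving mail server
    for res in ("spf=fail", "dkim=fail", "dmarc=fail"):
        if res in auth:
            found.append(f"receiving server reported {res}")
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    lures = [w for w in LURES if w in text]
    if lures:
        found.append("lure phrases: " + ", ".join(lures))
    return found


def triage(raw: str) -> str:
    """Two or more indicators: hold the request and confirm by phone on a known number."""
    n = len(bec_indicators(raw))
    return "hold and verify by phone" if n >= 2 else ("caution" if n == 1 else "no indicators")


# Constructed sample messages (not real mail).
SCAM = """\
From: Pat Senior <pat.senior.office@gmail.com>
Reply-To: Pat Senior <pat.senior.office@gmail.com>
To: helpful.employee@example.com
Subject: Are you in the office?
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass; dmarc=pass

Are you in? I need a favor. Please pick up several gift cards at the drug store
and send me the redemption codes. Keep this between us for now.
"""

LOOKALIKE = """\
From: Pat Senior <pat.senior@examp1e.com>
To: helpful.employee@example.com
Subject: Urgent - call me

Are you free? Need something handled quietly today.
"""

LEGIT = """\
From: Pat Senior <pat.senior@example.com>
To: helpful.employee@example.com
Subject: Q3 board deck
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Could you send me the latest version of the deck when you have a moment? Thanks.
"""

if __name__ == "__main__":
    for label, sample in (("scam", SCAM), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, "->", triage(sample), bec_indicators(sample))
```

The point of the "hold and verify by phone" outcome is procedural, not technical: the script only decides who gets the phone call that the employee in the story eventually made on his own.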

As the target of a corporate cyber breach, are you a victim – along with your customers and personnel – or are you a “willing” accomplice to the crime?

This week, a U.K. bank was fined in excess of $21 million for failing to protect its systems and customers against a “foreseeable” cyber-attack that occurred in 2016.

The attackers exploited deficiencies in the design of the bank’s debit cards. In the year preceding the attack, Visa, Inc. had warned lenders, including this bank, about this weakness. Accordingly, the regulator found that the bank was on notice of the potential for the attack and nevertheless failed to act to prevent it.

Those of you based in the U.S. reading this post may say, “well that is the U.K.”…

However, earlier this year, a Federal District Court in North Carolina found that a U.S.-based company that failed to train its personnel about a “known” phishing scam had acted “intentionally” when one of its (untrained) employees released the company’s employees’ W-2s in response to such a phish. In this case, the IRS had issued warnings in prior years about this type of scam. However, the U.S. company did not train its personnel to be aware of such an attack, nor did it have protocols in place to guide personnel in such instances. In finding that the company acted “intentionally,” the court ruled that the company, in effect, willfully exposed the Social Security numbers of its personnel. Under North Carolina law, having been found to have acted intentionally, the company was subject to treble damages.

Given these rulings, and with more and more states adopting proactive legislation requiring businesses to have written policies, procedures and protocols in place to prevent, detect and mitigate cyber-attacks, companies may not be able to argue that they were “innocent” victims, too.

Having written policies and procedures, supporting technology and educated personnel will go a long way toward protecting the company, its customers and its personnel; and when (not if) an attack occurs, the company will be prepared to respond effectively.

Many businesses and individuals dispose of aging equipment, laptops, desktops, servers and more by monetizing those items, whether by sale at auction or by donation to charity. Some companies now lease equipment and turn it over at lease end. However, many businesses and individuals forget, or do not realize, that the equipment they use to process data also stores that data. This includes computers, fax machines, photocopiers, cellphones and similar devices. When you return, sell or donate that equipment, you may be unwittingly causing a data breach.

NCIX, a recently failed Canadian company, did just that. The company, strapped for cash, sold off servers without first wiping the data. The devices in question stored data in plain text and contained decades of customer information, including names, addresses and payment information.

Whether you are returning leased equipment or selling or donating old items, and even if the data is encrypted, always have the storage sanitized before the device leaves your control: overwrite it, or for SSDs use the drive’s built-in secure-erase or sanitize command, and then verify the result rather than assume it (NIST SP 800-88 describes the accepted methods, including cryptographic erase for drives that were encrypted from first use). For leased equipment, do not assume the leasing company will do this for you absent an express contractual undertaking to do so.
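The NCIX failure above is the general case: deleting files, or quick-formatting a volume, removes the index that points at the data and leaves the data blocks themselves untouched, so anyone who reads the raw device gets the records back. The verification step a practitioner wants is to scan the device for residual customer data after sanitizing it and before it ships. The block below is an added example, not code from the original post. The "disk image" is a constructed toy (a directory region followed by a data region, with one customer record using the well-known test card number 4111 1111 1111 1111); on real hardware the same scanner would be run over the raw block device in chunks.

```python
"""Verify that storage is actually clean before it leaves your hands."""
import re

BLOCK = 4096  # assumption: 4 KiB allocation unit for the toy image

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; weeds out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_image(image: bytes, chunk: int = 1 << 20, overlap: int = 64) -> dict:
    """Scan for residual card numbers and e-mail addresses. Chunks overlap by `overlap` bytes
    so a record straddling a chunk boundary is still seen; sets de-duplicate double hits."""
    hits = {"pan": set(), "email": set()}
    pos = 0
    while pos < len(image):
        window = image[pos:pos + chunk + overlap]
        for m in PAN_RE.finditer(window):
            digits = re.sub(rb"[ -]", b"", m.group()).decode()
            if luhn_ok(digits):
                hits["pan"].add(digits)
        for m in EMAIL_RE.finditer(window):
            hits["email"].add(m.group().decode())
        pos += chunk
    return hits


def build_image() -> bytes:
    """Constructed sample: a directory block pointing at one block of customer data."""
    record = b"Alex Customer,12 Main St,alex@customer.example,4111 1111 1111 1111\n"
    directory = b"DIR customers.csv -> block 1\n"
    return directory.ljust(BLOCK, b"\x00") + record.ljust(BLOCK, b"\x00")


def quick_format(image: bytes) -> bytes:
    """What 'delete' or a quick format does: the directory is cleared, the data blocks are not."""
    return b"\x00" * BLOCK + image[BLOCK:]


def overwrite(image: bytes) -> bytes:
    """Sanitize by overwriting every block (NIST SP 800-88 'Clear'). A single pass of zeros is
    sufficient for magnetic disks; SSDs should use the drive's own secure-erase/sanitize command,
    because wear levelling means host writes do not reliably reach every flash block."""
    return b"\x00" * len(image)


if __name__ == "__main__":
    img = build_image()
    print("after quick format:", scan_image(quick_format(img)))
    print("after overwrite:   ", scan_image(overwrite(img)))
```

The first scan still reports the card number and the e-mail address even though the "file" is gone; only the second, after every block has been overwritten, comes back empty. Keep that empty scan result (with the device serial number) as the evidence that the equipment was sanitized before it was sold, donated or returned.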

The American Bar Association’s recent cybersecurity webinar reminded us all that the largest source of cyber loss is still people. And for businesses, it is their employees who continue to click on suspicious links and respond to phishing and other scams.

If you think this does not apply to you or your business, think back to the recent Federal District Court ruling in which the court found that the defendant had acted intentionally, not merely negligently, because it failed to train its employees about a known scam that sought to dupe key personnel into releasing employees’ W-2s.

While annual training is certainly a step in the right direction, the fact is that the “bad guys” do not wait 365 days to launch their next scam. As such, for businesses across the board, continuous cybersecurity training is critical and warrants more than a “one and done” approach. Between formal training programs, interim tips and reminders are crucial in keeping personnel vigilant.

As with any initiative, corporate commitment to cyber-mindfulness must begin at the top and if the C-suite is not engaged, management and staff will follow suit.