Data Privacy Week Is a Time to Consider What You Share

This is Data Privacy Week, when everyone who uses the Web is encouraged to think about, and limit, the amount of personal data they share online. We often think of data privacy and data breaches in terms of someone stealing information we have shared. During this week, that thinking should be reversed: Ask what you share, where you share it and whether sharing is even necessary.

Data Privacy Begins with You

Thieves cannot steal what you do not share. If you never give your credit card number, name, address or phone number to any website, you have zero data privacy risk. This is impractical if you want to shop online or use services such as email and social media. Most people get so used to sharing personal information to do things online that they share freely in all spaces online, making them targets for data theft and phishing attacks. Some sites, such as LinkedIn and Facebook, encourage a level of sharing that creates significant risks to your personal information. Companies may share more than necessary if they try to market their employees, as detailed in Is Your Website a Bait Shop for Phishing Attacks?

Cyber crime would be much lower if everyone followed the rule taught to all children: Do not talk to strangers. Do not tell them your name, where you live or the route you take home. Do not share where you went to high school and college, what you studied, or your employment history. Never give them your mother’s maiden name, your pet’s name, your birthday, the name of your prom date, the name of your favorite teacher, or your favorite grocery items.

By now you should have a window into all the ways you deliberately (social profiles) and casually (social media quizzes) surrender your digital privacy. While sharing online can feel normal, it invites predators. Cyber criminals will gather as much information as they can about potential victims through your posts and profiles. They then use this information to target attacks against you or people you know.

Easy Ways to Improve Data Privacy

Data privacy should be protected on two fronts: Limit what you share initially, then limit how long it remains online. “Online” includes both publicly available information and information you share with others to shop or use services.

  • Use guest checkout. Nearly every shopping site now offers a guest checkout option. When you choose this instead of setting up an account, the business should not build a profile about you or store your information permanently. Use this feature whenever you buy something online for the first time. If you come back, consider opening the account. If you never come back, you will have less risk if that business suffers a breach.
  • Never respond to online quizzes. Facebook has significant, ongoing problems with data-harvesting scams masquerading as quizzes. Because Facebook requires people to give their real names when they sign up, even the most innocent-looking quizzes can yield meaningful data. Criminals often look for clues to passwords or try to fill gaps in an individual’s data profile, or get information they can use to commit fraud. In one example, an image shows several food staples, such as eggs, milk, cereal, orange juice and bacon, then asks which one you dislike the most. Choose eggs and a criminal now knows not to buy eggs when they try your stolen credit card number at the grocery store.
  • Skip the optional fields when you sign up. Whenever you sign up for a service, your goal should be to give as little personal information as possible. This can be challenging if your browser automatically fills in all of your data, or if you fill out forms without looking to see what is actually required. Be wary of businesses that ask for credit card information for a “free” trial, or that want your email, phone and mailing address for services that do not require physical mail.
  • Only post recent, relevant information on social sites. No one needs to know your entire work history, or that you got a master’s degree from Harvard, unless that experience is highly relevant to your current work. This is challenging for thought leaders and those with specialized skills who market their abilities based on experience. Consider using less-specific descriptions, such as “Ivy League educated” instead of “Harvard Class of ’92.” Criminals need specific data points for social engineering fraud. The more you provide, the easier you make it for them.
  • Never post your personal email or phone number. Many small businesses believe posting emails and phone numbers increases the number of contacts they receive. There is no real data to support this. Contact information on a website should go to a generic inbox, such as “info@mysite.com,” and phone numbers should forward to an unpublished office line. One of the leading scams right now harvests personal phone numbers, matches them with company email addresses, then targets employees with texts that appear to come from senior executives, often asking for gift cards or passwords. This scam exploits the abundance of seemingly innocent information that individuals share.
  • Never post photos or videos from your workplace. If you or your company must Instagram what it does, set up a location in the lobby and only allow photos and videos to be shot there. Photos and videos should never be allowed in work areas for any business, because they can give away private or proprietary information. Criminals can learn about your security procedures and your workplace layout, and sometimes find passwords on notes or white boards in the background. Those who work in health care have an additional duty to protect patient privacy, as well as their own.
  • Remove anything personal in the background of your video conferencing space. The rise of video calls and videoconferencing has encouraged people to treat their home office like a television set, with strategically placed books, awards and mementos, information that is valuable to criminals. Another risk, once again, is the whiteboard or bulletin board with sensitive information. Something as simple as a diploma or family photo can be the hook a criminal uses in a targeted attack. Keep anything identifiable out of frame, or use a generated background for your calls.
  • Close all outdated accounts and subscriptions, then ask for your data to be removed. This one is last because it is a little harder. If you have ever canceled a Netflix subscription, you know how easy it seems. They turn off your service and stop billing, but they keep your information by default. Under data privacy laws in the United States, you have the right to have that information removed, which is what you must do to protect your personal data. Every online business has a process for this, and you may need to hunt for it in their Terms of Use or Privacy Policy statements. Get in the habit of reviewing and removing unused accounts at least once a year.

If you maintain strong data privacy, you will be at a far lower risk from breaches and targeted attacks. This is part of the personal approach to data protection that Protect Now promotes through its CSI Protection Certification program, which boosts cyber security by teaching employees the importance of personal as well as professional data privacy. To learn more, contact us online or call us at 1-800-658-8311.

Feds Move Toward Mandatory Cybersecurity

Mandatory cybersecurity is coming, according to details of the Biden Administration’s National Cybersecurity Strategy, now circulating in Washington, that were published by Slate. The document, which is expected to be approved in the coming weeks, details significant, meaningful changes in the way the United States approaches cybersecurity that every business owner needs to understand.

Mandatory Cybersecurity Is Coming to Some Sectors

Over the last few decades, as business owners know, cybersecurity has been voluntary. Business owners faced costly liability for failing to secure customer data, including the costs of credit monitoring and lawsuits, but there were no cybersecurity regulations or mandates. Government relied on conscience and customer pressure to convince business owners to do the right thing.

In recent years, the failure of the voluntary cybersecurity model has been plain. Cyber attacks have reached record highs each year. The most brazen attacks have gone after municipal government systems and what the Federal Government defines as “critical infrastructure”: pipelines, water supplies and electrical systems. The new guidelines present a direct response to the failure of voluntary compliance, and while their initial reach is limited, they point to a future of growing government oversight and regulation.

There are two main components to the Biden Administration plan:

  1. The United States Government will take direct action against cyber criminals. For the first time, offensive cyberattacks will be conducted under the supervision of the FBI’s National Cyber Investigations Joint Task Force. Organizations that conduct repeated attacks against U.S. targets, or that attempt to infiltrate critical infrastructure, will now face retaliation designed to degrade and destroy their capabilities. This is, essentially, a declaration of cyber war on hackers.
  2. Mandatory cybersecurity requirements will apply to organizations with critical infrastructure, including banking, utilities, telecommunications and emergency management. In areas where the Biden Administration lacks the authority to impose mandatory cybersecurity via an executive order, it is expected to seek Congressional authorization to do so.

Every U.S. Business Will Be Affected

The new U.S. government approach to cybersecurity reveals frustration at the current state of cybersecurity defenses. Although it will target critical infrastructure initially, these regulations will eventually impact any organization that conducts business online or uses the Internet for communications.

Directly and in the short term, any business that works with or supplies an organization subject to these rules will be required to follow them as well. Expect compliance with these rules to be part of any service or sales contract for businesses that support, supply or collaborate with critical-infrastructure organizations. Law firms and managed service providers will be among those facing new regulations before the end of 2023.

Over the long term, the standards developed to protect critical infrastructure will be handed down to all businesses and likely enforced at the Federal level. Those standards are not currently known, but based on FTC Safeguards Rule compliance, they are likely to include end-to-end encryption of all data, regular employee training, penetration testing and restrictions on how and where data can be stored. Some level of certification or accreditation for cybersecurity oversight is also likely. Business owners in some sectors, including banking, mortgages and real estate appraisals, already must file compliance paperwork, as must the third-party vendors who support these businesses. Those requirements will eventually extend to all businesses and will present particular problems for those who develop their own software, apps or websites.

Businesses must begin to prepare now for tighter cybersecurity regulations, which will fall into three categories:

  1. Hardened Infrastructure: All systems will need to be secured and all data will need to be encrypted. Passwords will need to be strong, and two-factor authentication is likely to become mandatory.
  2. Employee Training: Cyber security awareness and anti-phishing training will be required on an annual basis. Employee response testing may be a requirement as well.
  3. Breach Monitoring and Response: Businesses will be required to monitor for data loss and intrusions, and to have written policies to respond to cyber attacks, which will include notification requirements both for law enforcement and customers.

By taking a comprehensive approach to cybersecurity now, businesses will find it easy to pivot to any new mandatory cybersecurity requirements. Businesses that already have some level of security in place may find it helpful to employ a Virtual CISO to review threat readiness and compliance, if only to establish a relationship with a cybersecurity professional in the event that new regulations require one.

Protect Now provides complete cybersecurity training and compliance support for small- and mid-sized businesses, specializing in the real estate, legal, managed hosting and municipal sectors. Our services can be customized to meet your specific needs and to work with legacy systems and decentralized operating environments. Contact us online or call us at 1-800-658-8311 to speak to a cybersecurity professional.

Ransomware Group Posts Sensitive Police Files to Dark Web

A ransomware group known as Vice Society has taken credit for an attack on California’s Bay Area Rapid Transit (BART) police that saw unredacted police reports published on the Dark Web. A review by NBC News found six documents that included information on endangered children, including names and birthdates. Anyone named in a BART police report may be impacted by the leak, which included more than 120,000 documents.

The Dark Web Threat from Ransomware

Risks from ransomware have changed over the last several years. These were once regarded as nuisance attacks on unwary, underprepared victims, who would have their systems and data held for a cryptocurrency “ransom” that would buy a decryption key. Threats to post data on the Dark Web were typically an intimidation tactic aimed at victims who refused to pay the criminals.

Hackers have since evolved their tactics and methodology. Ahead of a ransomware attack, it is now common for hackers to create a duplicate of the target’s data and systems. This allows them to ask for two ransoms: one to decrypt systems, and a second to keep data off the Dark Web. This allows criminals to make twice as much money as they would from a straightforward ransomware attack. Paying the ransom is no guarantee of protection; criminals will post the data online anyway if they believe they can monetize it. Certain types of data, including credit card numbers, Social Security numbers and passwords, will almost certainly be sold by hackers.

The Dark Web Threat Against BART

Reporting on the recent BART hack suggests that only part of the police department’s system was compromised. This is similar to another attack against The Guardian, which saw criminals exfiltrate personal information, including passport data and bank accounts. Those data, which have not yet been published online, were acquired as part of a wide-ranging attack against the media stemming from a phishing attack.

In BART’s case, investigators suggested that criminals published the police reports to the Dark Web as punishment for failing to pay the ransom. The risk remains for The Guardian; once criminals have sensitive data, they are likely to try and make money through future extortion attempts or simply by selling it.

This exposes one of the hidden threats that criminals exploit: Less-secure systems connected to highly secure systems. BART revealed that criminals only breached the system that held police reports, while The Guardian faced a wide-ranging attack that succeeded in exfiltrating a subset of personnel data.

Both cases could point to systems that are partially but not fully secured. In many organizations, there are dedicated systems for functions such as document storage or HR. These systems may have robust front-end protection but lack defenses against an intruder who has already gotten past that front end. In other cases, access to data-use and retrieval systems may be secure, but the data are held in a less-secure environment.

These situations arise when organizations rely on older systems or third-party solutions, which is often necessary. Any integration between systems generates potential cyber risk. Sensitive data are coveted by cyber criminals, who will find any way to access the records themselves, with or without access to systems normally used for data retrieval.

Dark Web Monitoring Reveals Breaches

Regular Dark Web monitoring is the best protection against breaches and ransomware attacks. In some cases, Dark Web chatter can alert an organization to a pending attack. Dark Web monitoring can also reveal a breach, if regular review discovers new or unexpected data circulating or offered for sale.

Every organization that collects and stores sensitive data, which include any non-public records about employees, clients or business operations, should know what is already on the Dark Web and have alerts in case new data are found. Protect Now provides affordable Dark Web monitoring as part of our cyber security suite built for SMBs in the real estate, legal and financial sectors. We also offer Virtual CISO services that can help organizations integrate and secure legacy and third-party systems, as well as cyber security training to prevent phishing attacks. To learn more, contact us online or call us at 1-800-658-8311.

Let’s Be Honest About SMB Cybersecurity Risks

There is a disconnect between the reality of small- and mid-sized business (SMB) cybersecurity risks, the way SMBs think about them and the services that cyber security companies offer. This disconnect is most obvious for law firms and real estate agencies that may have office WiFi, or even a cloud-based server, but that lack central IT and cybersecurity support.

Everyone at the firm or agency has their own laptop. They likely use their own devices for work at home. They use their own phones at all hours of the day to conduct business. If this describes your SMB, then this cybersecurity guidance is for you.

Let’s start by dispelling the biggest SMB cybersecurity myth:

SMBs Face Lower Cybersecurity Risks

You run a small firm or agency. You have no custom code or central client database loaded with credit cards or passwords for criminals to steal. No one would bother to target you.

This is at once true and untrue, and this is the largest source of the disconnect between SMBs and cybersecurity firms. The attacks that make headlines involve the theft of tens of thousands of customer records, or disrupt operations that impact thousands of customers. It is true that the cyber criminals and state-sponsored attackers who commit these crimes are very unlikely to target a single-office law firm or a Main Street real estate agency.

But those crimes are just the tip of the iceberg. The most recent report from the Anti-Phishing Working Group (APWG) documented 1,270,883 phishing attacks in the third quarter of 2022, the third quarter in a row to see a record number of these attacks. The report also revealed that U.S. businesses are the most frequently targeted by ransomware attacks and are nearly five times more likely to report one, accounting for 39% of all attacks reported. England and France tied for the second-most targeted, with 5% of ransomware attacks each.

Legal services accounted for 5% of ransomware attacks in the third quarter of 2022. These attacks happen because the majority of criminals are simply trolling for easy targets. If you have a website, if you have a LinkedIn presence, if you have a social media profile that identifies what you do, you are a target.

IT Providers Protect Online Systems

A firewall is not sufficient cyber security, and even the best protection can fall to a basic phishing attack. Law firms, real estate appraisers, small insurance agencies and real estate professionals are uniquely vulnerable to phishing because employees deal directly with a large number of clients on an irregular schedule. Opening attachments, handling sensitive information and responding to emails are all part of the job. Amid a flood of emails, it is easy to click the wrong link or respond to the wrong address. Criminals know this, and low-level cyber criminals target small firms and agencies looking for vulnerabilities.

Your IT provider may do a good job of keeping your systems running, protected and patched, but they likely do not provide ongoing anti-phishing training and simulated attacks that improve awareness. Without regular training and reinforcement, you are vulnerable to an attack.

Technical cyber security measures also do little to prevent Business Email Compromise (BEC) attacks, where criminals impersonate your employees or clients in an attempt to steal money. Vigilance is the only way to thwart these criminals.

Law Enforcement/Our Insurance Company Will Protect Us

Anyone who has been a victim of a low-level cyber attack will tell you that there is little to nothing that law enforcement can do. Local police, and even state police and the FBI, have little authority to prosecute crimes launched from overseas, outside their jurisdiction. In most cases, they lack the ability or resources to properly investigate low-level cyber crimes. You will be told to pay the ransom or write off the monetary loss. They will collect details on the crime, and some day years from now you may get a tiny fraction of restitution. None of that will get your systems running again or repair the reputational damage a cyber attack can cause.

Insurance may cover your losses, but only if you are in full compliance with the terms of your cyber liability insurance policy. You may be required to have a CISO overseeing your systems, or to provide regular cyber security training to file a claim.

SMBs Have Limited Liability for Cyber Attacks

This situation is changing. From the expansion of the FTC Safeguards Rule, which mandates SMB cybersecurity for any business defined as a “financial institution” by the Federal government, to the suspension of a municipal IT director, to government sanctions against the CEO of Drizly, regulators are placing a far greater burden for strong cyber security on employees and business owners. This situation is similar to the fallout from the Enron scandal, which led Federal regulators to require executives and CPAs to sign off on all financial reports under penalty of fines or prison time if they knowingly misrepresented results.

A similar trend is taking shape around cyber security. Faced with growing complaints from cyber crime victims, the U.S. government is placing the burden of developing and following best practices on the shoulders of business owners, with no exception for SMBs.

Existing Cyber Security Solutions Are Unaffordable

This is the last major disconnect in SMB cybersecurity. The online conversation is driven by big firms that serve big clients, leaving a gap for SMBs that lack full-time CISOs or centralized systems. In some cases, the services offered are incompatible with the way small firms operate. You may not have the ability or employee support to restrict the use of devices, manage all communications through a central source or send the staff off for a week of training.

A cursory search of the options available can be disheartening, especially for SMBs that know they need help but have no idea where to begin. Protect Now exists to fill this gap. We built our business around the cyber security needs of real estate agencies and financial services providers, helping small and mid-sized firms get the training and support they need to conduct business efficiently and safely. We welcome all SMB cybersecurity inquiries and can tailor a program to meet the specific needs of your business. Contact us online or call us at 1-800-658-8311 to speak to a cyber security expert.