Monthly Archives: June 2016

Attorney Confidentiality, Cybersecurity, and the Cloud

Legal

There is a significant degree of confusion and lack of awareness about attorney confidentiality and cybersecurity obligations.  This issue is especially acute when it comes to using the cloud to store privileged documents.  A common myth is that storing privileged documents in the cloud is a breach of attorney-client confidentiality.  In other instances, many attorneys and firms are not paying sufficient attention to their obligation to protect the confidentiality and security of the client data they maintain.

Attorney Ethical Rules in the Digital Age

The general rules of professional conduct are written broadly, without specifically addressing privacy and cybersecurity issues.  Under Rule 1.6 of the ABA Model Rules of Professional Conduct, “a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent.” Lawyers must “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

The application of this rule to digital technologies has been dealt with by resolutions and commentary.  Fairly recently, the ABA published Resolution 109, calling for firms to “develop, implement, and maintain an appropriate cybersecurity program.” And a few years ago, the ABA amended Comment 8 to Model Rule 1.1 (requiring “competent representation to a client”) to state that “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” (The amendment added the phrase “including the benefits and risks associated with relevant technology.”)

Attorney-Client Privilege in the Cloud

Is it ethical for attorneys and law firms to store privileged documents in the cloud?  After all, they are storing such documents on a third party’s computer.


This question has been a widespread concern, enough so that several state bar associations have issued guidance.  Their consistent conclusion is that it is ethical to store privileged documents in the cloud.  For example, according to the Pennsylvania Bar Association Formal Opinion 2011-200: “An attorney may ethically allow client confidential material to be stored in ‘the cloud’ provided the attorney takes reasonable care to assure that (1) all such materials remain confidential, and (2) reasonable safeguards are employed to ensure that the data is protected from breaches, data loss and other risks.”

According to the Florida Bar Association Opinion 12-3, “Cloud computing is permissible as long as the lawyer adequately addresses the potential risks associated with it.” The Massachusetts Bar Association Opinion 12-03 provides that lawyers “may store and synchronize electronic work files containing confidential client information across different platforms and devices using an Internet based storage solution” if they undertake “reasonable efforts to ensure that the provider’s terms of use and data privacy policies, practices and procedures are compatible with the lawyer’s professional obligations, including the obligation to protect confidential client information.”

The New York Bar Association Ethics Opinion 842 concludes that “a lawyer may use an online ‘cloud’ computer data backup system to store client files provided that the lawyer takes reasonable care to ensure that the system is secure and that client confidentiality will be maintained.”

Other state bars have reached similar conclusions.  The ABA maintains a page that tracks what state bars are holding on this issue.  The states marked on the ABA’s map have all issued opinions on the use of the cloud, and all say essentially the same thing: using the cloud is ethical as long as reasonable care is taken.


In many situations, data stored in the Cloud might have stronger security protections than when stored on the attorney or firm’s own network.  This is because some of the best cloud service providers have more sophisticated security practices and more robust technical and other resources to protect the data than a law office or firm.  For example, the Panama Papers breach at Mossack Fonseca occurred on the firm’s network, which had numerous security vulnerabilities.

Attorneys don’t have a blank check to store anything with any third party.  There still are cybersecurity obligations.  According to widespread standards in other industries, there are certain essential practices when selecting and contracting with a cloud service provider.  The Pennsylvania Bar Association guidance notes that “reasonable safeguards” must be used “to ensure that the data is protected from breaches, data loss and other risks.”  What are such reasonable safeguards?  I will discuss that in the part below.

Confidentiality and Cybersecurity Responsibilities

Attorneys and law firms have significant confidentiality and cybersecurity responsibilities.   These typically involve using “reasonable care,” which is a standard grounded in common best practices and norms.  These standards are mentioned in various state bar opinions and guidance, as well as in data security regulation of other industries.

For example, the FTC cases on data security are useful to study to learn about common best practices across a wide array of industries.  The FTC typically enforces standards that are commonly accepted as the norm for reasonable security practices.  I have written about the FTC extensively in my article, The FTC and the New Common Law of Privacy, 114 Columbia Law Review 584 (2014) (with Woodrow Hartzog), and this piece includes a listing of the data security deficiencies that the FTC has identified as problematic.

I have written an earlier post about the cybersecurity risks that law firms face and about how a number of firms and attorneys need to step up their efforts to protect data.

State bars have also provided many useful examples.  Some of these include (1) eliminating metadata when documents are transmitted to adverse parties; (2) taking precautions when using public wireless connections to communicate with clients, such as using firewalls and encryption; (3) backing up data; (4) implementing audit logging to monitor who is accessing data; (5) having a data breach response plan; and (6) having a firewall on the firm or office network.

With regard to using cloud service providers, relevant responsibilities of attorneys include (1) performing due diligence in selecting a cloud service provider; (2) having an appropriate contract in place with the cloud service provider; (3) exercising good security practices on their own network and when accessing data stored in the cloud; and (4) engaging in continued monitoring of the cloud service provider to ensure that the provider is living up to its obligations.

Due Diligence When Selecting a Cloud Service Provider


Due diligence should involve examining whether a cloud service provider has:

  • adequate safeguards in place to maintain accessibility of data in the event of disasters
  • sufficient stability and resources
  • appropriate procedures to comply with a litigation hold
  • appropriate written policies and procedures to protect confidentiality and security
  • appropriate back up
  • appropriate security protections, including employee training, penetration testing, etc.

Appropriate Provisions in Contracts with Cloud Service Providers


Contracts with cloud service providers should require, among other things:

  • Ownership of the data remains with the attorney or firm, not the cloud service provider.
  • Attorneys must have adequate access to the data.
  • Data should be routinely backed up.
  • There should be an enforcement provision if the provider fails to meet its obligations.
  • The cloud service provider should provide reasonable and appropriate security protections.
  • The data is hosted in countries with sufficient legal protections of privacy and security and adequate rules regulating government access.
  • The data is returned in the event of termination of the contract.

Good Data Security Practices

Additionally, attorneys and support personnel have obligations for their own behavior when using cloud service providers such as being trained about data security best practices, use of strong passwords, safe practices when using public Wi-Fi, avoiding falling for phishing scams, and so on.

Ongoing Vigilance of Cloud Service Providers

Finally, attorneys or firms must continue to monitor any cloud service provider they use to ensure that the provider is complying with the agreement and to ensure that the provider is keeping up with new technological developments and protecting against emerging security threats.

The above are not exclusive lists, but are examples of some of the kinds of things that are encompassed by the duty to exercise “reasonable care.”

Conclusion

It is clear that attorneys and firms can use cloud services consistent with their obligations to maintain the confidentiality of client information.  Reasonable care must be exercised in the process, and that involves due diligence when selecting a cloud service provider, having the appropriate contractual provisions in the agreement with the cloud service provider, and continuing to be vigilant about how well the provider is living up to its obligations.

Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School and the founder of TeachPrivacy, a privacy awareness and security training company. He is the author of 10 books and more than 50 articles.  Thanks to Microsoft for its support of this piece.  All views in this piece are my own.

NFL’s Twitter account is sacked by hackers

Looks like the NFL needs to change its Twitter password.

The league’s official Twitter account was hacked Tuesday with a fake tweet saying Commissioner Roger Goodell had died.


A screenshot of a fake tweet saying NFL Commissioner Roger Goodell died.

“We regret to inform our fans that our commissioner, Roger Goodell, has passed away. He was 57. #RIP.”

The NFL responded quicker than a strong side safety blitz, announcing the league’s Twitter account was hacked. NFL spokesman Brian McCarthy, who tweeted to confirm the hacking, added that Goodell “is alive and well.”

The hack is the latest involving big-name Twitter accounts, including those of pop stars Katy Perry and Drake and reality star Kylie Jenner. On Sunday, OurMine, a hacker group with 41,000 followers on Twitter, claimed to have compromised Facebook CEO Mark Zuckerberg’s Twitter, Instagram and LinkedIn accounts. In a tweet, the group bragged about the alleged hacks and invited Zuckerberg to contact the group.

The hacks come after LinkedIn said last month more than 100 million members’ email and password combinations had been posted online. The data was taken during a 2012 data breach.

A separate set of 6.5 million encrypted passwords stolen during that attack had previously been posted.

Although the NFL deleted Tuesday’s bogus tweet, the hacker didn’t stop. In a second tweet, the hacker wrote, “Oi, I said Roger Goodell has died. Don’t delete that tweet.”

In a third tweet the hacker gave up, saying, “OK, OK, you amateur detectives win. Good job.”

The hacker’s tweets have been retweeted thousands of times.
No word if Goodell’s Deflategate nemesis, New England Patriots quarterback Tom Brady, has seen the bogus tweets.

Goodell, who has been commissioner since 2006, later joked about the matter on Twitter.

Over 400 Million Affected in Latest Hacks

Myspace and Tumblr have become the latest victims of a data breach, with records containing over 400 million email addresses, usernames, and passwords surfacing in the last month.

Myspace Breach

Chances are, you have forgotten all about that Myspace account and your friend Tom that you had back in the early 2000s. However, that account may come back to haunt you as Myspace has fallen victim to possibly the largest data breach to date. According to the hack-tracking site LeakedSource, over 360 million user records were stolen by a hacker that goes by the name of “Peace.”

“Email addresses, Myspace usernames, and Myspace passwords for the affected Myspace accounts created prior to June 11, 2013, on the old Myspace platform are at risk,” Myspace announced in a blog about the hack. For those of you who have created an account since June 2013, your account is currently unaffected. Myspace says it has increased its security significantly, specifically by using “double salted hashes,” which makes it much harder to crack passwords even if they have been breached.
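As an added illustration (not part of the original post), the following Python shows why a per-user salt changes the economics of cracking a leaked password table. The user names, passwords, wordlist and the choice of PBKDF2 are constructed assumptions of mine; the page does not describe the exact scheme Myspace adopted, and this example uses a single random salt per user with a standard key-derivation function rather than trying to reproduce Myspace’s “double salted” design.

```python
# Added example (not from the original post): unsalted hashes versus
# per-user salted, iterated hashes once the user table has leaked.
# Users, passwords and the wordlist are constructed for illustration.
import hashlib
import hmac
import os

# Constructed leaked user table; alice and bob share a password.
LEAKED_USERS = {
    "alice": "summer2013",
    "bob": "summer2013",
    "carol": "Tr0ub4dor&3",
}

# Constructed attacker wordlist; a real one has hundreds of millions of entries.
WORDLIST = ["password", "123456", "summer2013", "letmein", "qwerty"]


def store_unsalted(passwords):
    """Old-style storage, hash(password) only: identical passwords give identical hashes."""
    return {user: hashlib.sha1(pw.encode()).hexdigest() for user, pw in passwords.items()}


def store_salted(passwords, iterations=100_000):
    """Per-user random salt + PBKDF2-HMAC-SHA256 (assumed scheme, one salt per user)."""
    table = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        table[user] = (salt, iterations, digest)
    return table


def crack_unsalted(table, wordlist):
    """One hash per wordlist entry cracks every user who chose that word, in a single pass.
    Returns (cracked users, number of hash computations)."""
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    found = {user: lookup[h] for user, h in table.items() if h in lookup}
    return found, len(lookup)


def crack_salted(table, wordlist):
    """Each (user, word) pair needs its own slow KDF call: cost scales with users * words.
    Returns (cracked users, number of KDF computations)."""
    found, kdf_calls = {}, 0
    for user, (salt, iterations, digest) in table.items():
        for w in wordlist:
            kdf_calls += 1
            guess = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations)
            if hmac.compare_digest(guess, digest):
                found[user] = w
                break
    return found, kdf_calls


if __name__ == "__main__":
    unsalted = store_unsalted(LEAKED_USERS)
    print("alice and bob hashes identical:", unsalted["alice"] == unsalted["bob"])
    print("unsalted:", crack_unsalted(unsalted, WORDLIST))
    print("salted:  ", crack_salted(store_salted(LEAKED_USERS), WORDLIST))
```

With the unsalted table the attacker hashes each wordlist entry once and matches it against every user at the same time; with the salted table every guess must be recomputed per user, and the iteration count makes each of those recomputations deliberately slow. Neither scheme protects a user whose password is in the wordlist, which is why the advice below about unique passwords still applies.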

Tumblr Breach

Apparently, “Peace” was a very busy hacker in 2013. The anonymous cybercriminal is responsible for the data breaches of LinkedIn, Myspace and now Tumblr. LinkedIn and Myspace could go down as the largest data breaches in history with records surpassing 100 million and 360 million respectively.

What is Tumblr? Tumblr lets you effortlessly share anything. Post texts, photos, quotes, links, music and videos from your browser, phone, desktop, email or wherever you happen to be. It is a cross between a social networking site and a blog. Often described as a ‘microblog’, Tumblr currently hosts over 217 million separate blogs with 420 million users and was purchased in 2013 by Yahoo for $1.1 billion.

On May 12th, Tumblr revealed that it had just discovered a 2013 breach of user email addresses and passwords. Troy Hunt, a security researcher at Have I Been Pwned, recently obtained a copy of the stolen data set which includes over 65 million unique email addresses and passwords.

The breaches of LinkedIn, Myspace and Tumblr are being called ‘mega breaches’ and, coincidentally, have all surfaced in the last couple of weeks. Could this be a trend, and how many more ‘mega breaches’ could we see in the near future?

“If this is indeed a trend, where does it end? What more is in store that we haven’t already seen?” Hunt wrote. “…how many more are there in the ‘mega breach’ category that are simply sitting there in the clutches of various unknown parties?”

How Serious Is This?

While it’s extremely unlikely that anyone wants to hack into your dormant Myspace page or Tumblr account, cybercriminals who obtain your email addresses, usernames or passwords will try them against other accounts, such as your bank accounts (a technique known as credential stuffing). It’s as important as ever to use a different, strong password for each online account. While this may be a pain, it’s worth doing and might save you a lot of hassle in the long run.

5 cyber security mistakes that might make you vulnerable to hackers

Very few of us fall for the old Nigerian prince email scam these days, and even fewer will click on a pop-up ad inviting us to “win $1 million” by playing a simple game. We’ve come a long way in terms of learning the do’s and don’ts of cyber security, but that doesn’t mean our days of online vulnerability are completely behind us.

Over 6 million internet users were attacked by malware in 2015. As we become savvier to the tricks they’ve pulled in the past, hackers begin to up their game by catching us where we least expect it. Although we’d like to assume that all of those users who were attacked in 2015 were prime targets, or perhaps people who are a bit less tech savvy than the rest of us, the fact is that many of them were normal internet browsers like you and me who actually know a thing or two about online safety.

There are additional risks these days, and even some of the tech-savviest internet users create cyber security risks without knowing it. To help avoid online attacks, here is a list of some of the top cyber security mistakes internet users are making in 2016.

1. Storing passwords in a browser

According to a recent survey, 59 percent of millennials store passwords in their browsers on a regular basis. It may be convenient to easily access your most-used accounts without typing in a username and password each time, but it also puts you at serious risk for an online attack.

The first step in keeping your passwords safe is to create a strong password that uses numbers, symbols, and both capital and lower case letters. You’ll also want to use a different password for each site. Once you’ve got a solid password for each of your online accounts, avoid storing them in your browser! If you’re like me and tend to forget things easily, try using a password manager such as KeePass, LastPass, Dashlane, 1Password or RoboForm to keep track of your logins.

2. Purchasing locked devices

Prices for phones, laptops, and tablets can be high these days. The good news is that the market for selling used electronics online is getting bigger and more accessible. The bad news is that scammers use this second-hand marketplace to sell devices the buyer cannot actually use: phones still locked to a carrier, or still tied to the previous owner’s account.

If you’re looking into purchasing a used device online, make sure it is unlocked before you pay. The process for checking differs between iOS and Android devices.

For iOS devices, you’ll also need to ensure that the former owner’s iCloud account has been removed from the device, because Apple’s Activation Lock ties the device to that account. If it hasn’t, have the seller sign out of iCloud and turn off Find My iPhone before the sale; otherwise the previous owner can remotely lock the phone at any time.

3. Connecting to unencrypted Wi-Fi networks

The ability to hop onto free Wi-Fi at your local coffee shop or the university library sure does make working on projects or simply browsing much easier on the go. The problem is, hackers are starting to take advantage of society’s reliance upon public Wi-Fi connections.

Do your best to avoid Wi-Fi connections that don’t have password protection when you’re out and about. Checking for the password of the official Wi-Fi at your location of choice will also help you avoid logging into a network set up by hackers looking to view your online activity.

To be extra secure on public Wi-Fi, stick to HTTPS sites while you’re browsing and look into using a virtual private network. It’s also best to avoid installing new software while using a public Wi-Fi network.

4. Ignoring security software updates

We’re all guilty of dismissing software update notifications when they pop up on our screens. Although taking a few minutes to update your operating system, browser and security software may seem like a burden in the middle of a big project, it will be worth your while when it prevents an attacker from exploiting an already-patched flaw to install malware on your device.

Be sure to install security software updates each time you receive a notification. If you’re connected to a public Wi-Fi network or really don’t have the time to do it when the notification pops up, set a reminder to install the new software later. The longer your device runs without up-to-speed security software, the more vulnerable you become to cyber security breaches.

5. Clicking on links in emails

Most of us receive emails from banks, utility companies, and other organizations with links to view account activity online. Although these are typically from a trusted source, you can never be too sure. A well-written email from a seemingly credible source could send you a link that installs malware on your device when clicked.

Next time you receive a link in an email, leave your email client and navigate to the site yourself in your browser rather than clicking. For example, even if the link appears to go to your bank, it’s best to type the bank’s address or use a saved bookmark and log in through that trusted route.

Have you been making any of these common cyber security errors? If so, it’s about time to take action and implement the provided tips to protect yourself from online attacks.

Share your experiences in the comment section.

93% of phishing emails are now ransomware

As of the end of March, 93 percent of all phishing emails contained encryption ransomware, according to a report released today by PhishMe.

That was up from 56 percent in December, and less than 10 percent every other month of last year.

And the number of phishing emails hit 6.3 million in the first quarter of this year, a 789 percent increase over the last quarter of 2015.

The anti-phishing vendor also counted the number of different variants of phishing emails that it saw. Ransomware accounted for 51 percent of all variants in March, up from just 29 percent in February and 15 percent in January.

The skyrocketing growth is due to the fact that ransomware is getting easier and easier to send and that it offers a quick and easy return on investment.

Other types of cyberattacks typically take more work to monetize. Stolen credit card numbers have to be sold and used before the cards are canceled, for example. Identity theft takes even more of a time commitment.

With ransomware, however, victims tend to pay quickly. Instead of hunting through company networks for valuable data, exfiltrating it, processing it, and monetizing it, ransomware criminals can just sit back and watch the money flow in.

“If you look at the price point of paying the ransom, it is rarely more than 1 or 2 Bitcoin, that’s $400 to $800, maybe $1,000 depending on the exchange rate,” said Brendan Griffin, Threat Intelligence Manager at PhishMe. “That’s a relatively low price point for a small to medium business.”

The amount is low enough that it’s often easier for victims to pay up than to struggle to recover the data by other means.

And the new, easy-to-use ransomware tools and services are not just attracting criminals who would previously run other kinds of scams, but also bringing new players into the business, he said.

Locky and TeslaCrypt, two common varieties of ransomware, have seen significant growth, but not all types of ransomware fared as well. CryptoWall, for example, seems to have fallen out of favor, PhishMe reported. In October and November of last year, CryptoWall accounted for 90 percent of encryption ransomware samples. In March, nearly 75 percent of all samples were Locky.

Soft targeting

In addition to the spike in the number of ransomware emails, one variant that’s seeing increasing popularity is the “soft targeted” phishing message.

It sits somewhere between a business email compromise (BEC) or spearphishing attack, which targets one specific executive, and the general-purpose spam email that goes out to everybody.

The soft targeted phishing email targets people in a particular job category, but may include some customization, such as the name of the recipient in the salutation.

“This has been a creeping trend for a while now,” said Griffin.

For example, a popular type of phishing email is the resume email, which supposedly has a resume from a job applicant in the attachment.

Recipients who don’t work in human resources or other jobs where they hire people would either ignore it, or forward it on to the appropriate person at the company. Other job functions can be targeted as well.

“For example, our vice president of finance received a message that said it was an important message for the vice president of finance, and had his name in the first line,” said Griffin.

Other common types of soft targeted phishing emails are billing, shipping and invoice-related messages.

According to Griffin, soft targeting increases the likelihood that someone will fall for a phishing email.

If you don’t know the person sending you the email, take extra precautions.

How to Ensure Your Social Profiles Will Never Get Hacked

Getting hacked can cause an unlimited number of problems for you and your reputation. The last thing you need is to see your profiles fall into the hands of someone else. The key is not to act when it happens but to act before it happens. This guide is going to show you everything you need to know about preventing your social profiles from getting hacked.

The Password Issue

To begin with, you need to make sure that you are crafting the right passwords. A weak password is the front door into your social media accounts. Many hackers use brute force, which is simply guessing your password: automated software tries different combinations, typically starting with common passwords and dictionary words, until it finds one that works.

The defense is a long password that mixes upper and lower case letters, numbers and symbols, is not a dictionary word or a common pattern, and is not reused on any other site. Change it promptly whenever you suspect it has been exposed. Just make sure that you don’t come up with a password that you yourself can’t remember.

When storing your passwords, you should make sure you have adequate storage methods. Don’t keep them in a place online or offline where they can be immediately accessed.

The key here is to share your passwords with the smallest number of people possible. They should be kept on a strictly need to know basis.

Sign-In Technology

You may not have heard of sign-in technology before. It refers to tools that let employees access your social media accounts without ever learning the password: the employee clicks a sign-in button and the software fills in or brokers the login for the account in question.

Access to this tooling can be restricted to certain company computers, and it keeps the credentials themselves centralized. That means you always have one or two people who take full responsibility for the company’s passwords.

It doesn’t cost a lot to utilize this technology. There are many software bundles that will provide free services like this. It only takes a few minutes to install this technology on your computer.

The Most Common Path – The Email Hack

Despite the fact that spam filters have become more proficient than ever before, hackers still use emails to capture people’s information. As soon as you click on the offending link, you are redirected to a page that looks remarkably similar to the genuine one. Once you enter your information, the hacker captures it. They may even attempt to install spyware on your computer.

The emails that reach your inbox will contain links that you have to click on; usually in relation to a compromised account.

So how do you know whether something is genuine?

There are two ways to do this. First, hover the mouse over the link: the browser’s status bar (usually at the bottom of the window) shows the full destination address. Look closely at the domain name; a phishing link typically differs from the genuine one by a subtle change, such as an extra word, a misspelling, or the real brand name appearing only as a subdomain of some other domain. But the best way to check whether an email is genuine is to access the relevant website manually, the way you normally would.

One other option that sidesteps the problem is to use a platform like Sprout Social or HootSuite to manage your social media accounts through a third party. Because staff log in to the management platform rather than to each network, they never handle (and so cannot be phished for) the accounts’ own passwords, although the underlying accounts still need strong, unique passwords of their own.
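The hover-and-inspect check described above (and the advice about email links in the earlier “5 cyber security mistakes” item) can be automated for an HTML email. The following Python is an added example, not part of either original article; the sample message, the hypothetical trusted-domain list and the domain names in it are constructed for illustration, and the registered-domain rule is deliberately simplified.

```python
# Added example (not from the original articles): extract every link from an
# HTML email and apply the same checks a careful reader makes on hover.
# The sample email and the trusted-domain list are constructed assumptions.
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com", "twitter.com"}  # hypothetical allow-list

# Constructed phishing-style message: two lures, two legitimate links.
SAMPLE_EMAIL = """
<p>Your account was locked. Please
<a href="http://examplebank.com.security-check.io/login">sign in at https://examplebank.com</a>
to restore access.</p>
<p>Or use <a href="http://203.0.113.7/verify">our secure portal</a>.</p>
<p>Questions? Visit <a href="https://examplebank.com/help">examplebank.com/help</a>.</p>
<p>Follow us on <a href="https://twitter.com/examplebank">Twitter</a>.</p>
"""

# A domain-looking token in the visible link text, e.g. "examplebank.com" in "examplebank.com/help".
DOMAIN_IN_TEXT = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude last-two-labels rule; a production tool should use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Returns the reasons a link looks suspicious; an empty list means it passed."""
    reasons = []
    host = urlparse(href).hostname or ""
    if not host:
        return ["no hostname in href"]
    if is_ip_literal(host):
        reasons.append("destination is a bare IP address")
    dest = registered_domain(host)
    # If the visible text names a domain, it must match where the link really goes.
    match = DOMAIN_IN_TEXT.search(text)
    shown = match.group(1).lower() if match else ""
    if shown and registered_domain(shown) != dest:
        reasons.append(f"text shows {shown} but link goes to {host}")
    # A trusted brand name buried inside some other registered domain is a classic lure.
    if dest not in trusted and any(t in host.lower() and t != dest for t in trusted):
        reasons.append(f"trusted name used inside untrusted domain {dest}")
    return reasons


def suspicious_links(html):
    """Map each flagged href in the message to its list of reasons."""
    collector = LinkCollector()
    collector.feed(html)
    report = {}
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            report[href] = reasons
    return report


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons))
```

Run against the constructed message, the first link is flagged twice (the text advertises examplebank.com but the host is under security-check.io, and the bank’s name is only a subdomain there) and the second once (bare IP destination), while the two genuine links pass. The checks are heuristics, not proof of safety: a link that passes them can still lead to a malicious page, which is why navigating to the site yourself remains the stronger habit.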

Your Computer’s Security Arrangements

You can have the strongest password in the world. None of that is going to matter if your computer or network is vulnerable to attack, though. There are hackers who can install software on your computer that can allow them to take control of it remotely.

Then they can use things like sign-in technology against you because they can click the buttons without your input. Install the best anti-virus system you can, update it regularly, and be willing to pay for the best. This is not an area where you should compromise.

How will you protect your social media accounts from hackers today?

This article was written by Abdullahi Muhammed from Business2Community and was legally licensed through the NewsCred publisher network.

How to Protect Personally Identifiable Information from Ransomware Attacks

Personally Identifiable Information (PII) is defined as any information that can be used on its own or combined with other information to identify, contact or locate an individual. This can include information maintained by an agency that could be used to discover or trace an individual’s identity. Some examples of PII include your full name, date and place of birth, Social Security number, mother’s maiden name, or biometric records. PII also includes information that can be linked to an individual such as medical, educational, financial or employment information.

Why do Cybercriminals Want my PII?

Cybercriminals are making a great deal of money by selling your PII on the dark web, and those who purchase the data use it for identity theft. Your PII can be used to file false tax returns, open lines of credit or make fraudulent purchases under your name.  These are just a few examples of what cybercriminals can do with your PII. The price for pieces of your PII has come down significantly over the last two years: in late 2015 Trend Micro reported that the price for PII had dropped from $4 to $1 per record. Supply and demand economics are at work in the criminal world, too.

 “There’s actually a big surplus of PII currently available in the cybercriminal underground. This has caused its price to drop significantly, from $4 last year to $1 this year,” the study found. – Trend Micro

It doesn’t seem like cybercriminals are making a lot of money at $1 per record when you are considering just your own PII.  However, cybercriminals are infiltrating large companies like Anthem and stealing millions of records at a time. Millions of records stolen at even $1 a record is a large sum of money. Cybercriminals can make more money selling PII from one major breach than you have probably earned in your lifetime.  Not too bad for a day’s work.

Credit Cards, EBay Accounts – Going Once, Going Twice, SOLD !

Credit card numbers, eBay accounts, and mobile phone accounts are also being sold on the dark web for a significant profit for cybercriminals. Login credentials for bank accounts are going for $200 to $500 per account. The larger the available balance of a bank account, the more money a cybercriminal can demand for it. Mobile phone accounts are selling for $14 per account and PayPal and eBay accounts can go for $300 each.

What is interesting about Trend Micro’s report “Dissecting Data Breaches and Debunking the Myths” is its finding that the main cause of data breaches is not hacking at all but user behavior: 41% of data breaches were the result of a user losing a device or having it stolen, while 25% were due to hacking and malware.

It’s important that companies scrutinize and secure the sensitive information that is stored on their employee’s devices like mobile phones, laptops, and flash drives. If any of these devices are lost or stolen, they become an easy way to steal data.

Doesn’t Ransomware Only Encrypt Data?

It is true that so far ransomware variants have encrypted data and held it ransom. Having PII stolen in a ransomware attack has not happened yet, but I believe that is the next evolution of ransomware.  Once the cybercriminals have copied your data offsite, they can demand a ransom over and over again.

I believe the next variant of ransomware will encrypt your data locally and in addition, will use exfiltration to copy your data offsite and hold it for ransom. If cybercriminals get your PII, they can collect the ransom from you to decrypt the data and further profit from selling the PII on the dark web.

How Can I Protect my PII?

There are a number of things you can do today to protect your PII. I recommend all businesses who collect and store customer PII to read the DHS guidelines for dealing with PII.

Thoroughly Inspect All Emails Received

Ransomware attacks are primarily delivered through email campaigns where the cybercriminals spoof a fax delivery, bank statement or utility bill.  Clicking on the link or attachment starts the crypto ransomware infection, and the end user doesn’t even know they are infected until after the ransomware has encrypted their data. Only after the data is encrypted do you get at least two pop-up messages with the ransom demand.

Encrypt Data on Devices

Do not transport any data that contains PII unless that device has been encrypted. Do not remove sensitive PII from the workplace unless instructed by a manager. Never leave sensitive PII in hard copy unattended and unsecured.

Use Two-Factor Authentication

Two-Factor Authentication is an excellent security mechanism that adds another layer on top of the strong passwords you already use. With Two-Factor Authentication, a user must not only provide their password (something the user knows) but also a second factor from a different category: something the user possesses, such as a phone or hardware token, or something inherent to the user, such as a fingerprint. For example, you might use an app like Google Authenticator.  After supplying your account password, you are prompted for a six-digit code displayed by the authenticator app. The app derives a new code every 30 seconds from a secret shared with the service at enrollment and the current time, so a stolen password alone is not enough to log in.

Good luck and stay safe out there with your “Private Information”!