Ransomware. Email phishing. These are among today’s top cybersecurity threats. Recognized every October, National Cybersecurity Awareness Month began as a collaborative effort between government and private industry groups to spread the word, about some simple steps, to protect yourself from these insidious online threats.
Malware, ransomware and online fraud have been dramatically increasing.
Cyber threats affect everyone, from individuals and private businesses to public-sector organizations and critical service providers like your local utility company and hospital. It’s not just large organizations and the highly-publicized data breaches we keep hearing about in the news, like the major Anthem, Equifax, Yahoo and Facebook breaches. Every time you’re online, there’s a threat of being victimized, sometimes by human bad actors, sometimes by non-humans or bots, sometimes because somebody just wasn’t paying attention and opened something bad. The single biggest cause of data breach is because someone opened something they shouldn’t have. Online threats are real and everywhere. And there are a few steps you can take to avoid the most common pitfalls.
Right now, the laws surrounding cybersecurity, privacy and breach notification here in the U.S. exist on a very patch-work basis across the states, some have more detailed and stringent laws than others. And at the federal level, cybersecurity and data protection have largely been industry-specific regulations, with no single federal data protection law like the General Data Protection Regulation (GDPR) enacted a few months ago in the European Union. California and New York have also recently enacted strong data protection regulations and more states are likely to follow suit. There’s no perfect answer to whether new cybersecurity laws here or abroad will put meaningfully limits the growing number of cyberattacks. But regardless of what legal or technical developments do, or don’t occur, individuals and businesses alike can, and need to, protect themselves from these growing online threats. And if the worst was to happen, it’s important to be prepared to recover from a cyberattack, as quickly and cost-effectively as possible.
Now, more than ever, it’s critical to STOP and THINK, before you CLICK.
The biggest online threats over the past few years continue to be email compromise (typically through phishing attacks) and ransomware attacks. Not only has the number of attacks increased this past year, so has the sophistication of both human and non-human actors, with large-scale phishing attacks available at extremely low cost and ransomware available as a service (Raas), the FBI reporting over 300,000 complaints to its cybercrimes unit this year alone, totaling over $800 million in losses. Congress also reported over 300 billion of losses nationally due to cyber theft just this past year. More than ever, every U.S business and individual with internet access needs to know what you can do to avoid these growing online threats.
Anyone can be a victim of online crime with devastating personal, financial or commercial consequences, from identity theft to stolen personal, health or other confidential information, disruption (and in some instances locking-down) computers or entire network infrastructures. In some instances, requiring expensive breach notifications with business reputations at stake, the single biggest cause of cyberattack is because someone clicked something they shouldn’t have.
While this blog isn’t intended as a definitive answer-all to cybersecurity, there are a few common-sense rules every internet user should keep in mind to avoid the most common pitfalls when online. Take a minute before you open it. Keep security programs and patches up to date. Use encryption, secure password logons and phrases and multi-factor authorization, whenever possible, and change them regularly. Public or shared Wi-Fi should be avoided. For businesses, training everyone in your organization on best practices to protect the privacy and security of your network and customers is not only a great idea, many times it’s a regulatory mandate. Most of these problems occur because of a poor understanding of how computers work or good computer hygiene, not understanding how attacks occur, not knowing or understanding the ethical or regulatory rules, visiting a site that’s infected or opening a link that well, was probably obvious, but someone hadn’t taken a moment to stop and question the source, before opening. All too often, if someone had taken a moment to stop and think, before clicking, the problem could have been avoided.
Email phishing and ransomware attacks have become increasing pervasive problems in many industries with healthcare, technology, financial and government sector organizations among hackers’ favorites. But individuals and small businesses have also increasingly been targeted by ransomware, resulting in a computer being “locked” until the “ransom” is paid. And there’s no guarantee the data will even be there or be uncorrupted, if you do pay the ransom. The FBI recommends not paying the ransom to deter crime.
What would you do if you were hit with ransomware? It’s important to know the answer, and what your legal and ethical obligations are if you have regulated personal, health or other confidential information on your system or devise. (Please visit our earlier Blog, “You’ve Been Hit with Ransomware, Now What? And Do You Have a Duty to Report?) So, whether you’re a small business owner, a large, highly-regulated organization or an individual using a home computer, there’s a lot you can, and should do, to help avoid these costly, pervasive problems.
Recognizing the problem is the most important part of fighting the problem. So, before you open it, STOP & THINK, before you CLICK. Many of these problems can be avoided.
__________________________________________________________________________
This blog is not and is not intended as legal advice. The information provided is a general overview of the topic only and an attorney should be consulted for advice on any specific issues.
The author is legal counsel and chief data protection officer to a number of highly-regulated industry clients and frequently writes and speaks on privacy and data security issues.
If you’d like more information on this topic and what you can do to avoid these ever-growing online threats, we’d be glad to help you design and implement a privacy and information security awareness program at your organization.