Ransomware Continues to Be Top Threat to Small Companies

According to a new report by Datto, Inc. (its third annual Global State of the Channel Ransomware Report), ransomware continues to be the top cyber-attack experienced by small- and medium-sized companies.

Some managed service providers were surveyed in Singapore, the Asia-Pacific region and across the globe. Fifty-five percent of them said their clients had experienced a ransomware attack in the first six months of 2018 and 35 percent said those clients had been attacked multiple times in the same day. Unfortunately, 92 percent of the respondents predict that the number of ransomware attacks will continue at the same or an increased rate in 2019.

The report further states that antivirus software alone is not protecting businesses from these attacks. Eighty-five percent of those surveyed said the affected clients had antivirus protection in place; 65 percent said victims had email and spam filters in place, and 29 percent reported that victims also had pop-up blockers that did not block the ransomware attacks.

How did the ransomware get through these protections? The report states that employees continue to be the downfall, and that employee education is the primary defense. Clients were victims of ransomware attacks due to successful phishing attacks, as well as employees clicking on malicious websites, web ads and clickbait schemes directed at small businesses.

This is more evidence of the importance of educating employees on how to identify phishing attacks, and the risks associated with malicious websites and web ads.

Phishing Attack Causes Breach at Southwest Washington Regional Surgery Center

Phishing attacks continue to hit health care providers and experts say the attacks will become even more frequent in 2019. As previously reported, the largest breach of health care information was recently settled by Anthem, which involved almost 80 million individuals’ information, all caused by a phishing email sent to one individual at Anthem [view related posts here and here].

One employee’s click on one phishing email can compromise large data sets, which emphasizes the need to educate employees and give them tools to recognize phishing emails.

Unfortunately, this is what happened to one employee at Southwest Washington Regional Surgery Center in Vancouver, Washington. According to officials there, hackers launched a phishing scheme and one employee at the surgery center clicked on it. The hackers were in the system from May 27-August 13, 2018, with access to some of the surgery center’s patients’ information, including names, addresses, Social Security numbers, drivers’ license numbers, credit card information, and medical information.

Following the breach, the surgery center updated passwords and enhanced email access protocols, which companies may wish to consider implementing before an incident.

Buy a Beer By Using Your Fingerprint? You Can in Seattle

What’s worse than standing in a huge line to get into the stadium to watch your favorite team? Standing in another huge line to get your favorite beer. CenturyLink Field, home of the Seattle Seahawks and Sounders FC, now offers the option of entering the stadium and purchasing food and beverages using biometrics fingerprint scanning technology. Fans can create an account with Clear® and then they will be able to use that technology to both gain entrance to the stadium and to purchase food and beverages at concession stands.

This latest Internet of Things (IoT) technology application follows the announcement in July that we wrote about here regarding the use of biometrics for entrance into Major League Baseball stadiums. Clear® is the same company that offers iris scanning technology that is in place in more than 35 airports around the country.

New technology, especially IoT tech, presents new privacy challenges and biometrics is no different. Using the technology in a venue such as a large stadium or airport offers the opportunity for a streamlined customer service experience. The challenge is to ensure that biometric data is secured and protected from hackers and other threats. Clear is Safety Act certified and states on their website that they transform biometrics into an encrypted code that matches your fingerprints and irises to your unique code. The Transportation Security Agency (TSA) states on their website that they are committed to protecting the privacy and security of any biometrics data collected as part of their facial recognition/biometrics testing process. See their FAQ in the form of myth busters chart with a side by side comparison of myth v. fact for its use and testing of biometrics technology.

So what does this mean for privacy and security concerns? A good starting point is to learn about the technology and how it works. Biometrics is not limited to fingerprint and iris scanning and can encompass a wide range of options all unique to individuals. Biometrics can also be incorporated into two-factor identification. Using biometrics technology to get through an airport or to buy a beer in a stadium is a certainly a choice, not a requirement. But if you’re in Seattle, you can now use that fingerprint and go grab a beer.

IoT Sensors Collect Real Time Oceanographic Data

The Australian Institute of Marine Science is using an IoT drifter manufactured by Myriota to collect oceanographic data in almost real time. The drifters connect to low Earth orbit (LEO) satellites, so they are not using traditional mobile telephone networks, and avoid connectivity issues.

The drifters monitor ocean conditions, including water temperatures, currents and barometric pressure, all of which are important for weather tracking patterns and safety for the marine industry. The goal is to retrieve this information on an hourly basis.

When developing the IoT drifter, Myriota considered data security since all IoT devices, including marine drifters can be hacked and compromised. According to the CEO, “We had to really work very hard to solve a problem not just of data payload encryption—that’s fairly straightforward—the real challenge is the authentication and privacy aspects of the link so that you can’t, for example, have an attacker getting home metadata attacks on your IoT system.”

IoT devices are in an ecosystem and when they are connected to other devices and networks, a compromise could jeopardize the entire ecosystem. Embedding data security into IoT devices at the manufacturing stage is necessary for the success of the product and the IoT ecosystem.

How Much Data Does Your Car Collect? Here’s a Reminder

People don’t think of their cars as IoT devices. Our cars are increasingly more connected by Wi-Fi, what does that mean for data collection about the driver? Our cars are collecting much more data than you think. [view related posts here and here]. Cars can collect information related to where you’ve been, what you’re listening to and what kind of coffee you drink. From brakes to windshield wipers, most new cars have up to 100 points that generate data. Not to mention, these cars have the power of about 20 personal computers and can process up to 25 gigs of data every hour, with some of that data sent back to the car manufacturer in real-time.

Why does this matter to the consumer? Car manufacturers are turning your data into revenue by reselling blocks of location information to advertisers. Further, car manufacturers hope to provide data received from your car’s onboard cameras and sensors to mapping companies or apps that monitor traffic conditions in the near future as well.

Additionally, the systems in some cars also track whether you are weaving, swerving or harshly braking—this data could one day be sent to your insurance provider, which could impact your premiums—for better or for worse.

The next time you turn your car on, remember that our vehicles are now data hubs collecting all sorts of information about us and our habits.

Test Your Incident Response Team (a/k/a Tabletop Exercises)

I have been conducting a lot of tabletop exercises lately, so it seems timely to mention the concept now for those who many not know what they are or how to get one scheduled for your organization.

What is a tabletop exercise and why is it relevant to your business? I am not sure who originally coined the phrase, but we have been conducting them for over a decade. They are quite informative, and teams at companies find them to be very instructive on how to prepare for and respond to a security incident. I have never walked out of a tabletop exercise without a to do list for me and the incident response team. It’s always a great experience.

If you are thinking about putting one together, there are a couple of things you may wish to consider:

  • Get your incident response team in place first. Know who is on it, what their roles are and have a kick-off meeting to discuss roles and responsibilities before you conduct the tabletop.
  • Bring in an outside consultant to assist—that way the scenarios are unknown to the team and they can’t prepare. This makes the session more genuine, since you can’t prepare for an actual incident and the facts are always different.
  • Include legal counsel in the tabletop as legal counsel serves a crucial role in incident response. Counsel provides advice from start to finish and must be involved—to discuss the importance of what can be included in discovery in the event of litigation following the incident, mistakes that have been made in the past that can be avoided, what laws and regulations are applicable depending on the circumstances, timing of including law enforcement, insurance questions and attorney-client privilege.
  • Use real life scenarios that capture the biggest vulnerabilities of the organization. The whole point of a tabletop is to prepare for the real incident. Try to determine scenarios that are most relevant to the organization’s risks so the preparation is most valuable.
  • Consider a half-day session instead of just an hour. It is very hard to really delve into all of the issues that come up during an incident in a short amount of time. I find that half-day sessions, where the team can grapple with several scenarios is the most effective.
  • Use scenarios that compromise different types of data within the organization and are caused by different threat vectors. The response may be different if it is employee data rather than customer or vendor data.
  • Keep a to-do list throughout the session so at the end of the session everyone on the team knows what their follow-up items are and a timeline for getting them done before the next session.
  • Start with one session. Just start. Then you can schedule additional sessions going forward. Most companies have at least one session annually, but I find that once you complete one session, additional sessions are scheduled for the next year biannually or quarterly as the team finds it so valuable and informative.

Just like testing your back-up plan is essential to respond to a ransomware attack [view related post], testing your incident response team is important to practice for an incident so the team is prepared and everyone understands what their roles and responsibilities are when it happens. As I always say to clients–it is no different than a sports team (say, the Boston Red Sox) practicing before games so they can win the World Series. Companies that practice incident response do much better when the real thing happens.

Radio City Music Hall Welcomes Drones to its Stage this Holiday Season

One-hundred (100) Intel drones will hit the stage this holiday season at Radio City Music Hall to perform with the Rockettes in the production of the Christmas Spectacular. The Intel Shooting Star mini drones will create a light show using choreographed movements to create holiday-themed silhouettes in a new finale scene called “Christmas Lights.” Executive Vice President of Productions for The Madison Square Garden Co., Victoria Parker, said, “We are thrilled to announce that Intel has joined our creative team. Intel’s innovative technology and unique expertise helps propel our ambitious vision into reality with the first-of-its-kind large-scale drone performance in a theatrical setting.”

Intel will perform at approximately 200 shows at Radio City Music Hall beginning this month and ending in January.

Hartford City Council Proposes to Oversee Law Enforcement Use of Drones

In Hartford, Connecticut the police department plans to deploy drones throughout Hartford neighborhoods, however, the Hartford City Council seeks to oversee the use of drones by law enforcement including the type of equipment they use, monitoring of their use and data retention practices. Police Chief David Rosado said, “This ordinance, as currently proposed, would significantly slow our progress in utilizing new technology to enhance public safety. We have and we will continue to work with city council members and other stakeholders as we try to come to a consensus on how best to move forward.”

This proposed ordinance not only affects the use of drones for surveillance, but requires all city agencies to obtain permission for all current and new methods of surveillance, including license plate readers, body cameras, video and audio recording systems, facial and voice recognition software and gunshot detection hardware.

Currently, Hartford police officials estimate that there are at least 30 programs, more than 900 cameras throughout the city and 325 officers with body cameras beginning this year. The Hartford City Council’s ordinance requires the police to seek approval for all existing programs within the next 120 days. The Council will then make a decision on the request within 180 days and if approval is not received, the police must halt their use of the technology.

Hartford’s Mayor, Luke Bronin, said, “We are committed to ensuring that there are appropriate policies in place to protect privacy, and we’ve also heard loud and clear from many residents and neighborhood groups who have urged us to put technology to use.”

The proposed ordinance is currently under review by the city’s attorney, Howard Rifkin.

Privacy Tip #165 – Scammed Through MoneyGram? You Might be Eligible for a Refund

Criminals have been able to get individuals to wire funds to them for years. It is an old scam that still works. One of the companies that have been used by criminals in the past for wire fraud is MoneyGram, which was sued by the Federal Trade Commission (FTC) in 2009 and required to put measures in place to prevent wire fraud.

According to a press release by the FTC and the Department of Justice, MoneyGram has agreed to settle with the DOJ and FTC for $125 million for failing to implement measures to prevent people from being victims of wire fraud. The FTC says that MoneyGram failed to adequately vet their agents, train them to spot fraud, record fraud complaints and monitor for fraud, which led to millions of dollars of fraudulent transfers to go through its system.

In addition to the settlement of $125 million, MoneyGram will put additional measures in place to prevent fraud. The DOJ and FTC will work together to come up with a process of refunding individuals who have been the victim of fraud through MoneyGram.

Takeaways:

  • If you have been the victim of wire fraud through MoneyGram, you may be entitled to a refund—go to ftc.gov/MoneyGram to get more information on the refund process
  • Continue to be cautious about paying anyone through a wire transfer request via telephone or email
  • Independently verify any wire transfer through another means other than email or a cold call

Wire fraud continues to be a money maker for criminals. Be aware of the fraud and protect yourself from being a victim.

French Data Protection Authority Issues Guidance on Interaction of Blockchain Technology with GDPR

Last month, the French data protection authority (the CNIL) issued initial guidance addressing issues that applications utilizing blockchain technology should consider in order to comply with the European General Data Protection Regulation (GDPR).

As recognized by the CNIL, there are certain natural conflicts between GDPR and blockchain technology. A critical feature of the blockchain is its immutability – the fact that once information is entered into the public ledger regarding a transaction, that information cannot be changed or removed from the ledger. The benefits of providing a transparent and permanent public ledger will have to be reconciled with the data subject rights granted by GDPR, including the right to be forgotten and principles of data minimization. Blockchain applications also raise thorny questions about whether participants in the network are acting as data controllers or processors, subject to the GDPR’s requirements. Additionally, how can a worldwide network of computers involved in data processing activities comply with GDPR requirements related to cross-border data transfers outside of the EU? Continue Reading

LexBlog