GDPR — Large Fines — Larger Confusion?

This May marked the one-year anniversary of the EU’s General Data Protection Regulation (GDPR), perhaps the strictest set of privacy laws to date. The regulation includes landmark consumer rights when it comes to data privacy, including the right of access, broadened consent requirements, and the right to be forgotten. Since going into effect, the GDPR has caused a huge debate among business and cybersecurity experts. While some herald it as a new dawn for consumer privacy, others consider it too big a burden for businesses.

So, one year in, how have things played out so far?  

Breach Notification 

Before the GDPR, the EU had no overarching law requiring companies to report data breaches; it was up to individual member states to enact such laws. Since the GDPR, which requires notifiable breaches to be reported to the supervisory authority within 72 hours, things have changed. According to the DLA Piper GDPR Data Breach Survey, nearly 60,000 breaches were reported between May 2018 and February 2019. These ranged from minor, such as emails sent to the wrong person, to massive data dumps affecting millions of people.

Fines Imposed

The DLA Piper report also shows that 91 fines were imposed under the GDPR. According to the European Data Protection Board, combined fines totaled €55,955,871. However, this number can be misleading: most of that total is the €50 million fine that France’s CNIL imposed on Google this January.

Since those reports, however, there have been a number of even larger fines. Just this month, the UK’s ICO proposed a £183.39m fine against British Airways and a £99.2m fine against Marriott International for past data breaches.

Business Still Confused

At the same time, businesses (primarily mid-size companies) that want to comply but don’t have the resources of the large firms are having a difficult time keeping up with the regulation and mapping out the right procedures to stay compliant. Just today, MSN published an article about a researcher who, using the GDPR’s right of access, convinced one in four companies to hand over data on his fiancée (with her permission), showing that GDPR compliance attempts can lead to breaches in and of themselves. The lesson for anyone handling access requests is to verify the requester’s identity before releasing any data.

Takeaway

This year has shown that, when it comes to consumer privacy, regulators are taking their role seriously and businesses are uneven in their ability to comply. But it’s still early days. French regulator Mathias Moulin emphasized in February that this “should be considered a transition year,” as lawmakers continue to nail down certain details of the new law and tie up loose ends.

While it seems the number of breaches reported and fines imposed will continue to increase, one of the big questions in the coming years will be exactly how effective these fines are in changing the culture around data privacy. Time will tell.

Cyber Criminal Minds

Nigerian prince email scams, also called 419 scams after the section of the Nigerian criminal code that covers fraud, are some of the oldest forms of cyber-attack around. It’s easy to think they’re old news, now more the punchline of a joke than something that could actually happen. But the truth is, these scams continue to be highly successful. In fact, Americans lost $703,000 to them in 2018.

How they work

The most famous examples usually involve a too-good-to-be-true investment opportunity or an urgent plea to help get money out of the country in exchange for a share of the sum. However, as people caught on, the scenarios the scammers use began to change.

But in whatever form, 419 scams generally follow a specific format. It starts when the victim receives an email (or, more recently, a text message) out of the blue. The scammers quickly try to build the victim’s trust, sometimes using official-looking documentation or even impersonating someone the victim knows, with the goal of getting the victim to pay “fees” up front or to disclose bank account numbers and other personal information that the scammers can then use to drain the account or commit further fraud.

The Better Business Bureau highlights a few of the most common forms these scams take today:

Beneficiary of a will

In this case, the victim receives an email claiming they have been named the beneficiary of a long-lost relative who left them a large sum of money or valuable property. The email requests personal information to confirm the victim’s identity and, of course, bank account details so the funds can be transferred.

Fake cashier’s checks – targeting online sellers

In this variation, a person selling something online is contacted by a supposed buyer. The scammer then “accidentally” sends a counterfeit cashier’s check or money order for far more than the agreed price and asks the seller to wire back the difference. Often the scammer claims to need the money back urgently, so that the seller sends it before the bank discovers the check is fake. This works because banks commonly make funds available before a check has actually cleared, and the seller is left owing the money when it bounces.

Donation solicitations

Lastly, this scam involves a request for a donation to help fight a corrupt government or violent criminal group. The email stresses how urgent the need is and asks for a money transfer so help can arrive sooner.

Why they’re so successful 

Given how widely known this type of scam is, it’s a bit of a wonder that people continue to fall for it. But beyond the changed scenarios, there are a couple of good reasons they continue to work. After all, they wouldn’t be so common if they weren’t successful.

Scammers are highly organized

We often picture scammers as loners hunched over a computer in a dark room. But when it comes to 419 scams, entire organized crime rings are devoted to carrying out these attacks. A 2019 CrowdStrike report breaks down how they are structured. At the top, a crime boss directs a team of “spammers, catchers, and freelancers” who carry out different parts of the attack: “Spammers acquire email lists and operate advanced mail systems. The catchers monitor the responses to the spam campaigns and make first contact with victims... in order to advance the scam. Freelancers perform additional duties such as acquiring and developing infrastructure and creating fake documents.”

They exploit social vulnerabilities

Instead of looking for technical vulnerabilities through which to plant malware, these scams focus on our social vulnerabilities. Simply put, they look for ways to play on our emotions.

In some cases, they’ll try to prey on our greed. In other cases, they try to make us feel like a hero. As social psychologist Dr. Frank McAndrew explains, “we get the opportunity to feel good about ourselves by helping another person in need... After all, what could be more noble than helping an orphan in need or helping some poor soul recover money that rightfully belongs to them in the first place?”

They start small

Another reason these scams work is that they start with small requests. Often the scammer won’t ask for much at first, but over time will claim to need more and more. There are psychological reasons this is so effective. In an article for Psychology Today, McAndrew writes, “Changing course is cognitively difficult because not only is it an admission of a bad decision, it also means giving up any hope of recouping our losses.”

 

Even if it’s not from a Nigerian prince, reports show that email scams are on the rise. Not only can they lead to financial loss, they can also expose sensitive information about you and your company. That’s why it’s important to learn to identify these scams in all their forms and to be extra cautious about anyone, even someone you know, asking you to send money or personal information over email. Verify such requests out of band, for example by calling the person at a number you already have rather than one given in the email. Taking the extra time to confirm what’s really going on could be what saves you from getting tricked.

Taking Control of Your Controls

Cybersecurity can be a big problem for small businesses. A report by the Ponemon Institute shows that the share of small and medium-sized businesses that experienced a cyber-attack in 2018 rose to 67%, and only 28% say they can effectively mitigate these threats. So, while small businesses are particularly vulnerable to attack, they often lack the training and resources to implement the type of security program they need.

However, there are a number of cost-effective steps small businesses can and should take that greatly increase their security. The Center for Internet Security (CIS) offers a regularly updated list of security controls that a business of any size can implement. The CIS Controls are a set of 20 recommended cybersecurity actions put together by a broad range of government and industry experts. The controls are grouped by importance to help organizations prioritize a smaller number of highly effective actions.

Not all controls are right for all business

One advantage of the CIS Controls is that they can be tailored to your organization’s needs and resources. To help with this, the CIS released a guide that identifies the controls most important for small businesses and that can be implemented at little to no cost. Here is an outline of its recommendations:

Know Your Environment  

In order to properly implement a cybersecurity program, the first thing you need to do is know what you need to secure. It is therefore essential to understand three basic things: the value of the data you hold, what devices are connected to your network, and what software runs on your systems. Conducting an inventory of your data and software, alongside regular scans for devices on your network, will go a long way toward preventing attacks. The point of the scan is to compare what is actually on the network with what you think is there; a device you didn’t know about is one you are not patching or monitoring.
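The reconciliation just described, as an added example (this is illustration code written for this article, not a tool from the CIS guide): it compares a network scan against an approved asset list and reports devices that are unknown, devices that have moved to a new IP, and inventoried devices that did not answer. Both inputs are constructed sample data; the scan format assumed is the “IP, tab, MAC, tab, vendor” lines that arp-scan prints, so adjust the parser if your scanner’s output differs.

```python
"""Reconcile a network scan against an approved asset inventory.

Added example for the "know your environment" step; not code from the CIS guide.
Both inputs are constructed sample data. The scan format assumed is the
"IP<TAB>MAC<TAB>vendor" lines that arp-scan prints; adjust parse_scan() if you
feed it another scanner's output.
"""
import csv
import io
import re
from typing import Dict, List, Tuple

# Constructed sample inventory (assumed CSV columns: mac, ip, owner, description).
INVENTORY_CSV = """mac,ip,owner,description
aa:bb:cc:00:00:01,192.168.1.1,IT,office router
aa:bb:cc:00:00:10,192.168.1.10,Finance,accounting desktop
aa:bb:cc:00:00:11,192.168.1.11,Sales,laptop (alice)
aa:bb:cc:00:00:20,192.168.1.20,IT,file server
"""

# Constructed sample scan. Lines without a MAC (banner, summary) are ignored,
# and one known MAC is deliberately upper-case and on an unexpected IP.
SCAN_OUTPUT = """Interface: eth0, type: EN10MB, MAC: 00:11:22:33:44:55, IPv4: 192.168.1.5
192.168.1.1\taa:bb:cc:00:00:01\tRouterCo
192.168.1.37\tde:ad:be:ef:00:01\tEspressif Inc.
192.168.1.44\tde:ad:be:ef:00:02\t(Unknown)
192.168.1.52\tAA:BB:CC:00:00:10\tDell Inc.
4 packets received by filter, 0 packets dropped by kernel
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Lower-case and colon-separate a MAC so OS/scanner variants compare equal."""
    return mac.strip().lower().replace("-", ":")


def load_inventory(text: str) -> Dict[str, dict]:
    """Map normalized MAC -> inventory row."""
    return {normalize_mac(row["mac"]): row for row in csv.DictReader(io.StringIO(text))}


def parse_scan(text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, mac, vendor) for every scan line that carries a valid MAC."""
    hosts = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 2:
            continue  # banner / summary line, no MAC column
        mac = normalize_mac(parts[1])
        if not MAC_RE.match(mac):
            continue
        vendor = parts[2].strip() if len(parts) > 2 else ""
        hosts.append((parts[0].strip(), mac, vendor))
    return hosts


def reconcile(inventory: Dict[str, dict], hosts: List[Tuple[str, str, str]]) -> dict:
    """Split the scan into unknown devices, known devices on a new IP, and
    inventoried devices that did not answer (possibly off, possibly gone)."""
    seen = set()
    unknown, moved = [], []
    for ip, mac, vendor in hosts:
        row = inventory.get(mac)
        if row is None:
            unknown.append((ip, mac, vendor))
            continue
        seen.add(mac)
        if row["ip"] != ip:
            moved.append((mac, row["ip"], ip))
    missing = [row["description"] for mac, row in inventory.items() if mac not in seen]
    return {"unknown": unknown, "moved": moved, "missing": missing}


def run_report() -> dict:
    return reconcile(load_inventory(INVENTORY_CSV), parse_scan(SCAN_OUTPUT))


if __name__ == "__main__":
    report = run_report()
    for ip, mac, vendor in report["unknown"]:
        print(f"UNKNOWN  {ip:<15} {mac}  {vendor}")
    for mac, old, new in report["moved"]:
        print(f"MOVED    {mac} {old} -> {new}")
    for desc in report["missing"]:
        print(f"MISSING  {desc}")
```

Run it on a schedule and treat every UNKNOWN line as a ticket: either add the device to the inventory with an owner, or take it off the network. Keep in mind that a MAC address is easy to spoof, so this check catches the accidental and the careless, not a determined intruder.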

Protect Your Assets 

The CIS outlines two approaches small businesses should take to protect their assets. The focus is not just on implementing technical security measures, but also on training employees so they don’t accidentally damage your systems.

The first step is to secure technical baselines. Attacks often exploit weaknesses in applications running on your systems, so it’s important to ensure all operating systems and applications are updated with the latest security patches and are securely configured (the CIS publishes free configuration benchmarks for common operating systems and applications). The CIS also recommends using anti-malware software to regularly scan your environment. Most systems include built-in anti-virus software, but there are also plenty of low-cost alternatives available.

When it comes to educating your employees, the first step is to train the entire staff to identify phishing schemes and phone-call attacks. These can target employees at any level of an organization, so it’s essential everyone is properly trained. You will also want to implement more targeted training by identifying users with access to sensitive information and educating them on proper cybersecurity behaviors.

Prepare Your Organization 

The last step the CIS recommends all small businesses take is to prepare for the possibility of a cyber-attack or data breach. While the idea is to prevent these from happening in the first place, it’s important to have systems in place should the unexpected occur.

To mitigate the damage of data loss, the CIS recommends performing automated weekly backups of systems that contain important information and ensuring at least one of your backups is not accessible through the network. The offline copy matters because ransomware that reaches a network share will encrypt the backups stored there along with everything else. Backups should also be test-restored periodically; a backup you have never restored is not yet known to work.
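An added example of the backup routine (written for this article, not code from the CIS guide): it archives a directory, records a SHA-256 of the archive beside it so later corruption or tampering is detectable, and checks whether the newest backup is older than a week. The sample directory and fixed backup time in run_demo() are constructed; copying the archive to storage that is then disconnected from the network is the manual step this script cannot do for you.

```python
"""Weekly backup with an integrity manifest and a staleness check.

Added example for the CIS backup recommendation; not code from the CIS guide.
The sample data in run_demo() is constructed. Copying the archive to media that
is then disconnected from the network is a manual step this script does not do.
"""
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Optional

MAX_AGE_DAYS = 7  # CIS recommends backups at least weekly


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest_dir: Path, now: Optional[float] = None) -> Path:
    """Create <dest_dir>/<name>-<UTC stamp>.tar.gz plus a .sha256 manifest."""
    now = time.time() if now is None else now
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(now))
    archive = dest_dir / f"{source.name}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    Path(f"{archive}.sha256").write_text(f"{sha256_file(archive)}  {archive.name}\n")
    os.utime(archive, (now, now))  # mtime = backup time, used by the staleness check
    return archive


def verify_backup(archive: Path) -> bool:
    """True only if the archive still matches the hash recorded when it was made."""
    manifest = Path(f"{archive}.sha256")
    if not manifest.exists():
        return False
    return manifest.read_text().split()[0] == sha256_file(archive)


def backup_is_stale(dest_dir: Path, now: Optional[float] = None,
                    max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True if there is no backup at all, or the newest one is older than max_age_days."""
    now = time.time() if now is None else now
    if not dest_dir.is_dir():
        return True
    archives = sorted(dest_dir.glob("*.tar.gz"), key=lambda p: p.stat().st_mtime)
    if not archives:
        return True
    return now - archives[-1].stat().st_mtime > max_age_days * 86400


def run_demo() -> dict:
    """Exercise the functions on a constructed directory and return the checks."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "finance"
        src.mkdir()
        (src / "ledger.csv").write_text("date,amount\n2019-07-01,100\n")  # constructed
        dest = Path(tmp) / "backups"
        t0 = 1561939200.0  # 2019-07-01 00:00:00 UTC, a fixed "backup time"
        archive = make_backup(src, dest, now=t0)
        results = {
            "verified": verify_backup(archive),
            "stale_after_3_days": backup_is_stale(dest, now=t0 + 3 * 86400),
            "stale_after_8_days": backup_is_stale(dest, now=t0 + 8 * 86400),
            "stale_when_empty": backup_is_stale(Path(tmp) / "nowhere"),
        }
        with archive.open("ab") as f:  # simulate corruption or tampering
            f.write(b"\0")
        results["verified_after_tamper"] = verify_backup(archive)
        return results


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check:<24} {ok}")
```

Schedule make_backup() weekly (cron or Task Scheduler) and backup_is_stale() daily so that a silently failing job gets noticed. Run verify_backup() against the copy on the disconnected drive, not only the copy on the server, since that is the one you will actually restore from after an incident.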

The CIS also recommends conducting periodic incident response simulations. It’s essential to identify and train those within the organization who will take the lead in the event of an attack, and to run through possible scenarios. You will also need to familiarize yourself with state and federal regulations to understand what notification requirements you must adhere to.

 

Of course, this shouldn’t be understood as a comprehensive guide for small businesses. It contains only a small subset of the complete 20 controls, but it represents what the CIS views as a bare-bones program that small businesses can implement at little cost. Check out the full report for more details on these steps as well as a list of low- or no-cost tools the CIS recommends to help with implementation.

Once you’ve set up these simple security procedures, you might want to take a look at the full list of CIS controls to see what additional steps you can take to create the most effective cybersecurity program you can. Don’t be a statistic on next year’s Ponemon report.  

Risky Business

Cybersecurity is a catch-all term, but your approach to it doesn’t have to be. Not all organizations need the same security controls. An organization processing payment cards, for instance, will need different security procedures than a small business collecting names and email addresses for lead generation.

Simply put: the level of security your organization requires depends on a variety of factors. If you apply one uniform set of controls across your entire network, you may end up overprotecting some information while underprotecting the rest.

This is why a risk assessment is so important. Identifying and evaluating your current cybersecurity risk not only ensures you have adequate security controls in place but also helps you understand how to direct your resources properly.

The Basics of a Cybersecurity Risk Assessment 

Before starting, it’s important to sit down and set the parameters for the assessment. Make sure everyone understands the scope of the assessment, and that any priorities or constraints are well communicated. Once everyone is on the same page, you can begin the assessment itself.

Identify Threats 

The first step is to identify what potential threats your organization faces. In general, threats can be categorized as either adversarial or non-adversarial. Adversarial threats include internal and external entities acting with malicious intent; you will want to identify the possible sources and capabilities of such threats. Non-adversarial threats include unintentional acts by employees or admins that expose system vulnerabilities, as well as equipment failures and environmental events such as power outages.

In addition to threat actors, you want to identify the types of threat events those actors could cause. This includes anything from installation of malware and targeted phishing attacks to unintentional data leaks and misuse of information by an authorized user.

Identify Vulnerabilities  

After identifying the threats your systems could face, the next step is to understand how vulnerable your systems are to them. Vulnerabilities include holes in your technical controls such as out-of-date software or missing security patches, mismanaged user access privileges, under-trained employees, and even the physical security of your data center.

Determine Likelihood and Impact of Threat 

Now that you’ve identified possible threats and your vulnerability to them, it’s time to rate the likelihood and impact of each. Likelihood depends on a number of factors, not only your current vulnerabilities but also whether certain threats target your specific industry. Financial institutions, for instance, are common targets of business email compromise schemes, so they are likely to experience phishing campaigns.

Along with rating the likelihood of a threat, you’ll need to understand the impact, or potential harm, each threat poses to your organization, employees, and customers. You can determine the impact of a threat by analyzing which systems would be affected, the sensitivity of the information involved, and whether the threat could spread to other areas.

Calculate Risk  

Having completed the previous steps, you’ll be able to calculate the risk each threat poses. There are a number of methods, but the simplest is to weigh the likelihood of each threat against its potential impact, for example by rating both on the same scale and multiplying. You can then rank the threats by risk and prioritize actions against them, starting at the top. Be careful that a simple product doesn’t bury a rare but catastrophic threat at the bottom of the list; such items deserve an explicit decision rather than neglect.
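A small risk register implementing that calculation, as an added example (illustration code for this article, not a method from NIST’s guide): likelihood and impact are rated on the five qualitative levels NIST SP 800-30 uses, from very low to very high, mapped here to the numbers 1 to 5 and multiplied. The number mapping, the band cut-points, the floor rule for very-high-impact threats and the sample threats are all assumptions made for this illustration.

```python
"""Rank threats by risk = likelihood x impact, then band the result.

Added example for the "calculate risk" step; not code from NIST SP 800-30.
The five qualitative levels are the ones SP 800-30 uses; mapping them to 1..5,
the band cut-points, the floor rule and SAMPLE_THREATS are assumptions.
"""
from dataclasses import dataclass
from typing import List

LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass(frozen=True)
class Threat:
    name: str
    source: str        # "adversarial" or "non-adversarial"
    likelihood: str    # one of LEVELS
    impact: str        # one of LEVELS


def level(value: str) -> int:
    key = value.strip().lower()
    if key not in LEVELS:
        raise ValueError(f"unknown level {value!r}; expected one of {list(LEVELS)}")
    return LEVELS[key]


def risk_score(t: Threat) -> int:
    """Semi-quantitative score in 1..25."""
    return level(t.likelihood) * level(t.impact)


def risk_band(t: Threat) -> str:
    score = risk_score(t)
    if score >= 15:
        band = "high"
    elif score >= 8:
        band = "moderate"
    else:
        band = "low"
    # Floor rule (assumption): a very-high-impact threat is never filed as "low"
    # only because it is unlikely; it still needs an explicit, documented decision.
    if level(t.impact) == LEVELS["very high"] and band == "low":
        band = "moderate"
    return band


def rank(threats: List[Threat]) -> List[dict]:
    """Risk register rows, highest risk first (ties broken by name)."""
    ordered = sorted(threats, key=lambda t: (-risk_score(t), t.name))
    return [{"name": t.name, "source": t.source, "score": risk_score(t),
             "band": risk_band(t)} for t in ordered]


# Constructed sample threats for a small business (illustrative, not a real assessment).
SAMPLE_THREATS = [
    Threat("Phishing leading to business email compromise", "adversarial", "high", "high"),
    Threat("Ransomware via unpatched workstation", "adversarial", "moderate", "very high"),
    Threat("Admin leaves cloud storage bucket public", "non-adversarial", "low", "high"),
    Threat("Laptop lost while traveling (disk encrypted)", "non-adversarial", "moderate", "low"),
    Threat("Targeted intrusion by a well-resourced attacker", "adversarial", "very low", "very high"),
]


def sample_register() -> List[dict]:
    return rank(SAMPLE_THREATS)


if __name__ == "__main__":
    for row in sample_register():
        print(f"{row['score']:>2}  {row['band']:<8} {row['name']}")
```

Notice the last sample threat: by score alone (5) it would sit in the lowest band, below a lost encrypted laptop. The floor rule keeps it visible in the register so that someone decides, and writes down, whether to accept that risk. Whatever scoring you choose, record the rationale next to each rating; the ranking is only as defensible as the judgments behind the levels.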

Final Notes 

While all organizations should devote time to assessing their cybersecurity risk, it may also be required by state, federal, or industry regulations. PCI DSS, for example, requires an annual risk assessment as part of compliance validation. Both HIPAA (Health Insurance Portability and Accountability Act) and FERPA (Family Educational Rights and Privacy Act) also require some form of risk assessment. Be sure to check which regulations apply to you.

Lastly, for more details on conducting a risk assessment, we recommend checking out the National Institute of Standards and Technology’s (NIST) Guide for Conducting Risk Assessments (Special Publication 800-30). We’ve outlined the basics, but NIST’s report contains further details on each step and a variety of charts and tables on threat types, quantifying likelihood and impact levels, and more.

A Pineapple Walks into a Coffee Shop: Cyber Protection on the Road

Vacations are a time to kick back and forget the worries of everyday life. But that doesn’t mean you should forget the cybersecurity risks you’re exposed to. In fact, travel presents its own risks. Whether you’re at the beach or just at your local coffee shop, carrying sensitive information on the go can open you up to additional vulnerabilities.

Here are some tips to keep in mind when traveling:

Backup data and update your software before you go

Packing shouldn’t be the only thing you do when preparing to travel. Before you go, be sure to back up your data and update the software on your devices.  

There is a lot to keep track of when you travel, and sometimes things get lost. Creating a backup of important information will ensure you can recover anything important from that iPad you left in the seat pocket of the airplane.

Checking for software updates on your devices is also essential. Keeping your systems and apps up to date ensures you have the latest security patches and helps defend against malware.

Be careful about using public wi-fi

Whether at the airport, hotel, or coffee shop, public Wi-Fi is not as trustworthy as your connection at home or in the office. These are good spots for attackers with “pineapples”: small rogue access points (named after the Hak5 WiFi Pineapple) that broadcast the same network name as the legitimate hotspot, or answer your device’s probes for networks it remembers, so that you connect to the attacker’s box thinking it is the public Wi-Fi. Once you do, the pineapple sits in the middle of your connection and can log, and in some cases alter, any traffic that isn’t encrypted end to end: the sites you visit, and logins or form contents sent over plain HTTP.

If you have to use such a connection, avoid accessing sensitive accounts or anything containing personal information. Only use sites that begin with “https://” when shopping or banking, and stop if your browser warns about the certificate; on a hostile network that warning often means someone is intercepting the connection. Using your mobile data connection is generally safer than public Wi-Fi. However, your best bet on any public Wi-Fi is a Virtual Private Network (VPN). A VPN encrypts everything between your device and the VPN server, so the hotspot (or a pineapple) sees only an encrypted tunnel and your traffic exits from the VPN provider’s address rather than the café’s.

Disable auto-connect

Often, your devices will automatically scan for and connect to available networks or other devices. This can lead you to unintentionally join an untrusted network, which is exactly what a pineapple impersonating a remembered network relies on. Turn this feature off on all devices, forget public networks you no longer need, and always double-check that you’re only connected to networks and devices you trust.

Don’t use public computers

Using public computers at a hotel business center or an internet café poses serious risks. You can’t be sure they are up to date or have proper security software installed. There have been a number of cases where public computers contained malware that logs keystrokes, which can be used to steal passwords, card numbers, and any other sensitive data you enter. If you must use one, don’t log in to anything that matters, and change any password you did type once you’re back on a trusted device.

Lock and guard devices

We often think about information being stolen by someone who remotely hacks into a device. But it can just as easily happen when someone steals the device itself. Along with keeping a close eye on your belongings, make sure you use a password, PIN, fingerprint, or other lock on all your devices, and turn on full-disk encryption (available on current versions of Windows, macOS, iOS, and Android). A lock screen alone doesn’t stop a thief from pulling the storage out and reading it elsewhere; encryption does.

Scan for malware when you get home

Even if you follow all these tips, you can’t be 100% certain that you weren’t exposed to some sort of attack. After you get home, use anti-virus software to run a full scan of your devices to make sure nothing fishy is lurking anywhere, and if anything about a trip felt off, change the passwords you used while you were away.