0
Cybersecurity AwarenessCybersecurity Awareness Month – 10 Tips for Improving Your Organization’s Cyber Hygiene

Cybersecurity Awareness Month – 10 Tips for Improving Your Organization’s Cyber Hygiene

October is Cybersecurity Awareness Month – a month-long event with the goal of raising awareness of good cybersecurity practices.

As a law firm focused only on technology, data security, and privacy, Beckage is dedicated to helping organizations create robust cybersecurity programs that help prevent or lessen the impact of potential cyber attacks. This starts with helping organizations, and their employees understand the important role they play in protecting their systems and safeguarding data.

In recognition of this important educational opportunity, we have compiled some of our top cybersecurity tips to help your organization improve your cyber hygiene. Do your part, #BeCyberSmart!

1. Use Multi-Factor Identification  

Add multi-factor authentication to your accounts. These tools require you to grant access to your accounts every time someone tries to log in.   

 

2. Update your Systems  

Updates may be a pain, but they are important. Updates often include patches for recently identified security issues. Neglecting updates may leave you vulnerable to threat actors exploiting these vulnerabilities.  

 

3. Emphasize Employee Education  

Human error is one of the most commonly cited causes of cyber incidents. Conduct regular cybersecurity trainings, including tabletop exercises testing your incident response plan, to help employees understand their role in incident response and prevention.  

 

4. Use Strong Passwords  

Choose unique passphrases as an alternative to passwords (ie. Myd0g1sth3b3st! vs. Fido123). Use a different password for each account. To help keep your credentials straight, consider using a password manager.   

 

5. Examine Emails Carefully  

Scammers often mimic a legitimate site or email address by using a slight variation in spelling. Pay attention to email and website addresses and independently verify links and attachments before clicking. Know where/how to report any suspect emails because you may not be the only one who received it.  Sharing is caring! 

 

6. Avoid Public or Unsecure Wi-Fi Networks  

Do not connect to a public or unsecure Wi-Fi network, such as at a coffee shop or hotel. Any sensitive information transmitted over these unsecure connections can be accessed by other users on the network. When a secure network is not available, opt to use your mobile hotspot.  

 

7. Create Email Forwarding Alerts  

Set up alerts when forwarding rules are added to your e-mail account and routinely check email forwarding rules. If threat actors gain access to an email account, they may create account rules to hide their activity.      

 

8. Do Not Use Personal Devices to Access Sensitive Data  

Personal devices, such as your phone or personal computer, are often not as secure as devices in the workplace. Downloading or accessing sensitive information on those devices could lead to the information being compromised. Unless your Security Officer says otherwise, never access sensitive information from personal devices.    

 

9. Keep Track of your Backups  

Make sure to have backups of important backups in place and these backups are stored separate from your normal environment. Check the integrity of your backups regularly. 

 

10. Find A Data Security Team  

Creating data security policies, procedures, and plans be daunting. Partnering with a team that understands the legal and threat landscape surrounding data security is a great first step towards improving your cyber preparedness. 

 

 

*Attorney advertising – prior results do not guarantee future outcomes.

Subscribe to our newsletter.

Dan Greene Cannabis & Tech Today ArticleDaniel P. Greene, Esq. Was Published in ‘Cannabis & Tech Today’

Daniel P. Greene, Esq. Was Published in ‘Cannabis & Tech Today’

Beckage CannaPrivacy and Incident Response Team Lead, Daniel P. Greene, Esq., CIPP/US, CIPP/E was published in Cannabis & Tech Today‘s Summer 2021 issue for his article, ‘The Cannabis Industry’s Growing Threat of Business Email Compromise.’

CongressBipartisan Group of Senators Introduce Cyber Incident Notification Act of 2021

Bipartisan Group of Senators Introduce Cyber Incident Notification Act of 2021

On Wednesday July 21, 2021, Sens. Mark Warner (D-VA), Marco Rubio (R-FL), and Susan Collins, (R-ME) introduced the Cyber Incident Notification Act of 2021 (CINA). 

Under CINA, federal agencies, federal contractors, and critical infrastructure companies (Covered Entities) would need to notify the Cybersecurity and Infrastructure Security Agency (CISA) within twenty four hours of discovery of a cyber intrusion or a potential cyber intrusion.  Moreover, under CINA, Covered Entities would need to provide regular seventy two-hour updates to CISA until the cyber intrusion has been mitigated.

Covered Entities who report to CISA under CINA will be afforded certain protections regarding their reports, including the report not being admissible as evidence into any resulting criminal or civil actions and being exempt to subpoenas, except for those directly coming from Congress.

CINA provides that Covered Entities who fail to report a cyber intrusion to CISA are subject to penalties determined by the Administrator of the General Services Administration (GAO), including but not limit to removal from Federal Contracting Schedules.  Additionally, CINA also provides that Covered Entities who fail to report cyber intrusions to CISA may be “subject to financial penalties equal to 0.5 percent per day of the entity’s gross revenue from the prior year.”

Beckage closely monitors changes in laws governing cybersecurity incidents and breaches of system security, including those which affect government contractors and suppliers.  Beckage’s team of attorneys and technologists are especially entuned with both responding to a data breach and understanding what a robust cybersecurity program would entail.  Beckage will continue to monitor CINA as it makes its way through the Senate and an update accordingly.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our Newsletter.

Cybersecurity Map of United StatesCISA Cybersecurity Advisory – Chinese State-Sponsored Cyber Operations

CISA Cybersecurity Advisory – Chinese State-Sponsored Cyber Operations

On July 19th, the National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigations (FBI) released a joint cybersecurity advisory pertaining to Chinese state-sponsored threat actors. The advisory warns of potential malicious activity targeting “U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations.”  

In response to this increased threat, CISA suggests organizations, particularly managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions, take the following steps: 

Patch your systems as soon as you can after the release of operating system and application patches.  Updates are often quickly reverse-engineered by threat actors to determine the vulnerability that is being fixed and whether it can be weaponized. 

Employ monitoring and detection technologies give you a 360-degree view of what is happening on your network.  Be sure you can see lateral movement, which may show indicators of compromise, inside-out traffic to malicious hosts, which may indicate command and control communication, and outside-in communication, which could reflect attempts at compromise from external sources.   

Implement strong preventative measures to mitigate or help prevent compromise from occurring.  These include active anti-virus and multi-factor authentication. 

Read the full cybersecurity advisory issued by CISA here. While this alert focuses on businesses that would be potential targets for nation-state threat actors, the advice above is applicable to any business. Following these best practices does not guarantee the prevention of a security incident but can make it substantially more difficult for threat actors to gain a foothold in an organization’s network and systems and can reduce detection time. 

If you suspect any malicious activity in your systems, or would like to speak to an incident response attorney to help improve your organization’s security, Beckage attorneys can be reached 24/7 via our Data Breach Hotline: 844.502.9363 or IR@beckage.com.  

*Attorney advertising: prior results do not guarantee future outcomes. 

UtahUtah Adopts Cybersecurity Affirmative Defense Act Protecting Business from Certain Claims Arising Out of Data Breaches

Utah Adopts Cybersecurity Affirmative Defense Act Protecting Business from Certain Claims Arising Out of Data Breaches

On March 11, 2021, Utah Governor Spencer Cox signed the Cybersecurity Affirmative Defense Act (the “Act”) into law.  The Act creates affirmative defenses to certain causes of action arising out of a breach of system security.  See generallyUtah Code Ann. §78B-4-701 et seq. 

The Act defines a breach of system security as including “an unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information.”  Utah Code Ann. § 13-44-102(1)(a).  Similarly, the Act defines personal information as including a person’s first name and last name when combined with a social security number, financial account number in combination with a required security code, and a driver’s license.  Utah Code Ann. § 13-44-102(1)(a).

The Act provides that business that “creates, maintains, and reasonably complies with a written cybersecurity program” and that is “in place at the time of breach of system security” shall be afforded an affirmative defense to tort claims arising out of the business alleged “fail[ure] to implement reasonable information security controls that resulted in the breach of system security.”  Utah Code Ann. § 78B-4-702.

Whereas the Act requires a written cybersecurity program, it does not set forth a new technical cybersecurity standard.  Instead, the Act requires that a written cybersecurity program “shall provide administrative, technical, and physical safeguards to protect personal information” and that a cybersecurity program should “reasonably conforms to the current version of” NIST 800-171, NIST 800-53, ISO 2700, and the HIPAA Security rule.  Utah Code Ann. § 78B-4-702(4); Utah Code Ann. § 78B-4-703(1)(b).  Altogether this requirement for a written cybersecurity program is not entirely dissimilar to a business cybersecurity program requirements under New York’s “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act), which we further outlined here.

There are a couple other notable provisions to the Act.  First, the Act does not create a private right of action if a business failed to comply with the Act.  Utah Code Ann. § 78B-4-704.  Second, the Act provides that if an action is brought in another state, but is governed by Utah law, then the Act should apply.  Utah Code Ann. § 78B-4-705. As such, if a Utah business is sued in court for an alleged failure to implement information security standards and a resulting breach, it may rely on the Cybersecurity Affirmative Defense Act to the extent that it had and followed its written cybersecurity program.  Moreover, Utah isn’t alone in providing for an affirmative defense as Ohio adopted similar legislation in 2018.  See Ohio Rev. Code Ann. § 1354 et seq.

Beckage closely monitors for any and all changes in the law related to breaches of system security, data breaches, or other cyber security incidents.  Beckage’s team of attorneys and technologist are especially entuned with both responding to a data breach and understand what a robust written cyber security program would entail.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our Newsletter.

1 2 3