Five “Cyber Hygiene” Tips for Businesses and Individuals

By Thomas Ritter

At the Republican National Convention in Cleveland last year, a security company set up several public Wi-Fi hotspots around Quicken Loans Arena to see exactly how people behaved online. Thousands of users accessed these Wi-Fi hotspots; more than two-thirds had their identities exposed, 10 percent shopped on Amazon or another site and 1 percent accessed banking records.

The company did not keep any of the records. But imagine if a hacker did this.

This test proved the need for good information security, whether for your business or for you as an individual.

As an attorney specializing in information security, I counsel companies and individuals on what I call “Cyber Hygiene” — best practices to protect your data and your privacy.

Below, I have listed five cyber hygiene tips for both businesses and individuals.

Five “Cyber Hygiene” Tips for Businesses

Businesses are primarily concerned with protecting data they store, including vital proprietary information as well as customer data.

  • Understand all the technology touching your network and storing your data — The first step is to develop a complete inventory of all technology that connects to your network or stores company or customer data. The list should include devices — desktops, laptops, smartphones, etc. — as well as any third-party apps — Dropbox, a variety of Android and iPhone apps, PayPal, merchant processors, etc. — your company uses. I mention third parties because so many companies are moving files “to the cloud” for cost savings and convenience. I’m not saying cloud services are bad; we use them at Thompson Burton. Rather, what’s important is to understand how these third parties handle your information and the security measures they employ in doing so. Most of the time, a true understanding of what third parties are doing only comes by way of reading the incredibly monotonous and ever-boring “Terms and Conditions.”
  • Encrypt devices so they lock when people use the wrong password — Many laptops and smartphones come with built-in encryption that will prevent unauthorized access. For someone to decrypt any of your devices, they need the password. If the appropriate security measures are in place, a person entering the wrong password too many times will completely erase the device’s data. For example, an iPhone will erase all data after 10 failed attempts. Enabling this feature greatly reduces the likelihood that someone can access data if the device is stolen.
  • Create an incident response plan — I’m a firm believer in “hope for the best but plan for the worst.” A response plan ensures that everyone knows what to do to keep your business up and running if your company is the victim of a data breach or hack. The plan should account for different degrees of issues. For example, finding malware on your website is very different from stolen data containing customer Social Security numbers. Many companies never even consider whether they must follow the data breach notification requirements specific to each victim’s state.
  • Back up data regularly and have a parallel business plan — Here’s a question: What would happen to your business if employees could not access their electronic files or connect to the company network for a week? Most businesses would struggle — and some might even cease to exist. This is likely to happen if you have a serious enough data breach that requires the involvement of law enforcement. What happens if law enforcement requires your business to turn over control of and access to its data and network for the entirety of the investigation? This is admittedly a worst-case scenario, but a backup of your network and its data helps you get through this potential nightmare.
  • Have outside legal counsel on call when a breach occurs — Contacting an attorney the moment you realize a breach has occurred provides you some additional protection should litigation arise. For example, an attorney’s involvement in the decision to engage a security consultant helps reduce the likelihood that the consultant’s work will be discoverable in litigation. An attorney can also help you navigate the maze of federal, state and industry laws applicable to your case.

Five “Cyber Hygiene” Tips for Individuals

For individuals, the primary concern is protecting one’s privacy from hackers.

  • Stop using easy passwords and writing down your passwords — It’s impossible to live without passwords. I encourage my clients to use password software, such as LastPass or 1Password, to store all passwords in one place so you don’t have to try to remember all of them. You only have to remember one master password for your password software instead of memorizing complicated passwords for each online account. I also recommend creating strong passwords for your email, online banking accounts and social media accounts.
  • Change the password and login when you buy new devices for your home — Many new devices that you buy for your home connect to your Wi-Fi network. These devices ship with default usernames and passwords — e.g. admin and 1234 — that are widely known; hackers use them to access the devices and possibly your Wi-Fi network. Changing the defaults provides you with an extra level of protection.
  • Use multi-factor authentication for important data — Multi-factor authentication (MFA) is a two-step process where you log in with your password and then enter an additional code sent via text to your phone. The only way someone could break into an account with MFA enabled is by having your password and the device that receives the additional code at the same time. That is highly unlikely. I recommend using MFA wherever possible for the data you want to protect most, such as financial records, email, etc.
  • Know when to use and not use public Wi-Fi — Public Wi-Fi, like the example I mentioned above, is convenient but also one of the biggest threats to personal privacy and data exposure. A decent hacker can watch what you are doing on public Wi-Fi and even find ways to copy the passwords you use. It’s fine to visit news or sports websites while on public Wi-Fi, but you never want to access any website that requires sensitive information like usernames or passwords. The use of free Wi-Fi opens you up to a world of potential hacking vulnerabilities.
  • Update software with security patches — Google, Microsoft, Apple, Facebook and all technology companies invest massive amounts of money toward protecting their customers’ information security. Those companies cannot do their jobs if users fail to update their software with the latest security patches. It’s easy to turn on automatic updates so your devices update whenever a new patch is released.

For the best “cyber hygiene” practices and legal updates on relevant privacy and data protection topics, you can follow Thomas on Twitter at twitter.com/cybersecureatty.


Thompson Burton’s New Cyber Security Practice

By Thomas Ritter

Here are two words that should scare any business: business interruption.

The thought of losing control of your business for a day or a week is enough to keep any executive awake at night.

Business interruption is almost a guarantee when a company experiences a data breach or other cybersecurity problem. Every interruption comes with significant mitigation costs, including hiring experts to alleviate problems, lost productivity, the threat of lawsuits and much more.

Helping businesses, especially smaller businesses, manage their cybersecurity risks is why I have started a dedicated cybersecurity practice at Thompson Burton.

The practice includes three primary services:

  • Understanding the confusing patchwork of regulatory requirements
  • Drafting and reviewing security policies
  • Providing legal counsel when a problem occurs

The first two services fall under what I would call “preventative medicine.” For any business in possession of sensitive customer information and data, preparation is instrumental to prevention. The last service is the triage, or crisis response, for when a cybersecurity problem occurs.

Regulatory Requirements

The two biggest issues in cybersecurity are data protection and privacy.

There is no single legal framework for businesses to follow. Rather, businesses must comply with a complex and often overlapping set of cybersecurity-related laws and regulations. Whether it’s HIPAA for healthcare companies, GLBA for financial institutions, the FTC Act, or some other law, there is a lot to wrap your head around.

For example, most companies affected by a data breach assume that the applicable state law is that of the state where the company is headquartered. Instead, the more important question is: Where are the company’s affected consumers located? If a company is breached, the company must follow the notification laws of every state where an affected individual resides.

At Thompson Burton, we make this confusing and arduous process of understanding and sorting through the applicable laws and regulations easier.

Security Policies

Once you understand the regulatory requirements, it’s important for a business to have a security policy in place. This security policy memorializes the business’s information security procedures and its plan for any incident response.

As an attorney, I’m always assessing potential liability. In any context, a business saying it will do something and then failing to adhere to its own standards can implicate significant liability if caught. Security policies are no exception.

Legal Counsel When a Problem Occurs

The challenges with cybersecurity will only increase. It’s impossible to watch or read the news without some daily reference to a data breach or hack. For companies, it’s not a matter of if a cybersecurity breach will happen, but when.

Oftentimes, the biggest misconception by businesses is the “I’m too small to be a target” mindset. This is categorically false for several reasons. Most hackers don’t coordinate an attack based upon a specific target, but instead check to see which businesses’ doors remain unlocked. Of arguably greater concern, the actions of employees oftentimes allow a hacker to stroll right through the proverbial front door. Thompson Burton can help small businesses identify weaknesses and train employees to practice good “cyber hygiene.” (I will publish a blog post about this topic soon.)

The biggest benefit of having an attorney on-call who understands your business is the preservation of privilege in the event of a data-breach investigation. Through things like attorney-client privilege and work-product doctrine, an attorney can help coordinate and protect a company’s remedial efforts from potential discovery.

About The Author

Thomas Ritter is an associate attorney at Thompson Burton PLLC. He assists a variety of businesses, from well-established to new start-ups, on meeting regulatory compliance. Follow him on Twitter at twitter.com/cybersecureatty for the best practices and legal updates on relevant privacy and data protection topics.


Thompson Burton Named Finalist for NBJ “Best in Business”

I’m proud to share that Thompson Burton has been named a finalist for the 2017 Nashville Business Journal’s “Best in Business” awards. The firm is one of seven finalists in the category for businesses with 1-25 employees.

The NBJ determined the finalists after taking nominations from the public and having a judging panel of past winners choose finalists based on profitability, community involvement and other metrics.

I want to congratulate the other finalists. It’s wonderful to be in the company of many great Middle Tennessee businesses.

Thompson Burton is also proud to be the only law firm among the 29 finalists in all categories. Walt and I shared a common vision for a different type of law firm when we founded Thompson Burton five years ago. This recognition reinforces that the firm is doing the right things.

Most importantly, I want to recognize the entire Thompson Burton team. Everyone has embraced our vision and helped make the firm the success it is today. They are the reason that we enjoy coming to work every day and have a bright future ahead.

The winners in each category will be announced at an awards luncheon on March 7. Wish us luck.
