Catch up with Single Path
Technology is constantly advancing. And so are we.
Cyber security concerns have been around for as long as there has been cyber-anything. The first computer virus was found infecting computers in the early 1970s and the first malware author was convicted in 1988. Those early infections were primitive compared to today’s hacking threats, which continue to grow more complex and sophisticated. While it’s vital to be prepared against any contingency, no matter how remote, we consider these to be the top cyber security threats for 2019.
Ransomware has grown by 350% according to a report by Dimension Data, and accounts for 7% of all malware. It has been reported that ransomware costs American businesses north of 75 billion dollars a year, with most attacks never publicly disclosed. The biggest increase in ransomware is expected to take the form of Cryptojacking, also known as “Cryptomining malware.” We discussed the problem of Cryptojacking in a recent blog post, in which we described how hackers can hijack computer processing power to mine cryptocurrency. We expect these cyber security threats for 2019 to continue to grow.
Software Subversion Expanding
As Security magazine reports, “While exploitation of software flaws is a longstanding tactic used in cyber attacks, efforts to actively subvert software development processes are also increasing.” In other words, the software you download may be infected, giving hackers a back channel into an entire network. Malware has even been detected in open source software libraries. Another variant is this: hackers may offer software whose name is spelled slightly differently from that of a popular application (such as adding an “s” or leaving out a letter), with the only other difference being the inclusion of malware. So be careful what you download, even if it’s from a seemingly trusted source.
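A defender-side check for the lookalike names described above, as an added example that is not part of the original post: it compares each dependency name against an allowlist and flags names one edit away from an approved one. It goes beyond an added or missing letter to also catch a substituted letter or two swapped letters; the allowlist, function names and sample names are constructed for illustration.

```python
# Added example: flag dependency names that sit one edit away from an
# approved package name. All names below are constructed sample data.
import re

# Assumption: a short allowlist of package names your organization uses.
KNOWN_GOOD = {"requests", "urllib3", "numpy", "python-dateutil", "cryptography"}


def normalize(name):
    """Lowercase and collapse runs of '-', '_' and '.' so that
    'Python_DateUtil' and 'python-dateutil' compare as equal."""
    return re.sub(r"[-_.]+", "-", name.strip().lower())


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute,
    or swap two adjacent characters, each costing 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,         # delete a character from a
                d[i][j - 1] + 1,         # insert a character into a
                d[i - 1][j - 1] + cost,  # substitute (or match)
            )
            # Adjacent transposition, e.g. "reqeusts" vs "requests".
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[rows - 1][cols - 1]


def check_dependency(name, known=KNOWN_GOOD, max_distance=1):
    """Return ('ok', approved_name), ('lookalike', nearest_approved_name)
    or ('unknown', None) for a single dependency name."""
    candidate = normalize(name)
    known_norm = {normalize(k): k for k in known}
    if candidate in known_norm:
        return ("ok", known_norm[candidate])
    best = None
    for norm, original in sorted(known_norm.items()):
        # Names whose lengths differ by more than the limit cannot match.
        if abs(len(norm) - len(candidate)) > max_distance:
            continue
        dist = edit_distance(candidate, norm)
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, original)
    if best is not None:
        return ("lookalike", best[1])
    return ("unknown", None)


def audit(names):
    """Check every name in a dependency list and return the verdicts."""
    return {name: check_dependency(name) for name in names}


if __name__ == "__main__":
    # Constructed dependency list mixing approved names and near misses.
    sample = ["requests", "requestss", "reqeusts", "nunpy",
              "urlib3", "Python_DateUtil", "flask"]
    for name, (verdict, nearest) in audit(sample).items():
        note = f" (close to '{nearest}')" if verdict == "lookalike" else ""
        print(f"{name:18} {verdict}{note}")
```

A "lookalike" verdict is a prompt to stop and verify the name before installing; "unknown" only means the name is not on the allowlist and needs the normal review.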
One of the top cyber security threats for 2019 is due to the expanding resources available to cybercriminals. Historically, many cybercriminals have worked alone, or in small groups. That’s starting to change. The proliferation of hacker forums and chat groups has launched a robust black market where cybercriminals buy and exchange malware, botnets and other criminal resources. The availability of these rogue offerings means that even inexperienced, or less able, hackers can launch sophisticated attacks. These “malware-as-a-service” opportunities will only continue to grow, which will result in an increased number of cyberattacks, especially with regard to identity and credit card theft. If you think the threats are numerous now–and they are–an aggressive and nearly overwhelming wave of attacks may be on the horizon.
Synergistic Threats Increasing
GandCrab has been in the news frequently. Discovered in January, GandCrab is a ransomware Trojan horse, encrypting files on a computer and then demanding payment to decrypt them. Just recently, the group behind GandCrab has targeted users visiting adult websites, asking for money to keep silent about their potentially embarrassing visits. This, however, is just a ruse to mask their real intent. When a user clicks on the email link, he or she inadvertently installs the GandCrab ransomware onto his or her computer.
GandCrab has grown so large that the group is actually soliciting cybercriminals to partner with it. As McAfee reported, “At the end of September, the GandCrab crew started a ‘crypt competition’ on a popular underground forum to find a new crypter service they could partner with.” This will let the GandCrab organization expand its criminal activities in new, unforeseen ways.
In 2019, many experts, including Security magazine, predict attackers will continue to combine tactics to create multi-faceted, or synergistic, threats. To combat them, organizations will also need to synergize their defenses.
Social Media Misinformation Mounting
The proliferation of Russian-originated Facebook pages influencing the 2016 U.S. presidential elections has been well documented by news sources across the world. So it shouldn’t be a surprise that cybercriminals are eyeing social media as offering rich opportunities for criminal enterprise, with posts and pages displaying an impressive degree of professional-looking design for dishonest purposes. Botnet operators are able to test messaging just like a marketer, including the use of hashtags, to determine the success rates of their misinformation.
Social media platforms are aware of the potential abuse, and are focusing their resources on stopping it, but with so many users, and so much data available on sites, criminals will further focus their resources on these big-scale platforms.
Protect your business from the Cyber Security Threats for 2019
These five cyber security threats for 2019 are just the tip of the iceberg. There are many more threats out there, many of which we may not even be able to imagine yet. The only thing an organization can do is to be prepared with smart, sophisticated technological resources and by adhering to best Internet safety practices. Consider Single Path your partner in anti-crime. Single Path Security Offerings run the gamut from employee training to insider threat solutions. We’ll help you be prepared for the cyber security threats for 2019 and also those still to come.
You take all the recommended cybersecurity precautions. You back up. Your staff is trained on processes. You have firewalls in place, passwords that are hard to decipher, and the most recent security patches in place. Yet, you still worry. You’re not alone. According to a recent survey, businesses ranked cyberattacks as their #1 threat, with data breach a close second. But if you are victimized by a cybersecurity incident, what do you do now? If you have a business continuity plan in place, the answer to that question is easy: follow the business continuity plan.
A business continuity plan is not the same as a disaster recovery plan, although they have a lot of similarities. As CIO magazine explains, a BC plan is about “maintaining business functions or quickly resuming them in the event of a major disruption,” while DR “focuses mainly on restoring an IT infrastructure and operations after a crisis.” In other words, DR is specific to IT, while a business continuity plan is concerned with the continuity of the entire organization (we discussed the six things you needed to include in your disaster recovery plan in an earlier article).
When you create your business continuity plan, make sure you take into account these six criteria:
- Conduct a business impact analysis
As Ready.gov reports, your business continuity plan should start with a complete analysis of the consequences of a business disruption and can include:
- Lost sales and income, or delayed sales or income
- Increased expenses (e.g., overtime labor, outsourcing, expediting costs, etc.)
- Regulatory fines
- Contractual penalties or loss of contractual bonuses
- Customer dissatisfaction or defection
- Delay of new business plans
Your Business Impact Analysis should also detail various risk scenarios and prioritize the order of events for restoration.
- Get everyone involved
If you are making the assumption that IT security is solely the responsibility of the IT department, think again. Your entire organization should be working together to protect its data and systems. Consider holding a brief workshop on IT security, create a business continuity management committee with members within and outside the IT department, and consider the impact and recovery on each member of your staff.
One crucial area of involvement is with your leadership team. As reported by Disaster Recovery Journal, it’s important for executives to support a culture of collaboration and to be transparent. “If executives support a culture of transparency, people will be more willing to reveal and troubleshoot problem areas in your organization’s processes. Down the road, this could help the organization mitigate a major vulnerability.”
- Establish work-arounds
Ready.gov paints this scenario: “Telephones are ringing and customer service staff is busy talking with customers and keying orders into the computer system. The electronic order entry system checks available inventory, processes payments and routes orders to the distribution center for fulfillment. Suddenly the order entry system goes down. What should the customer service staff do now?”
Developing manual workarounds eliminates uncertainty. For example, listing contact personnel (along with phone numbers and contact information) and providing specific details, such as how to document transactions manually, gives your team direction. You may need to reassign staff or even bring in temporary assistance if systems fail. How will you do that? Plan it all out now in your business continuity plan.
- Keep data on the cloud
The best way to ensure your business can continue to run is by backing up all your data on the cloud. A cloud service ensures that an organization’s critical data and processes are secure off-site. An organization can then quickly ramp up its systems in the case of a disaster. If you’re not already on the cloud, check out our earlier posts, 12 Reasons to Move Your Business to the Cloud and 9 Facts to Know About the Risks of Moving to the Cloud, and How to Manage Them.
- Ready crisis communication efforts
How prepared is your organization to quickly and effectively respond to and communicate with the public, and each other, during or after a cybersecurity incident? If you are hit by a breach, you may need to issue statements to the press, customers, partners, vendors and staff. We recently posted an article about emergency communication preparedness, in which we stressed the importance of drafting some templates that cover various scenarios. As we wrote: “it’s faster and easier to tweak a message than to write one from scratch for a multitude of mediums, and even multiple languages, if needed.”
- Test your business continuity plan
The time to ensure your business continuity plan is effective is before you need it. Is it comprehensive? Are there gaps? For example, are contact phone numbers correct? Are you able to restore data from the cloud without significant barriers or challenges? Since the network may be down, are there hard copies of the business continuity plan, and are they distributed to all the members of the team?
As suggested by CIO magazine, testing options for your business continuity plan include a table-top exercise in a conference room with the team looking for gaps, a structured walk-through or “fire-drill,” often with a specific disaster in mind, and disaster simulation testing in which an actual disaster is simulated involving all the equipment, supplies and personnel (including business partners and vendors) that would be needed.
- Call Single Path
While all the steps above are important, there’s a seventh step that may be just as vital: call an outside partner like Single Path. As experts in cloud services, IT security solutions and more, Single Path works with businesses, schools and other organizations to protect them from cyberattacks and help them recover when they’re hit. Planning, monitoring and adhering to best practices go a long way to protecting your customers or clients, team members, vendors and your own business. Calling a partner like Single Path, and getting your business continuity plan published, are important first steps.
Flash drive. Thumb drive. Jump drive. USB stick. Whatever you call it, most of us have at least one of these ubiquitous, simple devices. The very first USB drive—called the DiskOnKey—held a whopping 8MB of data. Today, they not only hold countless gigabytes, but they may also hold numerous USB security risks; so can charging ports, memory sticks and other common devices.
Beware the USB
Malware or a virus can be loaded onto a flash drive, which can then automatically infect a machine when the user inserts the stick into it. Back in 2014 some security researchers showed how easy this was, and things haven’t changed much. Researchers have shown how malware from a USB stick can take control of a computer, upload files, track browser history, infect software and even provide a hacker remote keyboard control. In many cases the problems can’t be patched, infected files can’t be cleaned, and the infection is almost impossible to detect.
Shared Data, Lost Data
Flash drives are convenient, but their size also makes them USB security risks. Recently, IBM banned workers from using them for work, along with any removable memory device. As reported by the BBC, IBM cited the possibility of “financial and reputational” damage if staff lost or misused the devices.
IBM is being cautious, and for good reason. A few months ago, the University of Toledo made news when a faculty member lost a flash drive filled with social security numbers (as reported by the Toledo Blade). In 2017, an insurance underwriter paid a $2.2 million HIPAA breach settlement after a USB drive containing sensitive health information of more than 2,200 people was stolen from its IT department.
Even deleting the information from a USB drive isn’t always effective for USB security, as the devices can leave traces of files behind, or even full copies, which an expert hacker can recover.
Using a flash drive isn’t the only USB security risk. Many modern laptops can now be charged through the USB port, a tremendous convenience but one that can leave a machine open to attack. Much like thumb drives, these small USB chargers are borrowed and shared, and lost and replaced. Like thumb drives, they can also be booby-trapped to inject malware, rootkits and other malicious infections into a computer, allowing the hacker access to files and data.
Getting the Drop on USB Security
Not every trick is high tech, as shown in this simple ploy: a hacker drops an infected USB drive on the ground, which is then picked up and used, infecting a computer. According to an article by digital news company Mic, researchers dropped a few hundred USB devices around the University of Illinois, even going as far as attaching keys or a return mailing address to some of them. Incredibly, 48% of the 300 devices they dropped were picked up and plugged into a computer.
USB devices aren’t the only portable devices that can put you at risk. Have you ever left a laptop on the table at a coffee shop while you stood in line, or ran to the restroom? Even if your laptop is where you left it when you return, that doesn’t mean it hasn’t been compromised.
A test of Google’s Chrome browser showed how easy and fast it is to steal passwords from an unguarded screen. One reporter for the Guardian says he tried exactly that, and stole 52 passwords in 57 seconds. If your computer doesn’t have a master password, it’s a simple procedure to access every web password you have.
USB Security and the GDPR
Recently, the GDPR (General Data Protection Regulation) was implemented for Europe, with a whole new set of rules regarding privacy protection and sharing of information. We reported on this in great detail in an earlier blog post. One interesting aspect of the GDPR concerns USB drive compliance. Keeping customer information safe and secure, with only limited employee access to this data, is at the heart of the GDPR. The failure to use an encrypted USB stick to transport data can be considered a breach of protocols and result in hefty fines.
Instead of relying on antiquated USB devices to share files, most companies should switch to cloud computing, which allows for safe storage and accessibility of files across a secured network. We wrote a blog post recently in which we listed a number of practices small-to-medium sized businesses should implement immediately, including amping up their cyber security, going to the cloud, and finding the right tech partner to assist them in setting it all up.
As security experts, Single Path is that “right partner” for many organizations. We know a thing or two about USB security, and even more about network security and data security. We help our clients implement proactive infrastructure patch management, provide a security risk assessment and much more. We also offer a full slate of managed cloud services, giving you access to the best cloud technologies without high initial costs or ongoing investments in upgrades.
What’s making that icy feeling of dread crawl up your spine? Is it from a Halloween ghost haunting your supply closet? Or the fear that your fax machine has been taken over by evil spirits? Assuming those evil fax spirits are hackers trying to crash your network security, that last guess might not be so far-fetched.
The Threat of IoT to Network Security
With the influx of Internet devices, many of which we wear or use daily, the security issues related to the Internet of Things are growing. Gartner analysts predict that more than 25% of all cyberattacks will involve IoT devices by 2020. We detailed IoT in a previous blog post, where we discussed how hackers can infiltrate network security through your HVAC system, Smart Watch and more. Here are five more spookily surprising devices that can be hacked and compromise network security.
- Your Fax is Lax
The problem with many electronic devices is that their manufacturers just aren’t paying very close attention to security. Even if you have a newer fax machine or printer, it may still use security protocols established in the 1980s. More than 45 million fax machines are in operation worldwide, many as part of all-in-one printers. Healthcare organizations in particular use fax machines for the vast majority of their communication.
According to an article from Healthcare IT News, a hacker would only need a fax number to launch a malicious attack. The attacker could then transmit an image with embedded code that would allow them to take over the fax machine. That might not sound horrible, until you realize “They would then be able to download and deploy other tools to scan the network and compromise devices.” In other words, the fax machine becomes the portal into a network, and its data.
- A Call For Help
Employees use their mobile phones almost as often as their computers, if not more so. It’s easy to forget that these devices often have complete network access and can be used to compromise network security, too. We’ve warned about this before; an earlier blog post on BYO devices for businesses, and another one about BYO devices in schools, explain the need to establish an organization-wide BYOD policy and create cloud back-ups of data, and the importance of antivirus and malware protection.
But hackers can also use a non-mobile phone system to access a network. According to workplace technology company Ricoh, hackers can get past some phone system security protocols with little effort, and then can:
- Eavesdrop on conversations
- Tap into your VoIP line to make high-volume spam calls to foreign countries
- Flood your server with data, using up bandwidth and causing your connections to be shut off. This may be followed with a ransomware demand.
- Infect your system with viruses and malware. Just like office computers, your internet phones are vulnerable to programs that can track keystrokes, steal passwords and destroy information.
- Hackers are Eyeing Your Surveillance Cameras
Ironically, the security cameras designed to protect your business could end up hurting it. And that’s spooky. While it’s convenient to watch security footage off-site, anything you can watch at home, hackers can watch too. Hackers can also take over the cameras to record videos or do their own surveillance of your workspace, sell camera access to other parties interested in doing that, make systems unusable or threaten to sell their use unless a ransom is paid, or even use the cameras to furtively steal credit card numbers from customers. Internet security company Trend Micro reports that one web forum claims, “as many as 2,000 exposed IP cameras are said to be connected to cafes, hospitals, offices, warehouses and other locations.”
- Getting a Smart TV may not be so Smart
A haunted television for Halloween? Sort of. A recent Consumer Reports article (February 7, 2018) details how millions of smart TVs have security flaws that can be easily exploited. A hacker can change channels, play offensive content or crank up (or down) the volume. While they probably can’t steal anything too valuable, this still can be “deeply unsettling to someone who didn’t understand what was happening.”
- A Coffee Jolt
The threat of someone hacking your coffee maker seems very, should we say, eye-opening? A recent article in the online journalistic mag The Conversation discussed how hackers can infiltrate cars, toys, thermostats, medical implants and yes, coffee machines. “A hacker who succeeds in communicating with one of these devices can then conduct any number of possible attacks. They could disrupt communications, which would be irritating in the case of a coffee machine, but potentially life threatening in the case of a medical implant.”
Your Partner Against Crime
These hacking examples are just the tip of the iceberg (or perhaps the ice-cold fingertips of a Halloween skeleton). At Single Path, we’re security experts and our Security Offerings cover a vast menu of services. We can perform a desktop security risk assessment, implement a proactive network security plan and ethical hacking/employee training, implement next generation firewalls and establish email/content filtering. The threat of hacking doesn’t have to be Halloween-level frightening—at least not if you call Single Path.
Happy Hacktober! We’re already well into this, the 15th annual National Cybersecurity Awareness Month. NCSAM is a joint effort between the U.S. government and various businesses to raise awareness of cyber security, and emphasize the importance of protecting your organization with cyber security tools and education.
Make no mistake: the need for education continues and cyberattacks are still on the rise. According to data from the Department of Homeland Security, 600,000 personal and business accounts are hacked every day and 47% of all American adults have had their personal information exposed by cyber criminals. What’s surprising is that Millennials, despite having grown up in a digital world, are particularly vulnerable to cybercrimes, with 44% of them victims of online crime in the past year alone.
Get Smarter, Get Safer
The best protection is education. The principle behind Hacktober, which has remained the same since the beginning, is the need to promote proactive, smart behavior in organizations in order to foster a security-conscious culture. Fortunately, there are thousands of cyber security tools and resources available, whether for individuals, SMBs, schools or other organizations.
We’ve collected some of our favorite cyber security tools here. Some of these have been created specifically for Hacktober, and others are evergreen. We hope this list of resources can help you stay more secure.
Cyber Security Tools for Small Businesses
1. This Cybersecurity Awareness Toolkit for Small and Medium-Sized Businesses was published by the Cyber Security Alliance, Facebook and MediaPro specifically for National Cybersecurity Awareness Month. It includes a great deal of information on how to create your own internal company Hacktober awareness kit and, more importantly, tips on how to implement your own cyber security protocols.
2. This 30-minute online assessment tool from the Michigan Small Business Development Center (SBDC) helps small and medium-sized businesses evaluate their own cyber risks.
3. The U.S. Small Business Administration offers a free cyber security course for small businesses.
Cyber Security Tools for Schools
4. A resource library from the Higher Education Information Security Council contains cyber security tools specifically targeted for colleges and universities including brochures, banners and more.
5. k12cybersecure.com is a site filled with “a curated list of recent information and resources to help U.S. public K-12 school leaders and policymakers navigate cybersecurity and related issues.” There are lots of links to articles and reports.
Cyber Security Tools for Everyone
6. This 2018 Toolkit from the Department of Homeland Security was created for National Cybersecurity Awareness Month. This is a comprehensive report that includes government contact information, cyber security tips, a glossary of terms and a list of online cyber security tools.
7. The national STOP. THINK. CONNECT™ campaign is a “national public awareness campaign aimed at increasing the understanding of cyber threats and empowering the American public to be safer and more secure online.” The STOP, THINK, CONNECT website has materials you can display at your organization, plus videos and resources aimed specifically for small businesses and educators.
8. Staysafeonline.org is a website from the National Security Alliance that features a list of upcoming cyber security conferences, online safety basics, advice on how to get your organization involved in cyber security, and many other resources.
9. Create your own custom cyber security planning guide for your organization with the help of this cyberplanner tool from the FCC.
10. The U.S. Chamber of Commerce offers cyber security tools such as tip cards, videos and posters that provide business security essentials.
11. US-CERT (The United States Computer Emergency Readiness Team) provides “no-cost, voluntary, non-technical assessment to evaluate an organization’s operational resilience and cybersecurity practices.” They also offer a self-assessment package, information sheets, downloadable guides and more.
12. The National Institute of Standards & Technology developed a CyberSecurity Framework that recommends standards, guidelines and best practices to manage cybersecurity risk for organizations.
We know we promised 12 tools, a solid dozen online resources, but we have to add a few more—
13. While not specifically created for Hacktober, we’ve published many blog posts that detail cyber security across a wide range of topics including blog posts on Phishing Tactics (part 1 and part 2), How to Spot a Phishing Email, Why Password Security Is Important for Your Business, How to Create Your School Cyber-Threat Strategy, The Growing Threat of IoT, and We’re Only Human: The Importance of Security Awareness Training.
There are many more cyber security tools out there, and we hope you’ll find the ones listed here, or others, are exactly what you need to create a more secure organization.
The Best Resource: Single Path
Single Path is your cyber security expert, with both the experience and resources to protect your organization. We provide a comprehensive menu of security options including audits, penetration testing, vulnerability scans, data loss prevention, ethical hacking/employee training, managed security incident event management (SIEM), managed advanced malware protection, next generation firewalls and email/content filtering. We also can help you rebound from an attack or natural disaster with our incident response services. Of all the vast array of cyber security tools that protect your organization, one of the easiest steps to take is simply calling Single Path.
Business organizations and schools are under cyber attack. Just this past week, it was reported that the FBI uncovered a phishing email scam aimed at stealing funds from New Jersey state employee online payroll accounts. The emails requested employee login credentials, which the criminals could then use to redirect an employee’s direct deposits. A similar ploy was recently directed at school employees in Atlanta, and the FBI Internet Crime Complaint Center (IC3) has issued a public warning about phishing email payroll fraud.
Learn how to spot a phishing email in our latest blog post.
Contact Single Path. With Single Path Security offerings you have access to a wide range of collaborative and customized protective services. Let us help you avoid being victimized. After all, falling prey to a phishing email scheme is a mistake, but doing nothing to prevent it from happening may be an even bigger one.
Hurricane Maria was the worst hurricane to hit Puerto Rico in nearly a century, with winds reaching almost 200 miles per hour amid torrential rains and flooding. The disaster left millions of people without power, hundreds of thousands without access to basic necessities and 10,000 people homeless. The world watched with concern and compassion.
But when School Superintendent Jim McKay and Single Path’s Bill Spakowski saw the news, they decided to make a difference.
As superintendent for School District 117 in Antioch, Illinois, Jim McKay had helped send supplies to Houston after Hurricane Harvey. But he knew, this time, supplies were not enough. He needed to do more.
Jim knew the devastation would impact families and children most, and he also understood the vital role schools play in a community. “My mind is with kids,” said Jim McKay. “It’s with helping. When I heard kids in Puerto Rico were not being served, and maybe not being able to attend school for months, I knew I had to do something.” Jim reached out to other area school districts and business and community leaders. Jim had worked with Single Path to set up his own district’s 1:1 learning environment just a few months earlier, so Bill Spakowski of Single Path was near the top of his list of people to call. As Jim suspected, Bill jumped at the chance to help.
Puerto Rico already had considerable education challenges. An estimated 30 percent of Puerto Rico’s students receive specialized education, twice the average on the U.S. mainland. According to the New York Times, only 10 percent of seventh, eighth and 11th graders achieved proficiency in a standardized math test in 2017. Escuela Rafael de Jesús, an elementary school in Rio Grande, Puerto Rico, was faced with similar challenges, even before the hurricane. This district serves 300-400 students of mostly low-income families (86% of them receive a free or reduced lunch) and a great number of special needs kids. They didn’t have the funds to recover from the hurricane on their own, at least not without a miracle. Jim, Bill and the group they named “Relief Through Leadership” became the school’s angels.
The amount of money and equipment Relief Through Leadership raised was impressive, and reflects the environment of caring and giving that both Jim and Bill advocate in their respective organizations.
Donated supplies and technical assistance from Single Path were matched by similar efforts from other organizations. The group solicited no tax dollars. Volunteers who went to Puerto Rico paid for the trip out of their own pockets. And the amount of donations, work and organization was staggering. For example, local schools donated desktops and notebooks. CDN logistics trucked four pallets of computers from Lake Villa, Illinois to Miami. Carnival Cruise Line shipped those pallets to San Juan. The Mayor’s Office delivered the equipment to the school. And everything was donated. “We were one of the few volunteer groups that were able to crack the sea-transport challenge,” admits Jim McKay.
Jim and his group of volunteers, which included two people from Single Path and eight school superintendents, flew down to Puerto Rico and got to work. Bill and his colleague not only helped set up two hundred computers, including desktop classroom computers and Chromebooks, but they also joined the team in spending time (and sweat) scraping paint from ceilings and walls and repainting the school building with paint purchased by Single Path.
Before the hurricane, their school library only had two computers. Now, Rafael de Jesús has its own computer lab. Said Jim McKay, “These computers changed their world. Literally.” He added, “In the world of education, the opportunities are significantly less if you don’t have access to the Internet. With technology, kids today are able to learn and grow so much faster. And we were able to go in and give them the chance to learn and grow in a way they couldn’t have before.”
Jim McKay remembers how surprised the mayor, local leaders and the school’s staff were when he and his group arrived in Puerto Rico. “Honestly, when I talked to their principal back in February I don’t think she believed me,” he said. “Talk is cheap. But when we showed up she, and other faculty members, were nearly overcome with emotion.”
Neither Jim nor Bill feels their job is done. Today, Puerto Rico is still impacted by the lingering effects of Maria. While travelling through the island, Bill noticed the blue tarps still covering the roofs of many homes, and the debris of destroyed or damaged buildings that may never be replaced or restored. More than a quarter of Puerto Rico’s schools have closed since the storm and many were without electricity for months. Hundreds of thousands of people have fled the island permanently, including many doctors and educators. Much of the relief the island has received, including a significant percentage of its educational funding, has been lost to waste, corruption and questionable spending practices. That’s why Relief Through Leadership plans to continue donating directly to the school, visiting annually, providing equipment and even new classroom furniture. Both Jim and Bill feel that acquiring and donating two thousand computers a year is a realistic goal. They also hope to set up a connected learning environment between local Illinois schools and Escuela Rafael de Jesús.
The time and energy provided by Relief Through Leadership is about more than making a difference today. It’s about the kids who will be the future of Puerto Rico. Said Bill Spakowski, “It’s about giving back and helping to develop the next generation of leaders. We’re a company that cares about making a difference, and truly cares about students.”
You can view a video showing some of the before and after images of Puerto Rico and Escuela Rafael de Jesús, and the relief efforts by Relief Through Leadership here. To learn more about Single Path, contact us.
Single Path, in conjunction with Cisco, recently hosted a presentation by renowned cyber security expert Bryce Austin. Bryce shared his experiences while at Target during their breach. The discussion also included valuable information on creating a cohesive tactical plan for a “post-breach” scenario. After the event, we all headed up to a United Center suite to have some fun and watch the Chicago Blackhawks take on the Minnesota Wild.
In April of 2016, after four years of debate and preparation, the EU Parliament approved the GDPR (General Data Protection Regulation). This landmark regulation was designed to protect data privacy and access, and to provide a way for EU citizens to seek damages should they suffer from misuse or breach of their data.
This regulation affects any company that does business with EU citizens, regardless of where that company is located. Among its components are:
- Mandatory breach notification. Data processors must notify their customers and business partners within 72 hours of becoming aware of any data breach.
- The right for customers to obtain confirmation on how and where their personal data is being processed, and for what purpose
- The right for customers to have their personal data “forgotten” or removed from electronic data (under certain conditions)
- The right for customers to receive their own personal data, and a right to “data portability,” or the ability to easily transfer information between service providers
- Privacy by Design. Data protection protocols need to be in place before a company collects personal information, and access to that data within the organization must be limited.
- Data Protection Officers. Certain companies must appoint an officer in charge of all data protection and privacy issues, and follow certain internal record keeping requirements.
What you need to do now
According to research and advisory firm Gartner, most companies are not ready for this change. In fact, Gartner predicts that more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.
Unfortunately, if a company doesn’t adhere to the GDPR regulations, they could face a HUGE fine. Here are a few areas you’ll want to take a closer look at:
Are you a controller or a processor?
The regulation breaks out responsibility for protecting data into two roles: controllers and processors.
Which one are you? A “controller” is the person, business or public authority that “determines the purposes and means of the processing of personal data.” The “processor” is the person or organization that processes the personal data on behalf of the controller. In other words, the controller is the one who uses the information and the processor gathers it on their behalf.
Or, in an example given in an article on the website gdpreu.org, “If Acme Co. sells widgets to consumers and uses Email Automation Co. to email consumers on their behalf and track their engagement activity, then with regard to such email activity data, Acme Co. is the data controller, and Email Automation Co. is the data processor.”
Some companies are both. You may want to seek legal advice to ensure your role is properly defined.
Audit your data
Per a recent article on informationweek.com, auditing your data, while time-consuming, can have numerous benefits. The article suggests you “Find out what data you have, where you have it, why you have it, how long you need it and any current processes for deleting it.” Since information may have to be deleted, shared and immediately accessible, enabling a single view of all information, and where it is stored, can be a vital time and cost-saving measure.
Conduct a Privacy Impact Assessment (PIA)
You will need to assess how customers’ personally identifiable information (PII) is collected, used, maintained and disclosed to ensure it is protected adequately. As shared in an article at gdpr.com, “The PIA should be conducted throughout the development lifecycle of a system, but especially before you even start collecting the data. When risks are identified, the GDPR expects you to employ measures to address them, such as encryption, continuity plans or backups of the data.”
Remember, it’s not just about having a secure system. The real trick is in controlling who has access to the information and how it can be used. As stated in the same article quoted above, “security is about who has access to the data, privacy is about what you do with the data you have access to. Assuming security is good, the main risk will be the way in which you use the data.”
Let an expert help
At Single Path, we’re well known for “providing accountability for technology from the start.” Our team will work with you to put the processes and protections in place to ensure you are compliant with the GDPR, and any other regulations or requirements. From storage to security, we have the experience and resources to collaborate, educate and connect you with the tools you need.
Don’t risk a large fine from a lack of compliance. Let Single Path help you take the steps now to ensure you’re ready by May 25.
As nearly everyone knows, Equifax recently reported a data breach, which has put more than a hundred million people at risk. As the Federal Trade Commission puts it bluntly, “If you have a credit report, there’s a good chance that you’re one of the 143 million American consumers whose sensitive personal information was exposed in a data breach at Equifax, one of the nation’s three major credit reporting agencies.”
The facts are undisputed. The breach lasted from mid-May through July. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. Yet Equifax didn’t inform the public until September 7th. Within a week of that announcement, both Equifax’s Chief Security Officer and Chief Information Officer were fired, and Equifax became a target of public anger, a subject of investigation by the U.S. government, and a source of ridicule on late night television.
As Wired Magazine stated in an article dated September 14 titled Equifax Officially Has No Excuse, “Capping a week of incompetence, failures and general shady behavior in responding to its massive data breach, Equifax has confirmed that attackers entered its system in mid-May through a web-application vulnerability that had a patch available in March … As the security community processes the news and scrutinizes Equifax’s cybersecurity posture, numerous doubts have surfaced about the organization’s competence as a data steward.”
Even Worse, It Was Entirely Preventable
According to Equifax itself, the data breach was due to a flaw in the Apache Struts Web Framework, a widely used enterprise platform. Equifax discovered the bug months before the breach occurred, yet did nothing to fix it. This decision is surprising, as the remedy was a relatively simple procedure. Equifax was provided clear and simple instructions on what to do. Instead, they chose to do nothing.
At best, the refusal to fix this major flaw was negligent. At worst…well, that’s still to be determined.
Once Trust Is Gone, It’s Gone
Since this ongoing fiasco was first made public, how many people are excited about the immediate prospects of Equifax? Its stock lost more than 35% of its value within days of the news coming out, and has remained significantly lower than its pre-breach levels. Meanwhile, the Department of Justice is looking into criminal charges against high-level Equifax executives who sold nearly $2 million in stock before Equifax released the data breach information.
While it is too early to determine the long-term future of Equifax, if it has one, individuals and municipalities have filed numerous lawsuits (including one by the city of Chicago on September 28 on behalf of its citizens, following in the footsteps of San Francisco which filed suit just two days earlier; more cities are expected to follow) and politicians are calling for more investigations. As the lawsuits go through the system and people’s lives are disrupted—this breach affects nearly everyone who has had a credit report run—the news of Equifax’s lax security standards and insufficient response will only linger, as will public outrage.
Are You the Next Equifax?
While it’s true a breach can affect any business at any time, arrogance and a refusal to protect your data will only hurt your business’s rebound and make the prospects for its success questionable. Recent and well-publicized data breaches from Target, Home Depot and others have demonstrated that open communication can go a long way to restoring public trust; a path that Equifax has so far seemed reluctant to follow, at its own risk.
But openness after the fact is only one step—the best step is to be proactive and do all you can to avoid a breach in the first place. That means not only ensuring appropriate safeguards, but also backing up data in case you are hit by a malicious cyber attack that compromises, erases or prohibits access.
As we detailed in a recent blog post about cybersecurity attacks, “formulating a multi-layered plan including continual back-ups and implementing best practices, such as employee education, is of paramount importance.” This includes back-up protection, strong email security, artificial-intelligence-based security and more. In short, you not only need to protect your customers, but yourself. Safeguarding information rewards your customers’ trust but also ensures your company doesn’t miss a beat in the event of a cybersecurity breach.
Learn more about how Single Path’s Security Offerings can help you create a cyber strategy and protect your data and your reputation.