The Most Positive Cybersecurity Trend I Have Seen in Nearly 20 Years!

business-1989131_1920In the last quarter of 2017, I have observed a cybersecurity trend that has given me more hope than any that I have seen previously. Let me explain.

As an attorney, I have been practicing what can generally be described as cyber law or cybersecurity law since 1999, which means that my practice has evolved a lot over the years. It also means that I have seen a lot over the years.

My practice has been divided into three distinct areas over the last several years:

  1. Proactively, by helping clients assess and understand their overall cyber risk and then developing, implementing, and maturing a strategic cyber risk management program that prioritizes their efforts to help minimize their cyber risk.
  2. Reactively, by leading companies through the cyber incident response and data breach response process (e.g.,  as a “breach guide” or “breach quarterback”) and regulatory investigations and enforcement actions.
  3. Reactively, by representing clients in litigation involving cyber-related claims like data loss, data theft, computer hacking, and business to business disputes concerning responsibility for cyber incidents.

For nearly twenty years, the number of clients that have hired me to help in a reactive role, such as with incident response and litigation of cyber claims, has towered above those who have sought my help for proactively assessing their cyber risk and developing and implementing a cyber risk management program. It has not even been close.

This has not been due to a lack of effort on my part. I have always done my best to encourage clients to be responsible when it comes to cybersecurity by being proactive and focusing first on risk management and prevention but this has generally fallen on deaf ears. They did not want to be cyber responsible — or, even if they did want to be, they were not willing to invest resources into being cyber responsible.

But in the last quarter of 2017, this has changed.

The trend that I have observed developing over the last Quarter of 2017 is outstanding! For the last few months I have had substantially more clients hire our firm for helping them with a proactive cyber risk management program than we have ever seen in the past, so much so that the amount of work we are now doing on these programs is equal to or greater than the amount of work we are doing on incident response and litigation.

What makes this trend so great? The answer is simple: it shows that companies are finally starting to get it! They are finally seeing that it is better for them to invest resources into proactively preventing cyber incidents and data breaches from happening than it is to sit back and wait with the only strategy being to hope that it will not happen to them — because it will happen to them if they do nothing to stop it.

I hope that the trend that I am seeing is consistent across the industry. If it is, we just may be turning the corner in the war on cybercrime that is destroying our companies and decimating our individual privacy.

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Tips for Staying #CyberSecure While Shopping Online for #CyberMonday

Cybercriminals need shopping money for the Holidays and one of their favorite times to get yours is when you are shopping on #CyberMonday.

Use these tips to help stay #cybersecure while shopping online for #CyberMonday and at any other time:

  1. Credit or debit? Use credit cards, not debit cards, for your online shopping. Debit cards are tied directly to your bank account so if there is a problem, your money is gone. With credit cards, it is borrowed money, plus, if you have a problem with the merchant or order, the credit card company can act as your intermediary in the dispute. If possible, have one credit card that is used solely for online shopping in case you need to cancel it.
  2. Secure Internet connection. When shopping online, it is best to avoid free WiFi or other forms of open WiFi in public locations. When you are out, it is best to use your own data plan or, if you must use public WiFi, use a VPN to help minimize the risk of having your information stolen.
  3. Credible merchants. Only shop at online merchants that are credible and well-established. Anyone can put up a website in a short amount of time, make sure you know you’re dealing with a trusted merchant with a history of doing business.
  4. Scams – too good to be true (merchants). Be wary of deals that seem too good to be true and do not get too greedy because if a “deal” seems that good, it almost certainly is and the person behind the scam is either outright stealing your money or they are trying to steal your information.
  5. Saving information with merchant. While it is more convenient to save your personal information and payment information with the merchant, doing so also means that information is now stored in their database and can be compromised. It is best to not save your information with merchants.
  6. Scams – too good to be true (click here). Be wary of emails or social media posts that advertise deals that seem too good to be true and then tell you to “click here” on a link to see more information. Those are usually phishing emails that are designed for the sole purpose of getting you to click the link so they can either steal your information or deposit malware on your device. Cybercriminals can perfectly clone emails from legitimate merchants such as FedEx, PayPal, Amazon, and others so just because the email looks legit doesn’t mean it is — don’t click on the links!
  7. Scams — the sad story. While not limited to online shopping, a close relative to the “too good to be true” scam are the scams that play on your sympathy and generosity during the Holidays. An example of these is chain emails that tell of a tragedy that has befallen people and asks for donations. Criminals know how to play on our sympathies and use our emotions to manipulate us into doing things we would never do otherwise, such as sending money because someone asked for it in an email or social media post. Unless you know the people first hand, do not let your emotions overtake your judgment and stick with reputable charitable organizations with an established history.
  8. Good Cyber Hygiene. Whether for shopping on #CyberMonday or otherwise, it is best to always use good #CyberHygiene to protect yourself online. Here is a free Checklist for Good Cyber Hygiene.

For more discussion of these tips for staying safe while shopping online see 5 tips for Avoiding the Cyber Grinch this Cyber Monday! and Cyber Monday: Online safety tips from a cybersecurity expert.

SEE ALSO

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

FUD and Voting Machine Hacking: An Important Point and Important Lesson

This morning I am doing radio interviews as a Fox News Radio contributor. My topic? The DEFCON Voting Village demonstration of hacking voting machines that have been, or may currently be, used in US elections. Here are a couple of the news stories if you are unfamiliar: Hacking a US electronic voting booth takes less than 90 minutes | New Scientist and To Fix Voting Machines, Hackers Tear Them Apart | Wired

With all of the talk about hacking or rigging elections, this is a great topic to pique people’s interest for a radio interview but it can also generate a great deal of FUD. And, I really do not like FUD because it detracts from the real issues and lessons that we can learn from situations. So, there is one very important point and one very important lesson that I have tried to make during these interviews and that I hope will rise above the FUD:

IMPORTANT POINT: The voting machines used in this example were obtained from eBay and government auctions because they had been decommissioned. This means they were old. Unfortunately, some had been used in recent elections — which is a big problem — but generally speaking, we’re talking about outdated technology.

IMPORTANT LESSON: Voting machines are computers and, while (IMO) no computer will be secure they can certainly be more secure. We must be vigilant about the security of the voting machines and other election infrastructure that we use in our voting process and demand that current, state of the art equipment be used, where security is baked in from the outset and is continuously maintained as an ongoing process, from now on until further notice.

 

OCR Issues Cyberattack Response Checklist and Infographic

The United States Department of Health and Human Services’ Office for Civil Rights has just issued a checklist and infographic to aid healthcare organizations and their vendors in quickly responding to cyberattacks in compliance with HIPAA requirements.

WHDT World News Interviews Shawn Tuma about WikiLeaks’ CIA Vault7

See also: