Business Liability Legal Tips for Entrepreneurs Risk Management
April 24th, 2016
The Internet of Things (IoT) & What Every Entrepreneur Should Know to Minimize Cybersecurity Risks
In several recent presentations I have talked at length about the internet, cybersecurity, data breaches, and what we as entrepreneurs can do to protect ourselves and our businesses (including our clients).
I continue to collect information and resources on this topic, and wanted to present some quick info here, including safety tips that if you implement today, will help you minimize your risks online by up to 85%. That would feel good, wouldn’t it?
As part of my ongoing licensing requirements (yes, I have a traditional law practice as well), I am required to take continuing legal education classes. I am an information absorber (information-hoarder is really the correct term), so even though to most people CLE classes may sound like a bit of a chore, they are actually a super enjoyable way for me to pass my time!
That said, some CLE classes are a bit more engaging (i.e. eye-opening) than others. And I just completed a handful of hours at the end of last year on the topic of cybersecurity and the impact on data breaches to businesses. To say that these classes were eye-opening would be an understatement. Additionally, I pay attention to what online experts have to say about how we can protect ourselves. (I pay particular attention to presentations put on by the FBI and very high level government officials on the topic of cybercrime and data security – just today I listened to a Tim Ferriss podcast with Marc Goodman, an FBI futurist and crime expert, which reminded me to publish this post. You can find Tim’s podcast on itunes here). As online entrepreneurs, we should be taking extra precautions to protect our online data and that of our clients and customers, and at minimum should be taking the precautions that are reasonable and readily available to all of us.
Before we get to the very important list of actionable precautions you can implement immediately to protect yourself and your business by up to 85% (or more), let’s first set the stage for why these precautions are so very important:
LET’S SEE HOW YOU DO ON THIS SHORT MULTIPLE CHOICE QUIZ: (get out a piece of paper and write down your best guess!)
1 – How many businesses (of any size) experienced a data breach of some kind last year?
a) 90% b) 10% c) 64% d) 37% or e) 50%
2 – What percentage of video cameras (i.e. on smartphones, computers, tablets, or wired/networked devices of any kind) are unprotected (i.e. totally without a password or any protection)? (This includes home and business video/monitoring systems/ baby video monitors & nanny-cams)
a) 50% b) 35% c) 20% d) 15% or e) 18%
3 – In the next 25 years, how many “things” are projected to be added to the IoT (internet of things)?
a) 100 Million b) 2 Billion c) 20 Billion d) 200 Million or e) 200 Billion
4 – In the worldwide fight against crime, what is being used by law enforcement at various levels as a tool to help make split-second decisions about whether someone should live or die?
a) facial recognition tools (like you see in the movies) b) cell phone tracking or c) google images
5 – What is the average time between a data breach occurring and an individual or business learning of the data breach?
a) 19 days b) three weeks c) 418 days d) 7 months, or e) 39 days
Are you ready for the answers?
1. e) Approximately 1/2 of all businesses experienced some kind of data breach last year. (This number has steadily risen the past several years). Data breach or cybersecurity insurance is currently the fast growing insurance product (jumped from 10 to approximately 26% in 2014 alone);
2. b) 35%. Between 30 and 40% of ALL video cameras (smartphones, computers, tablets, home video monitoring systems, baby monitoring devices, business video monitoring systems & nanny cams) have NO password or security of any kind preventing unauthorized access. An additional 30-40% have the original password that is provided with the manufacturer’s paperwork or instructions, largely available on the web. **In ONE week last year, 76,000 camera systems were hacked & streamed live on the web, which included many personal scenes from the insides of people’s homes. (The horror!)
3. e) Up to 200 BILLION new “things” are projected to be added to our internet of things. The analogy provided with this figure is like going from a network the size of a golf ball, to a network the size of the sun (i.e. a tsunami of technology). We are in the infant days of the internet, and most of us have no concept of how life is expected to change as a result of this drastic increase alone. We are now essentially in a technological arms race.
4. c) Google images! Yes, that’s right folks. Just remember, all of the photos that we post to Facebook or other online sites, even if we think they are private, should be uploaded with the assumption that they are going to be accessible to everyone. Everyone. Post cautiously.
5. c) 418 days. Yes, you read that right. 418 days of our websites, our personal accounts, all of the information that passes through our computers or wired devices being monitored, collected, and used before we even learn that a breach has occurred. Does that freak-you-the-heck out?
Here’s the thing: Most of us do not sit around and use our best subversive thinking skills to guess as to how our data, images, or other information might be harvested and then used in a malicious way. And yet, this is just what criminals do EVERY DARN DAY.
There are repeat criminals and masters of cyber-hacking (in fact there are whole towns and villages of people like this), in addition to those with subversive thinking who end up becoming criminals through their online actions, who spend a large portion of their waking hours coming up with all sorts of ways to use other people’s video cameras, websites, accounts, the internet right under our nose, and all of our connected devices to dredge and then utilize every ounce of data that they can find, including to perpetrate more attacks. (Check out “Hackerville,” Romania, some of the worst botnets in the history of the internet, (including one responsible for sending out 39.9 billion spam message per DAY, and another controlling up to 50 Million computers and networked devices at a time), or the Crown Casino Scam where a patron hacked the Casino’s video monitoring system which helped him walk away with $33 Million in a very short period of time, and finally “Dread Pirate Roberts“, the pseudonym for a darknet market named “Silk Road” which netted its owner $110 Million over the course of a couple years (in which the site transacted over a billion dollars in black market transactions over the internet). Do you find this stuff unbelievable? Well, unfortunately, you better believe it.
When it comes to online risks, businesses, high-profile individuals and governments are particularly at risk. But the reality is that ALL users of the internet are at risk. Cyber attacks are often aimed at large numbers of people, or online users all at once. All of the cybersecurity breaches that occurred at large corporations last year and were smattered regularly in the news were often reported on a “business by business” basis, where instead, the reality is that these breaches happened at a massive level and often at the same time, affecting 1/3rd of ALL OF US.
Cybercrime is a 400-Billion-Dollar-per-year industry. Yes, $400 Billion per YEAR.
So what do we do about it? How do we protect against what feels like an eventuality if not an absolute short-term certainty?
Get out your notepad again, and take notes, because you will want to take action ASAP. Some of these action items are obvious (i.e. common sense actions) that many people still don’t implement (raise your hand!), while others will take a bit more effort (though not much, so no excuses!).
The more obvious actions:
- Don’t use the same password for all of your online accounts. Use password tools like 1Password, KeePass, or LastPass to secure your passwords AND enable two-step authentication whenever possible;
- Don’t open strange links or attachments, especially when they are from the Prince of Any Country (yes, you’ve heard this before);
- Keep the software on your computer, smartphone and tablets up to date (don’t ignore the update notices!);
- Keep your website themes, plugins and other related software up-to-date;
- Don’t use social media on a work computer, or from any device networked to your digital business records or critical files (and this means prohibiting employees from doing the same thing – social media websites of all kinds are some of the easiest ways “in” for hackers and employee use of websites including connecting work or business-related devices to public networks is the number one cause of cybersecurity breaches for businesses with employees);
- And when on social media, absolutely do not participate in any of the games or quizzes – these are highly loaded with malware, worms, and viruses (and do you really need to know what breed of dog you would be, if you were, uh, a dog?);
- Use the internet and share personal information (including images) sparingly or cautiously;
The easy but not as obvious actions:
- Put sticky notes or tape over the built-in cameras on your computer when not in use;
- Power down your phone when not in use;
- Power down your computer when not in use;
- Make regular back-up copies of all of your data, devices and external hard drives (one third of all hard drives fail every year – this means you should have three copies of everything at all times);
- Only connect external hard drives to your computer when you need to access the data (do not leave them connected);
- Do not connect to public networks, but especially if you are a business person who travels, always use a VPN (virtual private network) in public places, including when you stay at hotels;
- Do not use the Admin account as the primary or main account on your computer (where you keep all of your business and/or personal files); you should have an Admin account and you should separately create a User account for your day to day use for personal and/or business files, so that in the instance malware makes it on to your computer in your daily use, it does not have automatic access to the Admin password that is required to change system files;
Additional Website safety precautions (in addition to powering off machines, and keeping website files updated, as mentioned above):
- Install basic protections – for example on a WordPress website you might use Wordfence Security, Login LockDown, and Anti-Malware Security and Brute-Force Firewall (or similar protections) as a first line of defense;
- If you use 3rd party services to help run your online / digital business, check with them directly to find out what precautions they use to protect the data of you and your clients;
- Check with your host to make sure that basic website protections are taken against “Denial of Service” attacks (which are frequent). To provide you with more information, I am copying a post from my friend The Grumpy Developer that he shared recently in an online group to which I belong, in case it would be helpful for you (PS. I can’t vouch for the accuracy of the statistics he provides although I assume he knows his stuff; this information should be helpful, nonetheless):
So I know WordPress is hands down the most popular site tech used here. And with good reason. Its an amazing piece of software with lots options, plugins, themes etc.
However, because of this fame, its a huge target for hackers too. While I’m NOT a security freak at all, the truth is, there are tons of automatic scripts that just automatically attack sites all over the internet. (and yours too I’m SURE). It’s nothing personal.. they just attack everything and look for weaknesses.
99.999999% of the time they can’t get in, so no harm right? Well not exactly. The act of knocking at the door, even if its locked, over and over and over again can cause your site to slow down or even crash. They’re called DOS attacks (denial of service).
Many people will blame the host or site for this. Maybe even pay for more expensive hosting when not needed.While WordPress security is a BIG topic and complicated, there is one super easy thing to do that will block 99% of all types of attacks. Blocking access to the xmlrpc.php file.
If you’re not sure, ask your host if they are already protecting you against this. If not, add this (or ask them to add this) to your “.htaccess” file. It will keep you safe from these DOS attacks.
#########################
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order allow,deny
deny from all
</Files>
If you are of the more security is better persuasion (or you have a strong online presence, a business that is going gangbusters, or you do a lot of travel), you might also consider:
- Establishing a relationship with a computer forensics, IT guru, or cybersecurity specialist (and have them on speed dial);
- Using pseudonyms when you travel, or when you hire transportation (to, um, avoid successful kidnapping schemes where kidnappers simply google the names on various cardboard or other written signs held by private transportation companies/ cabbies / etc, and then intervene in order to take advantage of a high-profile or more well-to-do traveler – yeah, unfortunately not kidding with this one);
- Use “throw away” or back-up temporary devices with limited data and limited contacts included in them when you travel (and NEVER leave electronic or wired devices in your hotel, not even in a safe, the combinations of which are often given to local police, especially in China);
- Put tape over your hotel peep-hole (often used with small video camera monitors, or peep-holes reversed);
- Again, use only a VPN, and do not connect to public or hotel wireless or other networks; and
- Use an email encryption system to place additional protection on all of your email correspondence which is one of the least protected ways of transmitting data – i.e. not ever private.
Even if you only do the things in the VERY FIRST bullet-point list above (PLUS create the second user account in addition to your Admin account on your computer, and use the second user account as your day-to-day account), you will have taken steps to protect yourself against 85% of the most common threats to the average internet user. As business owners or entrepreneurs, I personally believe we should step it up a notch, which is why I have provided some additional, relatively easy action items that should help keep you (and your business) as safe as is reasonably possible.
Of course, I am no internet security expert. And this is in no way a comprehensive list of available protections or precautions. But I do care about the subject, and these tips should help you lay your foundation for your cybersecurity plan. (Then the key is to follow it!) In a separate post I will talk specifically about the various risks addressed in this article from a legal perspective. However, next up will be your data breach plan, so you know what to do if a data breach does eventually occur.
And if this has helped you, please share this article with any colleagues or friends in business who might benefit from this information as well. Here’s to buckling up in business!
_______
For more information related to this post, see the following articles…..
DISCLAIMER: THE INFORMATION PROVIDED IN THIS POST MAY CONTAIN LEGAL INFORMATION, BUT DOES NOT CONSTITUTE LEGAL ADVICE. NO RELATIONSHIP, INCLUDING ATTORNEY-CLIENT RELATIONSHIP, HAS BEEN FORMED AS A RESULT OF THIS POST. YOU ARE ADVISED TO SEEK THE ADVICE OF AN ATTORNEY LICENSED IN YOUR STATE IF YOU HAVE ANY QUESTIONS.