5 Questions the NY Attorney General is Asking TransUnion and Experian, and the 5 Questions CEOs Should Be Asking Themselves (and Their Team)

 

Leading cybersecurity can be challenging as a CEO if you don’t know what questions to ask. A top down approach is necessary for an organization to be successful in creating a cyber security culture.

With the recent Equifax breach, many CEOs who haven’t paid attention in the past are starting to ask questions. The truth is, it doesn’t matter what industry you are in, or how many employees or clients you have, just the fact that you exist as a business owner, or entrepreneur, makes you a potential target. Just like being a consumer makes you a potential victim of a breach at every place you spend money.

As a CEO, if you have large B2B clients, irrespective of industry, then that can make you a potential target for a beach because a hacker may want to use your company to get to your client. According to a study by the Identity Theft Resource Center, as many as 42 colleges and universities were victims of cyber-attacks in 2014 alone. The number of U.S. data breaches tracked through June 30, 2017 hit a half-year high of 791. This represents a significant jump of 29% over 2016 figures during the same period. According to SANS, ransomware is the top attack threat to financial institutions (55%), followed by phishing (50%).

Additionally, if you do business with, purchase from or take money from a business that has been breached, that makes you vulnerable. Since 90% of breaches impact small businesses, as a CEO, you can’t escape cyber security, no matter how small you are.

In New York, where the Department of Financial Services enacted cybersecurity regulations for the banking, financial services and insurance industries, the current Attorney General, Eric Schneiderman, is not only investigating the Equifax data breach, but asking TransUnion and Experian what their cyber security strategy was before the Equifax breach and what they have done since the breach.

There are supposedly five questions that Schneiderman’s office wants answers to from Experian and TransUnion by Friday, September 21st:

What security measures did TransUnion (Experian) have in place to ensure the safety of private consumer information before it learned of the Equifax breach, including but not limited to administrative safeguards, technical safeguards, and physical safeguards, as well any best practices or certifications of compliance with any data security regulations or leading standards?

What steps has TransUnion (Experian) taken since learning of the Equifax breach to ensure that TransUnion (Experian) has not already suffered any similar intrusions?

What steps has TransUnion (Experian) taken since learning of the Equifax breach to ensure that it does not experience breaches going forward? Please address steps to prevent both malicious hacking as well as breaches caused by employee negligence.

What steps has TransUnion (Experian) taken since learning of the Equifax breach to help consumers implement additional protections for their private data in TransUnion’s (Experian’s) possession?

Will TransUnion (Experian) consider waiving any fees it currently charges for New York consumers who wish to implement and manage a credit freeze for their files through TransUnion (Experian)?

With the CEO of Equifax testifying before Congress on October 3rd here are 5 questions all CEOs should be asking themselves (before a breach):

What is my cyber security incident response plan for when a breach occurs?

If you don’t have a plan for what to do if there is a breach you are already behind. This also means you most likely don’t have a way to proactively detect if a breach is occurring. The fallacy that you have be a multi-billion-dollar company to be impacted by a breach is false. Living Social, during the same quarter that they announced their data breach revealed the company had a first-quarter operating loss of $44 million on revenue of $135 million. We are seeing solopreneurs lawyers who haven’t taken security seriously compromise their client’s information. Your Chief Information Officer (CIO), General Counsel, or IT team can help you address this question, but as the CEO you have you lead the way.

What are the compliance risks and are they systemic across every vertical?

What are the SOC and PCI challenges that your company many not be reviewing regularly? Do you have a lawyer, or a compliance exert to help you meet regulations for your industry?  This would also be a great question to ask your lawyer or General Counsel.

How long would our business halt if we had a breach?

In other words, how many hours could your team not access email? How many days? How many days could your company go without receiving, or giving, payment until it becomes a liability for the company. One hour? One day? Some companies take up to three weeks just to access email again after a breach. What would that do to your business? Business continuity is critical. As a CEO, you have to know how long your business will stop if there is a breach and how much that will cost you. What is your risk appetite? Your CIO and IT team can help give you an accurate response to this question.

What type of data do we have and who would want it? 

For some companies, they know exactly what data they have that is of valuable. Other companies think they have nothing of value to potential hackers. Does your company collect donor information, PII, user activity or user data? Do you store intellectual property from your company or another companies? Where do you keep your financial and employee data? What data do you have that could be valuable to a third party that you don’t even realize? For example, maybe your client’s customer base. As a CEO, you should know what your most valuable data is, how you collect it and where it is stored. Your CIO or IT leader can help you identify this information.

What is our cyber insurance policy?

We are slowly approaching the point where every business should have a cyber security insurance policy. Especially if you are a B2B company, in highly regulated industries, or if your total sales are over $1 million a year. Cyber insurance will pay for a crisis communications team to help you communicate to internal and external stakeholders. They will also pay for a digital forensics team to support with the response to the breach.  The smaller the company the harder it is to bounce back from a cyber breach. This is a great question to discuss with your corporate attorney.

 

Jessica Robinson, is a writer and Founder & CEO of PurePoint International. As a cyber security expert, she advises and consults with small and medium sized businesses on cyber prevention and response. Learn more at www.the-purepoint.com.

Why All the Confusion With the Equifax Data Breach? 9 Steps You Need to Know to Protect Yourself

 

It has happened again. This time 143 million people have been impacted by this cyber breach. Why is this breach more confusing than the other data breaches and what does that mean for you?  With the Home Depot breach, the information compromised was our credit card information allowing for fraud. With Yahoo, the information compromised were your email, passwords, and contents in your email allowing for scams, fraud and phishing.

With the Equifax breach, large amounts of PII (personally identifiable information) including date of birth, social security number, home address, and phone number have been exposed. It’s possible cyber thieves can open lines of credit, bank accounts, get a driver’s license and new credit cards in your name. Identity theft can come in multiple forms from thieves being able to cash your personal checks or pick up medical prescriptions. Recovering from identity theft can take months or even years.

Equifax also has not been very forth coming regarding the details of the breach and has folded under public pressure over the weekend, and Monday to do more for consumers, leading to misinformation and increasing confusion for consumers.

Here are the facts on how to protect yourself with the Equifax breach:

  1. Sign up for 1-year free credit monitoring and identity theft insurance with Equifax. Equifax is offering their own service for free. That may not inspire trust, so you may want to pay for additional credit monitoring after the free year expires or use an alternative source altogether (Experian, TransUnion). If you do sign up for this, you are most likely waiving your right to sue Equifax. 
  2. Check to see if you have been impacted at equifaxsecurity2017.com. Though it may not be reassuring to do this considering Equifax has not proven its ability to protect your information. Other experts state that possibly inputting your information into the website could expose you to greater risks, but it is the way to confirm if you have been compromised. Though it is not the best and it caused some confusion Friday morning because the sites security ID was not being recognized by Google Chrome, it’s the only way to know if your information has been impacted.
  3. Watch your finances for unauthorized charges. Watch credit cards, bank statements, medical bills, insurance bills and new credit card applications. If you get a notice from the IRS stating you owe taxes, contact them immediately to confirm it or report it as fraud.
  4. Take this identity theft protection quiz with Legal Shred. It’s a quick and easy way to educate yourself on how to prevent identity theft.
  5. Re-evaluate your passwords. When you change your password try to have at least 12- 18 characters including capital letters, lower case letters, numbers and symbols. Think of a passphrase to use versus a password. Never share passphrases with anyone. It’s also best to use a password manager like Last Pass that can create passwords for you.
  6. Check the other two main credit monitoring companies: Experian (1-888-347-3742) and TransUnion (1-888-909-8872). Confirm there were no unauthorized charges in the past. You can also call Equifax (1-800-349-9960).
  7. Review the resources at the Identity Theft Resource Center. There are numerous resources on this site. This can also be a great way to encourage teens think about how to protect their information and reduce the opportunity of identity theft.
  8. You can authorize a credit freeze. This means placing restrictions on who can view your credit report (lenders, potential employers). Equifax is offering this free for 30 days. Whether it’s done through them or another provider, it is a good thing to do.
  9. Check your annual credit report. Go to annualcreditreport.com. Equifax, Experian and TransUnion are also required to give you one free credit report a year. Take advantage and check your credit report once a quarter using each of these resources.

Lastly, breathe. This is the new normal. Remember, security is everyone’s responsibility. Control what you can control with good personal security hygiene habits.

Jessica Robinson, is a writer and Founder & CEO of PurePoint International. As a cyber security & risk management expert she advises and consults with small and medium sized businesses on cyber prevention and response. Learn more at www.the-purepoint.com.

 

Your Email Was Hacked, Now What? 9 Prevention Tips You Can Implement Today

 

In the last few weeks several people mentioned they were hacked: both personal and work email. I wanted to share few tips that could not only prevent this from occurring, but help you respond to it.  We frequently hear about how to prevent breaches of large companies, however its just as important that we limit exposure of our personal accounts. Many times, it’s through our personal email or social media accounts that we compromise our business accounts leading to breaches.

When this happens, the first question I usually get is: how did this happen? The truth is it can happen in multiple ways: a compromised website link, another affected email account within your network at work, public WiFi network, or your phone was compromised. It can be hard to pin down exactly how it occurred; the goal is to prevent it in the first place. Here are 9 tips to keep in mind and incorporate into your daily habits. Whether you are on vacation or working from a coffee shop, if you follow these tips, you will limit you risk tremendously.

Here are 9 top prevention tips to keep you from being hacked:

  1. Passphrases: When you change your password (try to have at least 18 or more characters). Think of a passphrase to use versus a password. Never share passphrases with anyone, including co-workers.
  2. Updates: Complete the latest security updates on your computer (and phone) when prompted.
  3. Try to not use public WiFi networks: If you do, use a VPN (virtual private network). Try Express VPN or IPVanish VPN. When working remotely or on a personal device, use VPN software to access corporate email. Avoid accessing company email from public WiFi connections.
  4. Attachments: Never open attachments or click on links in email messages from unknown senders.
  5. Password Managers: Change passwords often. I recommend every 60-90 days. Utilize tools such as 1 Password and LastPass to either help you remember passwords or to create passwords for you.
  6. Confidential information: Try to send as little sensitive information as possible via email, and send sensitive information only to recipients who require it. Limit who you cc and bcc on these emails.
  7. Anti-virus: Use spam filters and anti-virus software. There are various apps you can download for your phone including Norton and Mobile Security and Anti-Theft Protection among many others.
  8. Large attachments: Don’t attach large files to an e-mail; anything over one or two megabytes shouldn’t be sent via e-mail. Limit the number of files you attach to a message to five or fewer. Save attachments to your hard drive and then delete the e-mail message containing the attachment. Don’t open unexpected attachments or those sent by unknown parties. Scan files with an antivirus program before opening an attachment.
  9. Hacked: If you are hacked or your password is compromised, check any related accounts (for example, if you have a PayPal account connected to your compromised email account, or the company bank account linked to that email account). Continue to be weary of links on emails, even if it comes from trusted source.

 

Jessica Robinson, is a writer and Founder & CEO of PurePoint International. As a cyber security & risk management expert she advises and consults with small and medium sized businesses on cyber prevention and response. Learn more at www.the-purepoint.com