Why All the Confusion With the Equifax Data Breach? 9 Steps You Need to Know to Protect Yourself


It has happened again. This time 143 million people have been impacted by this cyber breach. Why is this breach more confusing than the other data breaches, and what does that mean for you? With the Home Depot breach, the information compromised was our credit card information, allowing for fraud. With Yahoo, the information compromised was your email address, passwords, and the contents of your email, allowing for scams, fraud and phishing.

With the Equifax breach, large amounts of PII (personally identifiable information) including date of birth, social security number, home address, and phone number have been exposed. It’s possible cyber thieves can open lines of credit, bank accounts, get a driver’s license and new credit cards in your name. Identity theft can come in multiple forms from thieves being able to cash your personal checks or pick up medical prescriptions. Recovering from identity theft can take months or even years.

Equifax also has not been very forthcoming regarding the details of the breach, and it folded under public pressure over the weekend and on Monday to do more for consumers, leading to misinformation and increasing confusion for consumers.

Here are the facts on how to protect yourself with the Equifax breach:

  1. Sign up for 1-year free credit monitoring and identity theft insurance with Equifax. Equifax is offering their own service for free. That may not inspire trust, so you may want to pay for additional credit monitoring after the free year expires or use an alternative source altogether (Experian, TransUnion). If you do sign up for this, you are most likely waiving your right to sue Equifax.
  2. Check to see if you have been impacted at equifaxsecurity2017.com. This may not feel reassuring, considering Equifax has not proven its ability to protect your information, and other experts state that entering your information into the website could expose you to greater risk, but it is the way to confirm whether you have been compromised. It is not ideal, and it caused some confusion Friday morning because the site's security ID was not being recognized by Google Chrome, but it is the only way to know whether your information has been impacted.
  3. Watch your finances for unauthorized charges. Watch credit cards, bank statements, medical bills, insurance bills and new credit card applications. If you get a notice from the IRS stating you owe taxes, contact them immediately to confirm it or report it as fraud.
  4. Take this identity theft protection quiz with Legal Shred. It’s a quick and easy way to educate yourself on how to prevent identity theft.
  5. Re-evaluate your passwords. When you change your password, try to have at least 12 to 18 characters including capital letters, lower case letters, numbers and symbols. Think of a passphrase to use rather than a password. Never share passphrases with anyone. It’s also best to use a password manager like LastPass that can create passwords for you.
  6. Check the other two main credit monitoring companies: Experian (1-888-347-3742) and TransUnion (1-888-909-8872). Confirm there were no unauthorized charges in the past. You can also call Equifax (1-800-349-9960).
  7. Review the resources at the Identity Theft Resource Center. There are numerous resources on this site. This can also be a great way to encourage teens to think about how to protect their information and reduce the opportunity for identity theft.
  8. You can authorize a credit freeze. This means placing restrictions on who can view your credit report (lenders, potential employers). Equifax is offering this free for 30 days. Whether it’s done through them or another provider, it is a good thing to do.
  9. Check your annual credit report. Go to annualcreditreport.com. Equifax, Experian and TransUnion are also required to give you one free credit report a year. Take advantage and check your credit report once a quarter using each of these resources.

Lastly, breathe. This is the new normal. Remember, security is everyone’s responsibility. Control what you can control with good personal security hygiene habits.

Jessica Robinson is a writer and Founder & CEO of PurePoint International. As a cyber security & risk management expert she advises and consults with small and medium-sized businesses on cyber prevention and response. Learn more at www.the-purepoint.com.


Your Email Was Hacked, Now What? 9 Prevention Tips You Can Implement Today


In the last few weeks several people mentioned they were hacked: both personal and work email. I wanted to share a few tips that could not only prevent this from occurring, but help you respond to it. We frequently hear about how to prevent breaches of large companies; however, it’s just as important that we limit exposure of our personal accounts. Many times, it’s through our personal email or social media accounts that we compromise our business accounts, leading to breaches.

When this happens, the first question I usually get is: how did this happen? The truth is it can happen in multiple ways: a compromised website link, another affected email account within your network at work, a public WiFi network, or a compromised phone. It can be hard to pin down exactly how it occurred; the goal is to prevent it in the first place. Here are 9 tips to keep in mind and incorporate into your daily habits. Whether you are on vacation or working from a coffee shop, if you follow these tips, you will limit your risk tremendously.

Here are 9 top prevention tips to keep you from being hacked:

  1. Passphrases: When you change your password, use at least 18 characters. Think of a passphrase to use rather than a password. Never share passphrases with anyone, including co-workers.
  2. Updates: Complete the latest security updates on your computer (and phone) when prompted.
  3. Try not to use public WiFi networks: If you do, use a VPN (virtual private network). Try ExpressVPN or IPVanish VPN. When working remotely or on a personal device, use VPN software to access corporate email. Avoid accessing company email from public WiFi connections.
  4. Attachments: Never open attachments or click on links in email messages from unknown senders.
  5. Password Managers: Change passwords often. I recommend every 60-90 days. Utilize tools such as 1Password and LastPass to either help you remember passwords or to create passwords for you.
  6. Confidential information: Try to send as little sensitive information as possible via email, and send sensitive information only to recipients who require it. Limit who you cc and bcc on these emails.
  7. Anti-virus: Use spam filters and anti-virus software. There are various apps you can download for your phone, including Norton and Mobile Security and Anti-Theft Protection, among many others.
  8. Large attachments: Don’t attach large files to an e-mail; anything over one or two megabytes shouldn’t be sent via e-mail. Limit the number of files you attach to a message to five or fewer. Save attachments to your hard drive and then delete the e-mail message containing the attachment. Don’t open unexpected attachments or those sent by unknown parties. Scan files with an antivirus program before opening an attachment.
  9. Hacked: If you are hacked or your password is compromised, check any related accounts (for example, a PayPal account connected to your compromised email account, or the company bank account linked to that email account). Continue to be wary of links in emails, even if they come from a trusted source.


7 Steps to Defend Against the Ransomware WannaCry’s Potential Phase Two Attack



As of last Friday, Kaspersky recorded 45,000 detections of the variant malware in 74 countries. There were 1,600 infections in the US, 11,200 in Russia and 6,500 in China. Victims were asked to pay $300 (a sum that rises to $600 before files are destroyed) to remove the infection from PCs. Windows-based systems are affected as a result of preexisting vulnerabilities. “WannaCry is coming through spam, in which fake invoices, job offers and other lures are being sent out to random email addresses. Within the emails is a .zip file, and once clicked, that initiates a WannaCry infection.”

It was expected this attack would worsen over the weekend, but Friday afternoon, in England, a 22-year-old cyber researcher accidentally located the kill switch by registering the web domain name used by the ransomware.

It has been revealed that there are more variants of the replicating worm that do not include a kill switch and more malware infections are expected this week.

To prepare for the week:

  1. Malware Prevention – Make sure your anti-virus and anti-malware are updated.
  2. Redundancy – Ensure your data is backed up consistently throughout the day. The more often your data is backed up to a separate server or cloud source, the less vulnerable you will be to ransomware (and to pressure to pay the amount demanded).
  3. Security Configuration – Microsoft has fixed the vulnerabilities. Install security patches for MS Windows.
  4. Network Security – Install updates and reboot for MS Windows. Monitor all system networks, test security controls and limit user privileges.
  5. Training and Education – Remind teams to be very careful about what emails they open and what links they click on.
  6. Mobile and Home Security – Install updates on your personal computer and mobile devices. Keep business email communication and data on company devices and personal devices separate.
  7. Incident Management – Establish a disaster recovery plan to respond to incidents and report criminal incidents to law enforcement.

Jessica Robinson is CEO of PurePoint International, which focuses on bridging the gap between physical and cyber security.

Security in a Changed World: Cybersecurity Officially Meets Physical Security in the NY DFS Regulation


Cybersecurity experts have long espoused that cybersecurity is an enterprise-wide, board-level concern, and not just an IT problem. As evidenced by its new cybersecurity regulation, one of New York State’s top regulatory bodies fully agrees with that sentiment. The first-in-nation mandate from the New York Department of Financial Services (DFS), which regulates financial institutions (including banks and insurance companies) doing business in New York, will require companies to take a comprehensive approach to cybersecurity, protecting the confidentiality, availability and integrity of nonpublic information and information systems. But in addition to focusing on just the expected areas of information security, access controls and data privacy, DFS expressly called out “physical security and environmental controls” as a key area to be considered when developing a cybersecurity policy.

Overview of the Regulation

Broadly speaking, financial institutions that are New York State chartered or licensed are directly regulated by DFS. Although the DFS cybersecurity regulation contains certain exemptions from enforcement, including for covered entities that do not exceed certain thresholds regarding number of employees, gross annual revenue and year-end assets, DFS’s regulatory scope extends to financial institutions domiciled outside of New York State, and even outside of the US. DFS maintains a publicly available database of entities it regulates. Unless a covered entity falls within an exception, it will be covered by the new cybersecurity regulation and will have to certify compliance beginning in 2018.

Physical Security and Environmental Controls

In the age of constant cyber security attacks and IoT (Internet of Things), companies are more exposed than ever when it comes to the vulnerability of their data. In the financial sector, a high-value target for malicious and state-sponsored attackers, the threat is real that a cyber-attacker seeking specific data would try multiple forms of entry: social engineering, phishing, and weaknesses in physical security and environmental controls. According to SecurityScorecard’s 2016 Financial Cybersecurity Report:

  • 75 percent of the top 20 U.S. commercial banks (by revenue) are infected with malware, and a number of malware families were discovered within these banks, including Ponyloader and Vertexnet.
  • 95 percent of the top 20 U.S. commercial banks (by revenue) have a Network Security grade of ‘C’ or below.

The new DFS cyber regulation now requires a CISO, or an individual who takes on the responsibility of that role, in most financial institutions. But the CISO role in the financial services industry, as in all industries, will not reach its full potential without a holistic perspective of enterprise risk management, including full collaboration with physical security and crisis management leaders within the organization. All leaders should be communicating weekly on company strategy, vulnerability updates, security incidents, attempted breaches, and current investigations. Being on the front lines of physical and cyber security has never been more critical. Bridging the gap between physical and cyber security consists of 7 critical steps:

  1. Right strategy and protocols, efficient collaboration and information sharing: Have an integrated enterprise strategy that is executed from the top down. Information sharing and collaboration among the leaders of the IT, cyber security, physical security and crisis response teams is an imperative. This also includes the third party vendors of these teams. Collaborating on specific security incidents and elevated threats can identify a potential threat and certainly aid in a response to a risk.
  2. Pay attention to network and perimeter detection alarms: This includes the network security alarms that monitor network intrusions, as well as monitoring physical intrusion detection systems, digital video, temperature, HVAC, environmental, lighting alarms or sensors.
  3. Investigate perimeter vulnerabilities and hacks: All alarms, network or physical security related, should have a threshold that triggers when a specific alarm needs to be investigated. This requires consistent monitoring and evaluation of controlling entry to the physical property, assessing the legitimacy of a possible intrusion, reviewing if an intrusion was physical, technical or operational, and communicating to the appropriate channels.
  4. Conduct vulnerability tests: Tests of the network, physical perimeter, fire suppression system and other alarm sensors should be conducted regularly. Reports with follow-up action steps, audits and monitoring for further remediation should be included.
  5. Containment of breaches: Segment company data on the network. If one area of a system is breached, then segmentation will ensure that the breach is isolated to that one area. Proper access controls, ID badges, and environmental design will assist in containing an attempt of a physical breach. Containment of a breach, physical or data, is a critical part of any security strategy.
  6. Have a good Vendor Management Program: This is an official requirement of the new NY DFS regulation. To see why this is important, institutions need to look no further than the Target Corporation breach, which was initiated by a phishing attack on one of Target’s HVAC vendors. Having clear assessment and guidelines, as well as follow-up audits that include physical and cybersecurity and consistent monitoring, is key.
  7. Train your employees: Train employees on best practices so they can identify physical and cyber security red flags. If they don’t work directly on these teams, they should know what to look for and who to contact if they believe a breach occurred. If they do work in security, a security guard at a data center for instance, they should be trained to promptly follow the appropriate protocol for identification and remediation of a security incident.

As recognized in the NY DFS regulation, physical security is a key component of every financial institution’s overall cybersecurity program. The deadline for development of a cybersecurity program and policies under the regulation is August 28, 2017, so covered entities are urged to take immediate steps to assess their risks and remediate compliance gaps in order to achieve timely compliance with the regulation.

Jessica Robinson is CEO of PurePoint International, which focuses on bridging the gap between physical and cyber security.

Judy Shelby is Insurance & Technology Advisory Services Leader in Cybersecurity at BDO.