November 3, 2020
Good morning, everyone!
Top Three Ways to Protect Yourself Online – for free!
Here are three easy ways to protect yourself, your family, your identity, your company data and your customers’ data – all for FREE!
- Keep software and firmware up to date. If you do get tricked into clicking on a bad link or opening an infected attachment, that malware cannot do its job if it’s designed to exploit a software vulnerability that your device doesn’t have – because you installed the patch, you smart thing you! Installing updates as soon as they are available is the best way to secure your devices.
- Use 2FA whenever available. Two-factor authentication is fabulous for two reasons: (1) If the bad guys steal your credentials, or guess your password, they can’t log into your account without that extra step (a code sent to your phone via text or an app, a code generated by a third party app), and (2) if you get a message from an online account saying “here’s your code” and you didn’t just try to log in to that account from a new device, you know that someone else did! And you know that you need to change that password right now (on that account and any other accounts where you used the same or similar password).
- Change default passwords. Whenever you buy a new device, whether it’s a wireless router or a smart camera or a “connected” appliance, whatever, the first thing you want to do is change the default password (Secure Your Stuff!). Most botnets start searching for new victims by looking for devices that are using the (known) default passwords. You can find the default password on a sticker on the device, or on a card in the box, or you may have to look it up on the manufacturer's website. This is worth the effort!
How much do you know about your organization’s security requirements?
Many businesses are unaware of the regulatory and/or compliance standards for data security applicable to their industry. So here’s a brief primer:
This applies not just to banks, but to any commercial enterprise that offers financial products or services to consumers. This includes financial planners and advisors, tax preparers, tax and estate attorneys, accountants, commercial businesses that offer owner financing for purchases, insurance agents, etc. All these organizations are subject to the privacy and security requirements of the Gramm-Leach-Bliley Act (GLBA). The Federal Trade Commission has numerous resources on its website which explain the requirements of GLBA.
Anyone who accepts credit cards for payment needs to be compliant with the PCI Data Security Standard (PCI DSS) (full document). I recommend starting with the Quick Reference Guide. NOTE: Many small businesses mistakenly believe that having quarterly scans arranged by their merchant bank makes them PCI compliant. This is not true! There are 12 requirements in the PCI DSS, and quarterly scans satisfy only one of the 12.
Health information is subject to the security and privacy rules of the Health Insurance Portability and Accountability Act (HIPAA) anywhere that health information is stored – not just doctors and hospitals, but insurance agencies, law firms, therapists, and even the Human Resources department of your organization if you have employees’ health information for purposes of health insurance, workman’s compensation, etc.
Basic Safeguarding Rule
If you do work for the federal government, even GSA, which involves anything other than providing COTS (“commercially available off-the-shelf”) products, you are subject to the requirements of the “Basic Safeguarding Rule” (FAR 52.204-21).
If you “store, process or transmit” any covered defense information, even as a subcontractor or supplier to a prime or subcontractor of the Department of Defense, you are subject to the requirements of the DFARS clause 252.204-7012.
Defense contractors and their suppliers will soon be required to achieve independent third-party certification of their information security under the new Cybersecurity Maturity Model Certification rule, even if they don’t handle Classified or even Controlled Unclassified Information. You can learn more from our website and CMMC Update.
If you are an educational institution, you are subject to the requirements of the Family Educational Rights and Privacy Act (FERPA), and furthermore are strongly encouraged to implement the controls in NIST SP 800-171.
If none of these apply to your organization, lucky you! In this case, I would point you to the NIST Small Business Cybersecurity Corner, which has a lot of good resources that apply to any type of business, and of course the canonical standard for security is the CIS Top 20 Critical Security Controls.
Feeling overwhelmed? I can help!
As always, I could talk a lot more about this stuff! Come back next week for the next installment. :)
December 3: Ethical Duties: Practical Strategies for Safeguarding Client Information (1 hr ethics CLE)
December 10: Ethical Duties: How Technology is Undermining Attorney-Client Confidentiality (1 hr ethics CLE)
Security Awareness Training Goes Virtual
Thanks to COVID-19, lots of things are going virtual, and that includes my employee Security Awareness Training. I've set up a small studio in our conference room (nobody there but me) so I can provide live training (almost) just like before! You can see me wave my hands and make faces while a wall of fascinating facts and practical tips slideshow across your screens, wherever you and your employees may be.
Contact me to schedule your employee training sessions. They're fun! ☺
Talk to you again soon!