“Regarding social media, I really don’t understand what appears to be the general population’s lack of concern over privacy issues in publicizing their entire lives on the Internet for others to see to such an extent… but hey it’s them, not me, so whatever.” Axl Rose

Yes, that quote is really from Axl Rose. 

As in Axl Rose, the lead singer of Guns N’ Roses.

When the frontman for the “most dangerous band in the world” starts talking about data privacy, you know the issue is part of the cultural zeitgeist.


Big tech companies have a big problem

Machine learning happens when software programs “teach” themselves by using algorithms to extract and analyze a lot of data. And you may not realize it, but advances in machine learning have changed everything about our digital experience.  

Voice-recognition assistants like Siri and Alexa use machine learning to recognize commands. 

Social media and streaming platforms use it to recommend connections and content. 

Banks rely on machine learning to detect fraudulent activity and identify scams. 

Machine learning allows educational software to customize sessions for each student.

Basically, machine learning makes our lives markedly easier. But this ease comes at a tremendous cost.

Because machine learning requires a tremendous volume of incredibly detailed and frequently updated user data, technology companies tend to conveniently “forget” about privacy, leaving discussion of their privacy policies and programs until the last afternoon of a weekend retreat at the end of the year.

And so, often without even realizing it, technology leaders set themselves up to fail.

Privacy (by Design, that is)

Were you thinking about privacy when you founded your startup? 

It’d be great if the answer was a wholehearted “YES!” but even if you’re just now joining the party, there are still lots of ways to make privacy a guiding light for your tech company. Where do you start? Consider Privacy by Design.

Privacy by Design, a concept originated by the former Information and Privacy Commissioner of Ontario, Ann Cavoukian, operates on seven core principles: 

  • Being proactive, not reactive 
  • Making privacy the default setting 
  • Embedding privacy into design of all things 
  • Fully functional privacy 
  • End-to-end security 
  • Visibility and transparency for all stakeholders 
  • Respect user privacy

While Privacy by Design is actually required for website developers under the EU’s General Data Protection Regulation, it’s also important for tech companies to consider. It provides the opportunity to refocus products, operations, services—really, anything in the scope of their business—on their users’ right to privacy. It doesn’t need to be any more complicated than having a finance department that handles payroll or a marketing department that sends out email.

When done correctly, it’s just part of the process. 

Social media

You’d think after watching Mark Zuckerberg get hauled into a Congressional hearing after the Facebook/Cambridge Analytica scandal that other social media CEOs would make privacy a priority. But so far, they seemingly haven’t.

Clubhouse, the newest social media app taking the world by viral storm, is a prime example of tech companies putting profits before privacy.

Clubhouse is a free, audio-only app that is kind of like an old-school conference call, except that anyone in the world can join in on conversations hosted by experts on topics ranging from cryptocurrency to Real Housewives to immunology. Going from two million users in January 2021 to 10 million by February 2021, Clubhouse is so popular you have to be invited by a current user to even access the platform.

At first glance, Clubhouse seems like it would be a privacy dream. No video. Nothing is recorded. Hosts can kick trolls out of their rooms, block people from joining, keep people from speaking…it feels like Twitter and Facebook had a baby, gave it a flip phone instead of a smartphone, and set strict house rules for inviting friends over. 

But the reality is much more complicated.

Right now, Clubhouse allows new users to invite two friends to join the app. But to invite those two friends, users have to give Clubhouse access to all their contacts. 

All of them. 

Let’s say you, a privacy-savvy consumer, decide to join Clubhouse but are smart enough to protect yourself and your friends by not sharing your contacts. You don’t invite anyone. That doesn’t mean you’re safe lurking anonymously in the back of Clubhouse chat rooms. Once you sign up, Clubhouse notifies everyone who has you in their contacts that you are there, even if they aren’t in your contacts.

Facebook has updated their privacy settings and given its users more options for protecting their profile. Instagram now allows ‘Grammers to manage which and how many photos the app can access. Twitter allows you to change the privacy settings for each tweet. All three apps require an email address, and while they offer phone number verification, you don’t have to give them your phone number to use the platforms.

Clubhouse has none of those options.

You have to give Clubhouse your phone number. The app also doesn’t have great options for moderating or removing hate speech and dis/misinformation, though the company says it’s working on that. On February 24, 2021, Clubhouse confirmed their security had been compromised and hackers had figured out how to live-stream feeds from multiple rooms. According to Business Insider, the Stanford Internet Observatory (SIO) found some of Clubhouse’s back-end infrastructure was transmitting audio and data traffic without encryption.

Everything but the kitchen sink

We’ve gotten so used to companies taking data from us for everything that everyone, from users to Clubhouse engineers themselves, probably doesn’t even realize the risk this type of sweeping, all-encompassing data collection practice exposes everyone to. Consumers put themselves at risk of having their identities stolen, identifying information exposed, and accounts hacked.

And for businesses, freewheeling data and privacy policies can cause lasting and permanent damage. Take a look at American Express’ list of seven risks every business should plan for:

  • Economic
  • Financial
  • Reputation
  • Operational
  • Competitive
  • Compliance
  • Security

With increasing privacy legislation like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), companies that don’t give their privacy program the same consideration as their human resource, financial, and legal policies are taking on risk in every single one of these categories.

The CCPA levies civil penalties of $7500 for intentional violations of its restrictions and $2500 for each unintentional violation. This means that if you wait to shore up your privacy policy and you get caught not being able to tell a consumer what data you’ve collected from them or if your users’ personal data is exposed after a hack, you can accidentally cost your company tens of thousands of dollars. The law also allows the California Attorney General to seek an injunction against and halt business operations of offenders.

While the CCPA is the first and most aggressive privacy law in the United States, it definitely won’t be the last. States across the country either have passed or are considering a multitude of privacy laws, including some that are more robust than anything California has enacted. Privacy rights are the wave of the future, and waiting to do something about it increases the risk you’ll fall afoul of regulatory requirements.

Is there another part of your enterprise that you’d leave so vulnerable?

Don’t leave your door unlocked, and don’t expect IT to lock all the doors either

In 2015, Apple CEO Tim Cook gave a speech about privacy and security. It’s a great speech that provides some key insights into a mind that is shaping the world’s tech future. Even five years later, there’s a quote that still stands out:

“If you put a key under the mat for the cops, a burglar can find it, too.”

And since then, he’s spoken about the imperative for the digital marketing market to stop horning in on people’s privacy. At the Privacy & Data Protection conference in January 2021, he said:

“As I’ve said before, if we accept as normal and unavoidable that everything in our lives can be aggregated and sold, we lose so much more than data, we lose the freedom to be human. And yet, this is a hopeful new season, a time of thoughtfulness and reform.”

With this, Cook is highlighting how mission-critical privacy is for companies. When companies put sales and revenue growth ahead of privacy and security, they are taking on as significant a business risk as leaving their offices unlocked.

Luckily, you don’t have to be a privacy expert or a tech genius to take real steps to protect your company.

Prioritize privacy

Smart companies protect themselves by making their privacy program part of their core operations. Human resources, legal, financial, product and engineering, operations, and IT departments should be working collaboratively on workflows and processes that integrate forward-thinking data privacy policies across the entire organization. If you need help figuring out how to start, check out our privacy strategy, privacy compliance, and fractional privacy officer services. 

Train. And then train again.

Going along with the theme that every department should be part of developing your privacy program, it won’t do you any good to create the most amazing privacy program in the world if your employees don’t understand it. Privacy training doesn’t have to be full-spectrum seminars (but it can be!). Weekly email reminders, a quick agenda item in regular staff meetings, and small sections in a newsletter are all great ways to reinforce your expectations.

Less is more

One reason you need every department involved in your organization’s privacy work is you need to figure out exactly what data you need from users and employees to optimize your systems. And then you need to collect exactly that and nothing else. Limiting data collection decreases both your risk and your data storage costs while simultaneously making it easier for you to manage an agile response to changes in privacy regulations and best practices.

Sell it!

For some reason, companies that sacrifice privacy for sales and growth forget that being privacy-friendly gives you a competitive advantage. You need to use it.

Remember that Tim Cook speech referenced earlier? Check out what else he said:

“I’m speaking to you from Silicon Valley, where some of the most prominent and successful companies have built their businesses by lulling their customers into complacency about their personal information. They’re gobbling up everything they can learn about you and trying to monetize it. We think that’s wrong. And it’s not the kind of company that Apple wants to be.”

Apple doesn’t need privacy to differentiate itself. They launched our modern smartphone culture, made everyone a photographer, forever altered software development and distribution, and changed the way we access the internet. But they are smart enough to see that while everyone is willing to invest in developing the next generation of big data tech, far fewer companies are willing to put their resources towards protecting that data.

Google Chrome controls 69% of the browser market and has a much higher usage rate than Apple Safari, but Apple was first to eliminate third-party cookies. They require software developers to include privacy labels detailing what type of data is collected for every app sold in the App Store. In short, Apple’s forward-thinking privacy policies have allowed them to continue changing their industry, even as other companies catch up technologically.

Your company can be like Apple. You can go beyond what is legally required to give your consumers maximum control of their personal information. And then, like Apple, you can control the conversation. 

Keep your eyes on the prize

Don’t get lost in the race to create and sell the best tech. Make sure you remember that your consumers are not your product. Their trust is the product that will make you perpetually profitable.

If you need expert help matching your privacy program goals to what is actually happening in your company, get in touch today and let Red Clover Advisors show you how easy and affordable privacy compliance can be.

Privacy compliance is a long road. Luckily, you don’t have to go it alone.

Privacy management software can help you set up a robust privacy program. But without a privacy expert, you will be driving blind.

If privacy laws had a relationship status, it would be “It’s complicated”

If you’re reading this article, chances are you know at least the basic outline of today’s data privacy landscape. Maybe you are already compliant with the European Union’s General Data Protection Regulation (GDPR), or maybe you’re in charge of managing a California Consumer Privacy Act (CCPA) compliance program.

Maybe you are really on top of things and are heading up a project to be ready for the 2022 California Privacy Rights Act (CPRA) rollout.

But even if these acronyms don’t mean anything to you (yet), you recognize that companies need strong data privacy programs to stay competitive in the marketplace.

The California State Legislature and the EU General Assembly were the first governing bodies to pass modern, aggressive privacy laws, but they definitely won’t be the last. Right now, dozens of states are considering California-esque bills that will continue the trend of giving consumers more control over how their personal information is collected and used online well into the next decade. 

While the laws vary across jurisdictions, there are some common themes including:

  • Expanding the definition of what’s considered “sensitive personal information” beyond names, birthdays, and SSNs by adding things like your phone number, health information, sexual orientation, religion, political affiliation, etc.
  • Giving consumers a way to deny permission to have their sensitive personal information collected, shared, or sold
  • Requiring companies to provide transparent and understandable privacy and cookie notices at or before the time they collect personal data
  • Mandating companies take reasonable security measures to protect consumer data
  • Levying harsh civil, even criminal, fines and punishments for noncompliance or if data breaches result in consumers’ personal information being exposed

So if you’re here and reading this, you know enough to know you probably need help to manage it all.

The United States is a melting pot — and so are its privacy laws

Unlike the EU, which took a unilateral approach to defining privacy law for all member states—although it should be noted that member states do have unique laws pertaining to data privacy on top of them—the United States has adopted a sectoral approach to privacy, meaning that unless the data is part of a federal regulation like HIPAA, privacy and data protection laws are by and large driven by individual states.

Because so much of our nation’s economy and tech infrastructure comes out of California, most large corporations complied with CCPA regulations. This new best practice standard shifted consumer expectations, leading to a domino effect of mid-sized and small businesses following suit.

But other states are now working on their own laws, making internet privacy the wild west, with each town having a different sheriff.

And the digital world isn’t going anywhere anytime soon. In 2020, consumers dropped a cool $861.12 billion in e-commerce sales with U.S. merchants alone. The Internet of Things continues to drive technological advancements. 

Companies increasingly need a data privacy expert to guide them through the unmarked places on the map.

Enter Privacy as a Service (PaaS).

PaaS is your own personal privacy butler

Batman’s butler, Alfred Pennyworth, makes Batman’s life so much easier. Working quietly behind the scenes, Alfred keeps the Batmobile tuned up, the suits ready, and the gadgets loaded. He is the reason Batman can swoop down into the Batcave and rush out to save Gotham without thinking twice.

If you do business in multiple jurisdictions, have a complicated privacy program, or manage large amounts of personal data, PaaS (also known as Data Protection as a Service or DPaaS) can be your Alfred.

PaaS is a software platform that offers products and services to help you operationalize your company’s privacy program. It can be a real lifesaver for companies that don’t have a dedicated privacy team.

Privacy management groups like OneTrust build solutions that use advanced machine learning to help you build a program that complies with whatever privacy regulations affect you while simultaneously helping you be smarter about your data collection. 

Assessments and mapping and permissions, oh my!

Here is what PaaS can do for you:

  • Conduct privacy impact/data protection impact assessments for automating privacy processes
  • Map your data and help you collect a data inventory (data inventories, required by many new legislations, make it possible for you to remove/correct consumer data more easily and accurately)
  • Identify and predict risk and other weak points in your processes
  • Create and deploy privacy notifications, cookie consent banners, etc. with the standard contractual clauses required by law
  • Establish least-privilege access permission structure
  • Manage app consent processes on mobile devices
  • Automate breach incident actions and notifications
  • Onboard vendors and mitigate the risks they pose
  • Establish compliance with laws and regulations across multiple jurisdictions

It’s important to note that, while as close as cousins, PaaS programs are not the same thing as cybersecurity. The best privacy programs integrate privacy solutions into their larger cybersecurity plan.

But Alfred can’t be Batman…

I rarely tell clients that investing in privacy management software is a bad idea. 

But I also rarely tell them it’s all they need.

Anyone who has tried to get Siri or Alexa to answer a nuanced question knows that machine learning and AI have their limitations. Privacy management software is critical for companies to set up automation that can help with the privacy process, but if you don’t have a privacy expert guiding you through the process, well, you might as well hand the Batmobile keys and the Batarang to Alfred and send him off to save Gotham from the Joker.

The Joker (hackers, data thieves, and general internet bad guys) will win.

But if you combine the technology from the Batcave (privacy management software) with the experience and knowledge of Batman (your privacy expert), then you are in good shape.

Let’s leave the Batcave and talk about what this would look like in the real world.

Data Inventories

Data inventories are a big part of privacy programs, but let’s face it—they can be a big undertaking. However, the right software can cut down on the legwork by finding and documenting data. 

This alone is hugely helpful, but it doesn’t cover all your bases. You still need to determine the legal basis for data collection for GDPR. Or if the data has been sold under the scope of CCPA. Or if you can even collect and use that data in the first place. 

These kinds of questions are why privacy professionals are a critical resource for businesses. They have technical expertise and industry insight that can help you get answers—and solutions—to these questions. 

Social Media 

Facebook, Instagram, Twitter, and LinkedIn have historically been free advertising channels for businesses. But events like the Facebook/Cambridge Analytica scandal have made consumers much less likely to share personal information online.

The GDPR and CCPA control what categories and types of personal data a business can store about its users, but not all of the ramifications are clear yet. 

For example, it’s totally normal for a social network to host digital advertising. If a user clicks a link in one of those ads, now the app and the advertiser have the consumer’s information. Was the consumer adequately notified before the advertiser started collecting data? Is the activity considered the sale of data under CCPA? How should that be disclosed to the consumer?

The same principle works in reverse. If you have buttons for users to share your blog post or infographic on their social media accounts, are you confident you don’t have any exposure regarding whatever data that app collects from them? 

Notifications

The laws regarding privacy notices and cookie consent are constantly changing. Now that Apple and Google are eliminating third-party cookies, industry best practices are changing too. A privacy expert can help you maximize the functionality of your privacy management software so that your notifications are accurate and in line with industry standards, and so that you stay ahead of your competitors. If you do this, your privacy program can be a differentiating factor instead of just a cost center.

Individual rights requests

One of the most complicated parts of CCPA is the individual rights request provision. Under CCPA, consumers have the right to see what data you’ve collected about them and correct it if it’s wrong or delete it altogether.

Privacy management software can help you map the data so you can find it easily and quickly, but it can’t train your employees on how to execute a request. It can send notifications, but it can’t parse nuanced data to see if the request is valid. For that, you need a privacy expert.

Privacy isn’t a one and done

Privacy is complex. So is software. And the implications of the wrong choice can be overwhelming! Don’t feel like you need to manage your company’s privacy program on your own.

Using privacy management software can dramatically simplify your life, but if you don’t do it right, you’ll have a false sense of security. To have full confidence, you need to combine your PaaS program with the advice and knowledge of an expert. This expert doesn’t have to be a full-time employee. You can hire a consultant or cross-train another employee.

Whatever you choose, remember to do regular checkups to make sure your program is keeping up with constantly changing legislation.

At Red Clover Advisors, we are experts in data privacy programs and training. If you need help picking a privacy management program, implementing the program you’ve picked, or maximizing your PaaS, drop us a line.

In 17th and 18th century England, highwaymen—thieves who traveled and robbed on horseback—concealed themselves along wooded sections of major roads leading out of London, waiting for the chance to stop vulnerable travelers in stagecoaches and carriages with a loud “Stand and deliver.” 

This was code for “hand over your jewelry, purse, money, weapons, and whatever else you’ve got right now before we shoot you!”

Highwaymen faded into history by the mid-1800s, but on today’s cyber highways, new highwaymen are lying in wait outside weak passwords, missing patch updates, and phishy emails, ready to steal sensitive financial data, personal information, and proprietary intellectual property.

Like the highwaymen of old England, hackers may have specific targets or they may attack indiscriminately. Either way, everyone from big corporations to government agents to regular people running regular businesses have what they want — data.

Because in today’s world, data=$$$$$.

All the bad actors

Most people use the term “virus” to talk about any external program that disrupts computing functions, but a virus isn’t the same thing as spyware. Trojans aren’t the same as ransomware. 

These guys are all malware, but they work differently. Because of that, a basic understanding of how each type of malware infiltrates and attacks your system is critical to understanding how to both protect against them and how to get rid of them if your defenses fall.

As hackers have become more sophisticated, they have developed hybrid or exotic malware: malware that combines two or more techniques into a complicated, multi-step attack capable of inflicting layers of damage while remaining undetected for a long time, sometimes years.

Ransomware — the internet’s highwayman

Ransomware is malware that attacks a system by heavily encrypting data and holding it hostage until the victim pays an untraceable cyber currency “ransom” for its return. Computers are most commonly infected with ransomware when a user opens seemingly benign but malicious email attachments. 

Ransomware can also be activated by clicking on links in social media messaging apps or through drive-by downloads that happen when you visit compromised websites.

Ransomware has been around since 2005. Its popularity ebbs and flows, but according to Cybersecurity Ventures, a company was attacked by ransomware every 11 seconds in 2020. The potential cost by end-of-year is estimated at $20 billion.

There are many reasons for this trend in ransomware hacks. An entire industry has sprung up around the development and sale of ransomware kits, meaning even people who aren’t expert coders can activate an attack. Expert coders who are criminally minded, however, have developed new ways to create ransomware capable of operating across platforms while encrypting ever-increasing amounts of data.

Additionally, COVID-19 transformed entire industries to a mostly remote workforce almost overnight, leaving all kinds of gaps in security and data protection systems.

Because they are less likely to have robust cybersecurity protocols, small- and medium-sized businesses have historically been the most frequent targets of ransomware. But 2020 brought a dramatic increase in ransomware attacks against K-12 school systems, hospitals and healthcare systems, police departments, and municipalities, all groups who rely on technology to provide a necessary public service and who are likely to have insurance policies capable of “standing and delivering” on a ransom demand. 

The attacks against these types of organizations have also revealed the modern-day highwayman’s newest weapon: double extortion ransomware.

Double extortion ransomware

Double extortion ransomware takes the original concept of ransomware — pay up if you ever want to see your files again — and takes it one step further. Instead of just threatening to delete your files forever, hackers are now threatening to sell your data on the dark web.

This newest variation has made hackers more likely to specifically target large corporations or more valuable information (or both). It also has made victims more likely to make sure the ransom is paid and thus avoid having proprietary information sold to competitors or being held liable for their customers’ personal information being available to criminals around the world.

Adding insult to injury, it’s possible, even likely, that the victim pays and the digital highwayman doubles their profit by selling the data anyway.

Protect yourself against highway robbery

The recent SolarWinds hack, in which Russian hackers gained entry to multiple government agencies including the Department of Homeland Security, the Commerce Department, the Treasury Department, the Justice Department, and the State Department (as well as tech giants Microsoft, Cisco, Belkin, and Intel), is a perfect example of why it’s so important to shore up your defenses.

Note: Keep SolarWinds in the back of your mind. We’ll come back to it.

Defending against ransomware, especially double extortion ransomware, isn’t easy, but it’s definitely doable. The solutions are common-sense solutions that any cybersecurity professional will tell you. In fact, you’ve probably been told about them at least once already. So do your future self a favor and listen up. 

Train your employees

There are a lot of high-tech, complicated things you can (and should) do to protect your data, but one of the most effective and least expensive things you can do to protect against hacks is to train your employees regularly and well.

The top three most common vectors for infection are email attachments, drive-by downloads, and malicious links. You can dramatically reduce your risk for breaches if you teach your teams:

  • What phishing emails look like 
  • Why they can’t enable macros in their email (Microsoft now has macros off as a default setting, but everyone has those employees who insist on turning them on)
  • How critical it is to avoid clicking links in emails you don’t recognize and/or downloading attachments from people you don’t know
  • What can happen if they download unapproved/not whitelisted software and/or apps
  • When it’s appropriate to give a program administrative permissions

Remember — these “training sessions” don’t need to be day-long events. You can spend five minutes in a staff meeting explaining why employees need to stay off public WiFi connections or send a weekly email reminder about policies on using company devices for personal reasons (or vice versa). IT can teach staff how to set strong passwords through a post on internal message boards. 

The important thing in establishing a privacy culture is consistency and clarity from the top down.

Backup your data

Yes, I know. Technically, backing up your data won’t protect you from a ransomware attack, but it can lessen the severity of the fallout. 

Most ransomware is coded to look for and encrypt/delete backup files, which means your backed up data will be useless if it’s accessible from your main operating system. It’s most effective if you use a tiered or distributed backup strategy, prioritizing the most important data first and backing up data regularly using several modalities (cloud, external hard drive, etc.). 

One caveat — make sure your system has been cleared of any virus before you restore your backups. You don’t want to infect your backups and start the whole thing over again.

One more caveat — backing up your data may not help you if you are dealing with double extortion ransomware. As Justin Daniels, a shareholder, attorney, and cybersecurity expert at law firm Baker Donelson tells us, “Since double extortion ransomware is the latest variant, merely having separate backups is not sufficient. This type of ransomware means companies need to have in-depth cyber defenses that can identify the ransomware before it exfiltrates data as a prelude to the encryption of the company’s network.”

Use robust security software

I hate to break it to you, but if your small business is using a free download of basic antivirus software, you’re doing it wrong.

You need a comprehensive, behavior-based security solution. Most conventional antivirus software runs signature-based programs, meaning the program looks for the specific code markers of known viruses. This is why your antivirus program is regularly pushing out updates—when new virus markers are discovered, antivirus companies engineer a solution to be added to your system.

By contrast, behavior-based security programs monitor activity and flag/halt deviations in normal behavior patterns. Using machine learning, this type of software can detect suspicious activity before a malicious code can fully deploy.
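To make the difference concrete, here is an added toy comparison in Python (not code from the original post): a hash signature that a one-byte repack of the sample defeats, beside a behavior rule that flags a process rewriting many files with ciphertext-like, high-entropy content in a short window. The sample bytes, file events, and thresholds are all constructed assumptions.

```python
"""Toy comparison of signature-based and behaviour-based detection (constructed data)."""
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass

# --- Signature-based: the scanner knows exact hashes of samples seen before ---
KNOWN_BAD_SAMPLE = b"MZ\x90\x00" + b"constructed-ransomware-sample-body"  # constructed stand-in
SIGNATURES = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}


def signature_scan(binary: bytes) -> bool:
    """True only when the file's hash is already on the blocklist."""
    return hashlib.sha256(binary).hexdigest() in SIGNATURES


# --- Behaviour-based: the monitor watches what a process does to files ---
@dataclass(frozen=True)
class WriteEvent:
    pid: int
    t: float      # seconds since monitoring started
    path: str
    data: bytes   # content written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 3 to 5, ciphertext approaches 8."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def behaviour_scan(events, window=10.0, min_files=20, min_entropy=6.5):
    """Flag any pid that rewrites at least `min_files` distinct files with
    high-entropy content inside a `window`-second sliding window."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)
    flagged = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.t)
        hot = [shannon_entropy(e.data) >= min_entropy for e in evs]  # computed once per event
        start = 0
        for end in range(len(evs)):
            while evs[end].t - evs[start].t > window:
                start += 1
            files = {evs[i].path for i in range(start, end + 1) if hot[i]}
            if len(files) >= min_files:
                flagged[pid] = len(files)
                break
    return flagged


def pseudo_random_bytes(seed: str, n: int) -> bytes:
    """Deterministic ciphertext-like bytes so the example runs identically every time."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:n]


def constructed_events():
    """pid 100 is an editor saving a few notes over a minute; pid 200 overwrites
    30 documents with ciphertext-like data in three seconds (constructed, not a capture)."""
    evs = [WriteEvent(100, i * 12.0, f"/home/u/notes{i}.txt", b"meeting notes " * 40)
           for i in range(5)]
    evs += [WriteEvent(200, 0.1 * i, f"/home/u/docs/report{i}.docx.locked",
                       pseudo_random_bytes(f"report{i}", 1024))
            for i in range(30)]
    return evs


if __name__ == "__main__":
    variant = KNOWN_BAD_SAMPLE + b"\x00"  # one-byte repack: new hash, same behaviour
    print("signature hits original sample:", signature_scan(KNOWN_BAD_SAMPLE))
    print("signature hits repacked variant:", signature_scan(variant))
    print("behaviour rule flags pids:", behaviour_scan(constructed_events()))
```

The point of the run is that the repacked variant slips past the hash check entirely, while the behaviour rule flags pid 200 as soon as its twentieth high-entropy rewrite lands inside the window.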

Re-evaluate your permissions structure

Vulnerabilities in permissions access are one of the most common ways hackers specifically target sensitive information. It always shocks clients when we do a data audit and they realize there is a customer service rep with access to a database full of SSNs or that sensitive data sets have an admin who left the company three years ago.

There are two things you can do to improve your data privacy and data security programs. First, implement the least privilege principle for data access. This means people have access to the smallest amount of data needed to complete their tasks. 

Second, consider a zero trust model for your cybersecurity plan. Zero trust means nothing is trusted because of where it sits: every user, device, and request is authenticated and authorized on its own merits, whether it originates outside your network or from a laptop already plugged into it. You can read more about the concept and how to implement it here.
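
The data audit described above can be scripted. The following is an added example (not the article's or any vendor's code) that reconciles three constructed records: an HR roster, a data inventory listing which roles are approved for each access level, and the grants actually configured. Every name, role, data set and grant in it is made up; the point is the shape of the check, which you would feed from your real identity provider and database ACLs.

```python
"""Added example (not from the original article): a least-privilege review of
who can reach what, run over constructed records. The HR roster, data
inventory, grants, names and roles below are all made up for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    user: str
    dataset: str
    level: str          # "read" or "admin"


# Constructed HR roster: user -> (role, still employed?)
ROSTER = {
    "alice": ("engineer", True),
    "bob":   ("customer_service", True),
    "carol": ("finance", True),
    "dave":  ("engineer", False),   # left years ago; account never cleaned up
}

# Constructed data inventory: which roles are approved for each access level.
INVENTORY = {
    "customer_ssn_db": {"sensitive": True,
                        "read": {"finance"}, "admin": {"security"}},
    "support_tickets": {"sensitive": False,
                        "read": {"customer_service", "engineer"}, "admin": {"engineer"}},
}

# Constructed grants as actually configured on the systems.
GRANTS = [
    Grant("alice", "support_tickets", "admin"),
    Grant("bob",   "support_tickets", "read"),
    Grant("bob",   "customer_ssn_db", "read"),    # support rep with SSN access
    Grant("carol", "customer_ssn_db", "read"),
    Grant("dave",  "customer_ssn_db", "admin"),   # departed admin
]


def review_grants(grants, roster, inventory):
    """Return (grant, reason) pairs that violate least privilege."""
    findings = []
    for g in grants:
        if g.user not in roster:
            findings.append((g, "account not in HR roster"))
            continue
        role, active = roster[g.user]
        if not active:
            findings.append((g, "inactive account still holds access"))
            continue
        ds = inventory.get(g.dataset)
        if ds is None:
            findings.append((g, "data set missing from inventory"))
            continue
        if role not in ds.get(g.level, set()):
            findings.append((g, f"role '{role}' not approved for {g.level}"))
    return findings


def prioritize(findings, inventory):
    """Order findings worst-first: sensitive data before non-sensitive,
    admin before read. Unknown data sets are treated as sensitive."""
    def key(item):
        g, _ = item
        sensitive = inventory.get(g.dataset, {}).get("sensitive", True)
        return (not sensitive, g.level != "admin", g.user)
    return sorted(findings, key=key)


if __name__ == "__main__":
    for g, reason in prioritize(review_grants(GRANTS, ROSTER, INVENTORY), INVENTORY):
        print(f"{g.user:6} {g.level:5} {g.dataset:17} {reason}")
```

Two design choices matter more than the code. Accounts that are missing from the roster, and data sets that are missing from the inventory, are reported as findings rather than skipped, because "nobody knows what this is" is exactly the gap an attacker uses. And the review is keyed on HR status, not on whether the account is enabled in the directory, since the departed-admin case is precisely the one where the directory was never updated.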

Have a recovery plan

You don’t want to wait until you’re in the middle of a breach to decide what you should do. To quote Ben Franklin, “By failing to prepare, you are preparing to fail.” 

Look at your data and create a hierarchy for your information. What information could you absolutely not operate without? Protect that first. Then move to the next most important data set and protect that.

Once you know what you are protecting and where it is backed up, you can start developing your recovery strategy. Your disaster recovery plan should: 

  • Identify the personnel needed to manage a breach
  • Include detailed documentation on your network infrastructure
  • Determine the data, technologies, and tools needed for each department to function and how long each group can function without it
  • Define a communications plan, including who is notified first (both internally as well as vendors) and how they are notified
  • Set clear recovery time objectives (RTO) and recovery point objectives (RPO)

You can find more information about setting up a disaster recovery plan here. Once you have a plan, you need to test it frequently. Practice simulations and table-top exercises and document what works and what doesn’t. Update your plan as your systems change. 

The time you spend on a solid plan will save you hours of pain if you’re ever actually hacked.

Back to SolarWinds

Okay, SolarWinds. How did the Russians manage to gain access to the top government agencies of the world’s reigning superpower and multiple global corporations? 

They didn’t need to trick anyone’s employees at all. They came in through a trusted vendor’s software update.

The attackers planted a backdoor in a signed update for Orion, the network-management platform made by SolarWinds, a company with roughly 300,000 customers. Close to 18,000 of those customers installed the poisoned update, which gave the attackers a foothold inside each of those networks. On the much smaller set of victims they chose to pursue, they moved through the network, exploited further weaknesses, and collected data undetected for roughly nine months. Every expert out there says there are undoubtedly more victims than we know about and that it will take years to understand the full impact of the damage this single hack caused.

SolarWinds wasn’t a ransomware attack, but if it had been, the results could have been even more catastrophic. Implementing the failsafes listed above may not have completely stopped the hack, but it could have reduced the number of victims or shortened the amount of time it took to find the malware.

Things to remember in a stickup

Sadly, even the most prepared companies fall victim to ransomware bandits. Besides activating your well-tested and frequently updated disaster recovery plan, here are a few tips to keep in mind:

  • Identify and isolate the infected device. Disconnect it from your network and any shared drives, and turn off its WiFi and Bluetooth. Prefer isolating over powering off: the memory of a running machine may hold evidence and, for some ransomware families, the encryption key. Power it down only if you cannot disconnect it any other way.
  • Isolate everything else. If there were any other devices or computers on the same network as your patient zero, disconnect them from the network, clearly label them as possibly infected, and put them in a separate location so no one accidentally reconnects them and infects everything else.
  • Do contact tracing on the remaining devices and computers. Look for weird file extensions and check your IT tickets for reports of files that won’t open or have gone missing, etc. 
  • Figure out what variant you’re dealing with. Whether you do it yourself or use a cybersecurity expert, knowing what type of ransomware you’ve caught may help you get rid of it, and free decryptors exist for some older families (the No More Ransom project collects them). 
  • Contact law enforcement authorities. Law enforcement may have decryption tools for your variant, and prompt reporting is often required by breach-notification laws and weighs in your favor with regulators if the attack results in your clients’ data being stolen. It does not, by itself, shield you from fines.
  • Don’t pay anyone anything. If you pay, there is no guarantee you’ll get a working decryption key. It also makes you a mark, since the criminals now know you are willing to pay for your data, and in the US paying a sanctioned group can create legal exposure of its own. 
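
The "contact tracing" step above, looking for weird file extensions and files that won’t open, can be done quickly with a script. What follows is an added example, not code from the original article, that walks a share and reports three indicators: ransom-note file names, clusters of files with an unexpected extension (the `report.xlsx.locked` pattern), and plaintext files whose contents are suddenly high-entropy, which catches families that encrypt in place without renaming. The share it scans is constructed inside the script; the indicator lists and thresholds are illustrative and should be tuned to what normally lives on the share.

```python
"""Added example (not from the original article): a first-pass triage scan for
ransomware indicators on a file share. The directory it scans is constructed
inside the script; the indicator lists and thresholds are illustrative."""
import math
import os
import random
import re
import tempfile
from collections import Counter

# Extensions you expect to see on this share (illustrative; tune per share).
EXPECTED_EXT = {".txt", ".csv", ".log", ".docx", ".xlsx", ".pdf", ".jpg", ".png"}
# Only plaintext-like formats get the entropy check: zip-based or compressed
# formats (docx, pdf, jpg) are high-entropy when perfectly healthy.
PLAINTEXT_EXT = {".txt", ".csv", ".log"}
RANSOM_NOTE = re.compile(r"(decrypt|ransom|how.?to|restore.?files|recover.?files)", re.I)
NOTE_EXT = {".txt", ".html", ".hta"}
ENTROPY_THRESHOLD = 7.2      # bits per byte; encrypted or random data sits near 8
CLUSTER_MIN = 5              # an unexpected extension on this many files is a pattern


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root):
    """Walk root and return the three indicator lists (relative paths, sorted;
    extension clusters as an {extension: count} map)."""
    notes, clusters, high_entropy = [], Counter(), []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            base, ext = os.path.splitext(name)
            ext = ext.lower()
            if ext in NOTE_EXT and RANSOM_NOTE.search(base):
                notes.append(rel)
            if ext not in EXPECTED_EXT:
                clusters[ext] += 1
            elif ext in PLAINTEXT_EXT:
                with open(path, "rb") as fh:
                    if shannon_entropy(fh.read(4096)) > ENTROPY_THRESHOLD:
                        high_entropy.append(rel)   # encrypted in place, name untouched
    return {
        "ransom_notes": sorted(notes),
        "extension_clusters": {e: c for e, c in clusters.items() if c >= CLUSTER_MIN},
        "high_entropy_plaintext": sorted(high_entropy),
    }


def build_sample_tree():
    """Constructed share for the demo: healthy memos, a ransom note, six files
    with a double extension, and one file encrypted in place. Returns the root."""
    root = tempfile.mkdtemp(prefix="share_")
    rng = random.Random(7)

    def junk(n):                       # deterministic stand-in for ciphertext
        return bytes(rng.getrandbits(8) for _ in range(n))

    os.makedirs(os.path.join(root, "finance"))
    for i in range(3):
        with open(os.path.join(root, "finance", f"memo{i}.txt"), "w") as fh:
            fh.write("Quarterly numbers attached. Please review before Friday.\n" * 20)
    for i in range(6):
        with open(os.path.join(root, "finance", f"report{i}.xlsx.locked"), "wb") as fh:
            fh.write(junk(2048))
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(junk(2048))
    with open(os.path.join(root, "HOW_TO_DECRYPT_FILES.txt"), "w") as fh:
        fh.write("Your files are encrypted. Contact ... to recover them.\n")
    return root


if __name__ == "__main__":
    for indicator, hits in scan_tree(build_sample_tree()).items():
        print(f"{indicator}: {hits}")
```

Run it read-only from a clean machine against the share (mount it read-only if you can), and treat the output as leads, not verdicts: a `howto_vpn.txt` will match the note pattern, and a share that legitimately holds `.bak` files needs that extension added to the expected set. The entropy check is the one that finds damage a file listing hides, so it is worth keeping even at the cost of a few false positives.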

Stand and deliver…yourself

When it comes to ransomware, your best protection is preparation. Remember, you don’t have to develop a comprehensive plan all at once. Start with the small steps that build a strong foundation, and then keep building.

And you don’t have to do it alone. Working with a data privacy professional to pick the right vendors, train your team, and stay on top of all of this throughout the busy year can simplify your life and establish efficient, effective operational privacy and security practices. 

We can help you. Call us today to take control of your data security and protect your company from highwaymen and their ransomware.

Avoid return-to-work security risks.

After a forced retreat to semi-permanent work-from-home status, many executives are now considering calling their workers back into the office. There are no doubt health risks that have to be taken into account when mapping out what this return-to-work process looks like.

However, there’s a bigger liability hiding in the shadows, nearly invisible to the return-to-work plans at the forefront of most executives’ minds. It’s the silent killer that has the potential to take your company down for good.

This disaster waiting to happen? Not addressing security issues.

It became common knowledge that cybersecurity needed to be prioritized during the lockdown, especially with phishing scams on the rise and security and privacy problems with the popular video conferencing app Zoom plaguing users.

But what many executives don’t realize is that returning to full-time office life presents its own major security issues, and that doing so without appropriate updates, upgrades, and policy changes is dangerous.

Companies must step up to the challenges of the time, setting up processes and procedures that cover both work-from-home scenarios and working-from-the-office norms. After all, company hardware has been off-network and personal hardware may be storing company (and client) data. And there’s a good chance this will continue, with the new norm most likely trending towards a mix of work-from-home and work-from-the-office.

To help you understand the security implications of moving your workforce from home back to the office, we’re covering the critical areas you need to address to cover every angle of risk. This will help you maintain safety in the areas you can’t see, the ones that most affect your business’s success.

The Return-to-Work Security Checklist

There are three areas you need to consider when addressing the risks of returning your team to a physical office location. Once these areas are fully addressed, there should be nothing standing in the way of a return to a normal way of operating, albeit a gradual one.

1 – Policies & Procedures

During the rush to move all employees to work-from-home status, perhaps you taped together a plan for operations, bypassing existing measures in order to maintain productivity.

If this sounds familiar, you’re not alone.

But the quick fixes and Band-Aids employed in the fast-paced move to a work-from-home setup now must be reevaluated in light of returning to work. Even if you eventually created remote work policies and procedures, they won’t cover the new cybersecurity issues you’ll face when returning to work.

Either way, now is your opportunity to kill two birds with one stone: Combine work-from-home and return-to-work guidance into one policy and procedures standard.

The return-to-work portion should include:

  • Creating a cadence to aggregate and analyze return-to-work information.
  • Performing a risk assessment and a gap analysis for each facility.
  • Executing a safety plan based on risk assessment and mitigation.
  • Establishing communication protocols.
  • Evaluating cyber hardening policies.
  • Incorporating business continuity planning and compliance issues.

In addition to these, your policies and procedures should cover two other critical areas: password resets and new employee onboarding and training.

Password Resets

The reality is, your employees may have fallen into unknowingly bad cybersecurity habits during their work-from-home stints. This includes the possibility they’ve shared their laptops and passwords with family and friends. They may have re-used the same passwords when downloading software or setting up devices at home, too.

You must make it clear in your policies and procedures that passwords for all company devices and software must be reset before returning to a physical work location.

New Employees

If you’ve hired and trained new employees during the work-from-home exodus, you must provide training about how office life works when it comes to cybersecurity. This will differ in many ways from how you’ve trained them to work from home. Include company security policies pertinent to working in the office in your policies and procedures. And make sure you emphasize this portion to new hires entering your physical location for the first time.

2 – Rogue Devices and Software

Hardware and software can be a security blind spot when returning to work. It will be essential to update operating systems and software, as well as complete an inventory of personal and corporate devices being brought back into the workplace.

Steps you should take to do this include:

  • Run a scan on your network to identify new, unknown devices.
  • Train employees to avoid using personal devices at the office when possible.
  • Enforce device control to block unauthorized USB and other peripheral devices.
  • Revoke unnecessary software licenses and transition staff back to using resources provided on-site.
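
The first step in that list, finding devices on the network that nobody can account for, comes down to reconciling what the network actually sees against the asset inventory. The script below is an added example (not code from the original article) that does that for one segment: it parses a neighbor table in the format printed by Linux `ip neigh show`, normalizes the inconsistent MAC formats that spreadsheets accumulate, and lists anything on the wire that the inventory does not explain. Both the neighbor table and the inventory CSV are constructed for the example.

```python
"""Added example (not from the original article): reconcile what the network
actually sees against the asset inventory. Input is a neighbor table in the
format printed by Linux `ip neigh show`, run from a host on each office
segment; both the table and the inventory CSV below are constructed."""
import csv
import io
import re

# Matches lines like: 10.0.0.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
NEIGH_RE = re.compile(r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>[0-9A-Fa-f:]+)")

CONSTRUCTED_NEIGH_TABLE = """\
10.0.0.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.0.23 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
10.0.0.57 dev eth0 lladdr AA:BB:CC:DD:EE:02 REACHABLE
10.0.0.99 dev eth0  FAILED
fe80::211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
10.0.0.120 dev wlan0 lladdr de:ad:be:ef:00:01 DELAY
"""

# Inventory as exported from a spreadsheet; note the three MAC formats.
CONSTRUCTED_INVENTORY_CSV = """\
mac,asset_tag,owner
00:11:22:33:44:55,NET-001,network
AA-BB-CC-DD-EE-01,LT-0042,alice
aabb.ccdd.ee02,PR-007,front desk printer
"""


def normalize_mac(raw: str) -> str:
    """Canonical lower-case colon form; accepts colon, hyphen and Cisco dotted input."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_neigh_table(text):
    """Return {mac: (ip, dev)} for every neighbor that has a link-layer address.
    IPv4 and IPv6 entries for the same hardware collapse into one record."""
    seen = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if not m:
            continue            # FAILED / incomplete entries carry no MAC
        mac = normalize_mac(m["mac"])
        seen.setdefault(mac, (m["ip"], m["dev"]))
    return seen


def load_inventory(csv_text):
    return {normalize_mac(row["mac"]): row for row in csv.DictReader(io.StringIO(csv_text))}


def find_unknown(neighbors, inventory):
    """Devices on the wire that no inventory record explains."""
    return sorted((mac, ip, dev) for mac, (ip, dev) in neighbors.items() if mac not in inventory)


def find_absent(neighbors, inventory):
    """Inventory items not seen on this segment; not alarming alone, but worth a look."""
    return sorted(mac for mac in inventory if mac not in neighbors)


if __name__ == "__main__":
    neigh = parse_neigh_table(CONSTRUCTED_NEIGH_TABLE)
    inv = load_inventory(CONSTRUCTED_INVENTORY_CSV)
    for mac, ip, dev in find_unknown(neigh, inv):
        print(f"UNKNOWN  {mac}  {ip:<26} on {dev}")
    for mac in find_absent(neigh, inv):
        print(f"ABSENT   {mac}  ({inv[mac]['asset_tag']}, {inv[mac]['owner']})")
```

Two caveats a practitioner would want. A neighbor table only shows hosts on the same segment that have recently exchanged traffic, so run it from a host on each office VLAN (or pull the switches’ MAC tables or the DHCP lease list instead, which are more complete). And a MAC address is an identifier, not a credential; a device that matches the inventory still has to pass the patch and scan checks below before it rejoins the production network.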

By taking these actions, you’ll reduce the risk to your company information, employee information, and client information when returning to work.

Software Patches

There’s a good possibility that your team has inadvertently welcomed malware and other software risks onto their work and personal devices while working from home. You could not fully prevent this from happening, but you can stop those infections from spreading to the rest of your software and devices.

Create a thoughtful plan for testing machines, identifying patch requirements, and updating the devices before an employee sets foot in the office. Keeping returning machines off the production network (a quarantine network segment or the guest WiFi, for example) until they have been scanned and patched significantly decreases the risk of infecting your entire network and every other device from just one.

3 – Facilities & Team

You may be overwhelmed with the changes that have to be made and the monitoring that has to be done before an employee sets foot back into your physical office location again. Thus, this third step in lowering security risks: Determining which facilities and teams will come back to work first.

Making sure all cybersecurity risks are handled individually is easier when there is a slow trickle of returning workers. Allowing all employees to come back at the same time will likely overwhelm your IT department, increasing the risk of a cybersecurity breach or an accidentally harmful action by an employee who hasn’t received policies and procedures training yet.

Limiting what facilities and team members return to work first will ease the burden and decrease liability for security issues. You should plan accordingly.

Conclusion: A Roadmap for Managing Rapid Change

There’s no doubt change has been – and will continue to be – rapid and substantial in 2020 when it comes to work environments. One thing remains the same, though: the need to maintain the security of information online and keep everyone involved safe from cybersecurity threats.

Your best course of action in order to remain in control when environments change rapidly is having a plan in place. Use the lessons from the beginning of this year to inform the creation of a roadmap for work-from-home and work-from-the-office. A mix of the two is most likely here to stay, so you’ll need a plan that works now and is scalable for the future.

Note: A privacy roadmap is a living document, not to be created at one point in time and used for the entire future of your company. Seismic shifts have taken place in the last 12 months in regards to privacy legislation, team working environments, and technology. When change is the only constant, you need a privacy plan that is scalable and flexible.

Having a plan can help your business manage future crises in the least amount of time, effort, and expense… and with the least amount of pain.

Most importantly, invite your employees into the plan. Give them clear, transparent communication about the information you have, the information you don’t, and what you’ll do as a company to lower cybersecurity risks for them.

Red Clover Advisors has been a strategic partner in creating work-from-home and workplace policies and procedures for companies across the country. We help you create a comprehensive plan covering cybersecurity, privacy regulations, and data protection unique to your company and team. To get started with your own roadmap, reach out to set up a free consultation with our experts today.

Disclaimer: Red Clover Advisors does not provide legal advice. The information within this article is meant to offer sound business advice. Businesses should seek final legal direction from counsel before publishing any policies and procedures.
