BY FREDA MIKLIN, GOVERNMENTAL REPORTER
On November 20, the business leaders for responsible government section of the South Metro Denver Chamber hosted experts in cybersecurity to guide local leaders in dealing with the existential threat of cybersecurity breaches.
Jennifer Kurtz, cyber program director at Manufacturer’s Edge, a nonprofit that promotes the state’s manufacturers, and a graduate of the FBI’s cyber security program, opened the program by sharing that since 2005, 11.7 billion records have been breached. She said there are 165 million compromised accounts on LinkedIn, which is where many identity thieves get the personal data they use to sound legitimate.
Kurtz talked about the inherent conflict between security, ethics, and privacy, citing the obstacles of cost, convenience, culture, and contradictions. She said she has no apps on her iPhone, believing that, “If it’s free, it’s not a product. You are.” On privacy, she shared the popular notion that, “When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else.”
Patrick Hellman is vice president and chief security officer for Arrow Electronics, a Fortune 109 company with 20,000 employees in 400 offices in 54 countries. He said Arrow requires its employees to use at least 16 characters in their passwords, but doesn’t make them change passwords frequently because the company has found that people will bypass that requirement by using predictable patterns.
Hellman said cyber attackers are usually from Russia, China, and eastern Europe, but they are now outsourcing to Nigeria and Vietnam. He said, “The Chinese are good, but the Russians, who are usually part of organized crime, are very good.” Once they infiltrate an email account, they focus on deleted emails to get information because people don’t pay attention to deleted emails. He said the latest area where attacks are being made is payroll, where criminals mine data, then send fake emails directing that paychecks be deposited to a new bank.
Hellman told the group that the records from the 2017 Equifax breach and the breach of Capital One that occurred earlier this year have not yet surfaced. That will occur, he said, when the thieves decide the time is right.
Mike Greco, cybersecurity expert with the labor and employment law firm of Fisher Phillips, said companies must be prepared because, “You will be breached. You need to recognize it and have a lawyer handy.”
All the experts agree that a security breach should not be announced until you are certain that one has occurred. Then you need to consider what industry you are in and what statutes apply in determining who you must notify, considering that potential lawsuits might follow. Planning protects you against accusations of negligence after a breach happens. Having professionals already in place to give you advice is very important, especially ones that come with attorney-client privilege.
2018 All Rights Reserved. Villager Publishing