Implementing California Consumer Privacy Act (CCPA): Part 1

This is the first in a series of posts about the implementation of the California Consumer Privacy Act (CCPA).

As someone who works in cybersecurity and privacy and who lives in California, I’ve been closely tracking CCPA since it was passed. The state statute, protecting consumers’ rights to access, request deletion of, and opt out of the sale of their personal information, went live in January. At the time, I conducted what I thought of as an initial experiment, to see what would happen when I requested my own data—which companies were prepared to send it, how much they would send, and how promptly they would respond. I approached Verizon, Facebook, Comcast, Google, LinkedIn, Ring, Amazon, YouTube, and Intuit, as well as some data brokers that are registered with the state, among others. 

Making the Best of Social Media

I’ve been concerned about this issue for some time now. As a resident of California, I’m entitled under the California Consumer Privacy Act (CCPA) to ask about the data that companies have mined from me. Recently, I did just that. Even though I closely follow cyber risk and privacy topics for a living, I was stunned by what I received in return. Both the sheer volume (we’re talking dozens of pages of spreadsheets) and the depth of the data points (e.g., the current phone numbers of friends I have not called since high school) rudely reawakened me to the reality of how our personal data has been commodified, sold, and traded without our full knowledge.

Yet, perhaps out of denial (“it won’t happen to me”) or cynicism (“they already have all my data”), too few of us take the steps needed to protect ourselves. It’s never too late to mitigate risk, and doing something is better than oversharing your personal information with strangers and big data companies. Here are some easy ways to reduce your vulnerability across social media platforms:

The risks of social media use are real and frightening: Identity theft, phishing, and now deepfakes can be perpetrated with the information we’ve willingly exposed about ourselves. From just a few small clues, a threat actor can target you or your business, open a credit card in the name of your child, or commit wire fraud.

MSBs and Ransomware: Staying Ahead of the Compliance Curve

A Q&A with Winston Krone of Kivu

Ransomware is on the rise, and so, too, is the chance of having to pay a ransom to recover critical data, yet this practice remains a gray area for regulatory compliance. One way that businesses can mitigate the potential of regulatory risk is to respond to cyber extortion attacks by using vendors who have registered as a money services business (MSB), which not only demonstrates compliance with the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) but also helps law enforcement find and prosecute criminals. Last year, Kivu registered as an MSB—and was reportedly the first full-service ransomware response vendor to do so. We spoke to Global Managing Director Winston Krone about how this decision benefits Kivu and how it could help other businesses to follow suit.

COVID-19 Preparedness: Updating Incident Response Plans for Pandemic Scenarios

A Q&A with Ron Raether of Troutman Sanders

In the wake of the COVID-19 pandemic, the traditional workforce has largely transformed into a work-from-home workforce, raising novel cyber security issues for organizations—particularly given a wave of attacks capitalizing on newfound vulnerabilities. One way to prepare for the current reality is to update cyber incident response plans with provisions for a remote response. We talked with Ron Raether of Troutman Sanders about making these needed updates.

Can You Imagine the Future of Ransomware?

Over the past 18 years at NetDiligence, we’ve often been asked about the future of ransomware. And the truth is that even after 18 years in this space, no one can fully predict what will happen.

Even when ransomware became more widespread during the 2000s, no one could have imagined the current magnitude of the threat of cybercrime. Ransomware incidents have skyrocketed in recent years, becoming the number one cause of loss within the cyber risk insurance industry.

Cybersecurity and Privacy Risks During the COVID-19 Pandemic

The COVID-19 outbreak has necessitated the creation of a mobile workforce practically overnight. Yet this sudden change raises cybersecurity and privacy issues that companies must now reckon with. The webinar “COVID-19 Emerging Issues: Managing Cyber Risks of a Remote Workforce and Global Privacy Concerns,” presented by NetDiligence and Arete Incident Response on March 24th, addressed this rapidly evolving reality.

What Is a Ransomware Attack and How To Deal With It

Ransomware is a type of malware designed to block access to a computer system until a sum of money is paid. Typically, a ransomware attack starts with an innocent-looking email with an infected link or fake document attached. In fact, the average company received a whopping 90% of their detected malware through email, according to Verizon’s 2019 Data Breach Investigations Report (DBIR). Unfortunately, phishing emails are getting more clever every day. For example, you might get a message that looks like it’s from a known delivery company, asking you to click to get the status of a package.

A lot of people will click because we all come across emails like this on a daily basis. But if it’s ransomware, clicking will cause the malware to execute/install and then spread throughout the network, encrypting all your devices and data and blocking you out. Once your system is completely encrypted, a message will appear on your screen with the extortion demand. It might go something like this: “Your network is now owned by us. You are locked out. In order to regain access, you must pay a certain amount of bitcoin and here are the instructions to do it.” There are many variations of this message and many include an exact deadline.

Deepfakes: A Rising Cyber Threat

A Q&A with John Farley of Gallagher

One of the most dangerous cyberattacks emerging on the threat landscape is also among the most difficult to detect or prevent. Deepfake technology enables perpetrators to mimic the voices and images of real people and it has significant consequences for companies, individuals and the democratic process. John Farley, managing director of the cyber liability practice of Gallagher, gave us an update on this concerning development.

Ransomware Trends in 2020 Call for Increased Cyber Readiness

As IT systems and data play increasingly important roles in business, opportunities for cybercriminals continue to grow. For the first time, the annual Allianz Risk Barometer Report found cybercrime to be the number one concern for companies around the globe.

The increase in concern over cybercrime coincides with a rise in the number of ransomware attacks—and the dollar amount of payouts. A quick search of ransomware attacks in 2019 reveals that some 55 percent of SMBs in the United States were forced to pay hackers following an attack. 

What Insurers Need to Know About New York’s SHIELD Act

A Q&A with Laurie Kamaiko of Saul, Ewing, Arnstein & Lehr LLP

Going into effect in its entirety on March 21, 2020, the New York SHIELD (Stop Hacking and Improve Electronic Data Security) Act updates previous data security laws while creating more obligations and potential concerns for companies and their cyber insurers. We asked Laurie Kamaiko of Saul, Ewing, Arnstein and Lehr about this legislation and how insurers can prepare for its implementation.
