Culhane Meadows’ co-founder Heather Haughian was recently interviewed by Authority Magazine for a segment of a series on data privacy and cybersecurity. Heather discusses what companies need to know for optimizing their data privacy and cybersecurity practices.
Here are excerpts from Heather’s interview:
The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
- That cybersecurity is an ever-changing landscape, so everyone understands that living with the status quo is never acceptable... plus, we'll never get bored. I might not sleep at night worrying about the next cyberthreat that's out there, but at least it will be interesting learning about it and trying to protect against it. Cybersecurity is oftentimes about solving different types of puzzles, and I love puzzles!
- As a huge proponent of STEM (and especially WOMEN in STEM), I’m excited that the cybersecurity industry is absolutely booming, and there are so many opportunities for growth for anyone either already in this area or looking to get into it. I would venture to guess that the unemployment rate for cybersecurity specialists is close to nil.
- I get to wear a white hat in all that I do with cybersecurity. There is a bigger purpose here — to protect our customers' data and the integrity of our systems, and oftentimes what we teach in the cybersecurity area helps our attorneys and staff in their personal lives as well, to not get hacked or fall prey to the many, many phishing schemes and social engineering attacks that they experience in their work environment and their personal lives. As someone who moonlights as a fitness instructor, I can tell you that it's a lot easier to get folks to understand the benefits of NOT clicking on an unfamiliar hyperlink than it is to convince someone that lifting weights is just as important as spending time on the treadmill or bike. The instant feedback of possibly having your bank account drained when something goes wrong, as there is with cyber scams, definitely gets people's attention.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
I think the latest statistics still show that the overwhelming majority of cyberattacks that result in breaches are due to human error (that statistic can be as high as 90%). I don’t foresee that changing any time soon, so if folks are not investing in training their personnel and if they don’t have support from the leadership of their respective companies, THAT will continue to be their biggest threat to cybersecurity.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
Given my role as a data privacy and security attorney, I frequently advise my clients on data breach responses and mitigation efforts. I think so many of the data breaches that I see our clients experience have some very common themes or takeaways: (1) human error where someone falls for a phishing or social engineering scheme; (2) lack of multi-factor authentication that allowed for hackers to easily break into the clients’ systems; and (3) lack of controls over user credentials once they leave the company.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
- Multi-factor authentication (“MFA”) is a *must have* cybersecurity tool for any organization. No one should be accessing data on your systems by merely entering a username and password. MFA is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN, e.g., Google Authenticator, Microsoft Authenticator, LastPass Authenticator, Authy, Yubico, etc. Our firm uses Microsoft Authenticator.
- Microsoft Advanced Threat Protection (ATP) — it's a cloud-based email filtering service that helps protect an organization against unknown malware and viruses by providing robust zero-day protection, and includes features to safeguard an organization with the following: (a) sophisticated scanning of attachments and AI-powered analysis to detect and discard dangerous messages; (b) automatic checks of links in email to assess if they are part of a phishing scheme and prevent users from accessing unsafe websites; and (c) device protection to prevent devices from interacting with ransomware and other malicious web locations. ATP also includes robust reporting and URL trace capabilities that give administrators insight into the kind of attacks happening in an organization.
- Malwarebytes Endpoint Protection — to protect against malware, viruses, hackers, ransomware, and other established and emerging cyberthreats, as it has the ability to: (a) provide always-on, real-time threat detection and automated scans; (b) proactively identify new threats with Anomaly Detection Machine Learning; (c) lock threats out of our network with seven-step Multi-Vector Protection; (d) root out hidden threats with proprietary Linking Engine Remediation; (e) trace attacks back to the source with threat analysis and forensics; and (f) clean infected systems remotely with Cloud Platform.
- Data Loss Prevention Tool — Microsoft's data loss prevention capabilities allow us to (a) set specific data prevention policies to identify, monitor, and protect sensitive information such as social security and credit card numbers; (b) set encryption rules to prevent an email from being forwarded, copied, or pasted into other programs; (c) set up email archiving and preservation policies to help ensure data is properly retained with continuous data backup and compliance; and (d) enforce BitLocker device encryption on all Windows devices to help protect against data theft or exposure if a protected device is lost or stolen.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
It is a huge misperception that you have to have a huge cybersecurity team in order to take steps to deal with cybersecurity issues. For SMBs, there are so many vendors out there today with excellent tools that will provide a great deal of cybersecurity for SMBs that do not have their own cyber team. Most SMBs can utilize the support of a cybersecurity consultant to advise them on the best way to implement these off the shelf software cybersecurity tools and to help set up a monitoring and reporting system for potential cyber threats.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
- You know you are entering the right password, but it's not working (because someone has already reset your password after hacking you) and you get locked out of your accounts, like your social media account.
- Your computer starts acting strangely or really slow, e.g., popup messages, antivirus warnings, new toolbars in your internet browser, or the mouse cursor moving by itself
- Your anti-virus/anti-malware is disabled, and you didn’t disable it.
- You start to see unexpected software being installed
- Your internet is suddenly running very slow
How have recent privacy measures like the California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?
For those organizations with the budget to really understand and be able to comply with regulations like the CPPA and GDPR, ensuring such compliance can be a competitive advantage, with sales and business referrals increasing as a direct result. We expect that to be the same for the CCPA also, as recent surveys show that 85–90% of U.S. consumers are very concerned about the privacy of their personal information/data and view privacy as a human right. Unfortunately, the main competitive advantage that these laws may bring about is continuation of the trend of a winner-take-all economy. Bigger companies have the budget to contend with the ever-changing legal landscape, and small companies — even if well-intentioned — are left to make do with small budgets while worrying they will come across the radar screens of regulators. Our firm's Data Privacy and Security Team has counseled many smaller clients as they seek to comprehend the complexity and interplay of these laws, but for those without a budget to implement the required regulatory changes, knowing what they need to do isn't much comfort.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The biggest mistake I see companies make is to ignore the human factor. You can have the most state of the art cybersecurity tools, but if you have failed to adequately train your employees — early and often — then you will fall prey to so many cybersecurity attacks aimed at nothing more than tricking people into clicking on a bad link or opening an infected attachment.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Absolutely there has been an uptick. You have companies that have been suddenly thrown into a remote working environment without the real capability to actually work remotely. So they are finding the fastest solutions they can to get their employees up and running in this new normal of a remote work force. Many times the fastest solutions are not the most secure, so security breaches will occur. And even with the tightest security systems specifically built for remote working, one factor that companies fail to consider is the security of the wi-fi network being used to access their company’s systems. For those employees who hop on the wi-fi at Starbucks to access their company’s systems, the vast majority are likely not using a VPN to secure that connection. For those employees who use the wi-fi in their home offices, the vast majority are not likely to have properly secured their wi-fi routers because most lay people do not even know how to access their wi-fi router settings to be able to activate the proper security settings.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
1. Just like in the world of broadband, it’s all about “the last mile”: that is to say, a company can spend huge amounts on systems security, only to be foiled by a wayward employee who clicks on an attachment with malware. It’s all about the training.
2. Know your data sets and who has access to what data from what location. It’s impossible to assess the application of various laws in a cross-border context without this information.
3. If you have a limited budget, concentrate on worst-case scenarios. Don’t spend thousands dealing with low probability/low risk threats that are easy to perceive (e.g., breach of customer contracts), while ignoring company-endangering practices that no one has sufficiently examined because nothing bad has happened yet (e.g., sending texts or faxes that violate TCPA or other laws that permit class action lawsuits).
4. Have (or engage) a person who can ask the right questions about technology marketed as secured or encrypted before implementing with customers. It’s all too easy to create non-secure interfaces with customers if one is simply relying upon vendor assurances of security.
5. It may be a lot of effort to transition to new technology enterprise-wide, but it’s probably cheaper in the long run than policing the security gaps between combinations of legacy systems layered over time. This should be looked at on a case-by-case basis, but is more likely to be true in organizations handling large amounts of sensitive data, as newer systems will be better designed to create secure interfaces with “the rest of the world” such as with customers and key vendors.
A few examples of security incidents we have seen that could have been prevented….
- Client did focus on training their employees, but only once a year, so one of their employees (a sales rep) allowed malware in through an email he should not have opened or clicked on. This allowed the hackers to send emails out as him. The hackers also obtained company letterhead and sent out an invoice to the client's customer using the employee's email address, with wire instructions to the hackers' bank account. Customer paid the invoice. Client was not paid. Customer furious about the entire situation.
- Target company for proposed acquisition failed to update its privacy and cyber security compliance for 2 years. Due diligence on behalf of the client (acquirer) identified so many privacy and security deficiency risks, the client decided against acquiring the other company. One week later, the email account credentials of the former target company’s CEO were stolen by hackers in Eastern Europe entering through the target company’s online intranet web portal.
- Client global developer of mature video games marketed a new game for EU and US kids under age 10 without assessing EU and US children’s privacy laws compliance obligations including parental consent content and mechanisms. Client obtained huge global kids entertainment contract for new game. Client attempted to retrofit mature game software for EU and US children’s privacy compliance to fulfill contract. Retrofit was not possible in time to fulfill the children’s contract and the client’s entire game division regrettably was unable to survive the COVID-19 business downturn and closed.
- It used to be that storing old data on tape or in boxes in warehouses cost a lot of money, and companies paid attention to the cost of storage and had budget incentives to get rid of it. So they didn’t keep data that they didn’t need or should no longer have. Now that the cost of storing data in the cloud is low, companies don’t make the effort to purge old data (or even to know what data they have). So keeping that data now means a higher risk of breach. The LOW cost way of preventing disaster is to not keep the data that is no longer needed by the company (or that was never needed by the company).
For the entire article, click HERE.
About Culhane Meadows – Big Law for the New Economy®
The largest woman-owned national full-service business law firm in the U.S., Culhane Meadows fields over 70 partners in ten major markets across the country. Uniquely structured, the firm’s Disruptive Law® business model gives attorneys greater work-life flexibility while delivering outstanding, partner-level legal services to major corporations and emerging companies across industry sectors more efficiently and cost-effectively than conventional law firms. Clients enjoy exceptional and highly-efficient legal services provided exclusively by partner-level attorneys with significant experience and training from large law firms or in-house legal departments of respected corporations. U.S. News & World Report has named Culhane Meadows among the country’s “Best Law Firms” in its 2014 through 2020 rankings and many of the firm’s partners are regularly recognized in Chambers, Super Lawyers, Best Lawyers and Martindale-Hubbell Peer Reviews.
The foregoing content is for informational purposes only and should not be relied upon as legal advice. Federal, state, and local laws can change rapidly and, therefore, this content may become obsolete or outdated. Please consult with an attorney of your choice to ensure you obtain the most current and accurate counsel about your particular situation.