Welcome back to the TCE Strategy monthly technology and cybersecurity newsletter! The mission of this publication is to cut through the clutter of cybersecurity news stories and provide you with the most important, relevant and actionable cybersecurity information.
If this newsletter adds value, fantastic! That is the goal. Please forward it on to friends/colleagues. If not, no hard feelings. Please look to the bottom for an easy to click "unsubscribe" button.
In this issue:
Month's News in Review
Upcoming Speaking Events
TCE Strategy in the News
Must Read Articles This Month
Cybersecurity Tip of the Month
This Month's News in Review
Hello! Lots of interesting cybersecurity news transpired in the past month. Let’s get to it:
GDPR and the FTC Both Bare Their Teeth
I was in London last September when British Airways (BA) announced their website breach that disclosed 380,000 financial records. It made front-page news, and as always happens with today’s big headline, it quickly became yesterday’s news. This breach was not unique from a technical standpoint – the tool used to hack their website, Magecart, has claimed over 7,000 successful website attacks. What made this attack unique was that GDPR had taken effect the previous May, and it was the first major breach since GDPR became law.
The next major breach came a few months later, when Marriott disclosed that the details of 383 million guests were breached, and that the cybercriminals had been in Marriott’s systems for 4 years. Let that sink in for a minute…383 million guests. That’s 5% of the planet’s population.
Fast forward to this month. The Information Commissioner’s Office (ICO), a British regulator, announced that it intends to fine British Airways $239 million for the breach. Previously the largest GDPR fine was under $1 million, which is an amount that most large companies spend on letterhead. $239 million is enough to get any company’s attention. The very next day, Marriott’s GDPR fine was announced at $123 million. It appears that regulators are trying to demonstrate that GDPR has more than teeth. The law has fangs.
How sharp those fangs are remains to be determined. Both fines are sure to be appealed, and likely appealed again after that (although the extent that these fines can be argued/appealed is not completely clear – exactly where “the buck stops” when it comes to GDPR fines is being written as we go).
In case this wasn’t enough to display that cybersecurity and privacy fines are ramping up, the FTC announced a settlement with Facebook for $5 billion for “persistent privacy violations.” Just as surprising, Facebook’s stock jumped up 2% on the news, as investors appeared to be pleased that it wasn’t even higher. Facebook already set aside $3 billion in anticipation of this fine, and given that they announced quarterly revenues of $17 billion ($7 billion in net income), finding another $2 billion should not be difficult. This isn’t Facebook’s only serious legislative concern – there are active investigations by the Department of Housing and Urban Development regarding discrimination, by the Justice Department and the Federal Trade Commission on monopolistic practices, and the Senate Judiciary Committee’s chairman, Lindsey Graham (Rep) has stated that Facebook (and Google) need to have more scrutiny of their fundamental business model. This is on top of the GDPR active investigations into Facebook that have been underway for some time.
New privacy laws are in the works. California’s privacy law, known as the California Consumer Privacy Act (CCPA) will go into effect on Jan 1, 2020, and it has many similarities to GDPR. New York has introduced an even more consumer-centric bill called the New York Privacy Act. The social media industry is, unsurprisingly, lobbying hard against these measures, and it remains to be seen what becomes law. What we do know is this: Fines for cybersecurity breaches of consumer data and for privacy violations are getting much larger. Profits by companies that use this data are also getting larger. Hopefully the fines will rise quickly enough that it will be in companies’ best financial interest to protect our data and our privacy. To date, the opposite has often been the case.
How should we, as individuals and business leaders, react to this information? We can let our government representatives know that we want large companies to care as much about the privacy of our data as we do. We can be very careful about the type of information we share on social media. We can educate our employees, our families and our friends on how social media companies profit from selling our information. Education breeds understanding. Understanding breeds action. Action breeds change.
Upcoming Speaking Events
If I am coming to your town, state or country and you are interested in a speaking event for your company or organization, please let me know! There are a number of terrific cities on my 2019 schedule already.
July 16th: Viewpoint event, Hartford, CT
July 18th: Viewpoint event, Waltham, MA
July 2019: France, Germany and Italy private events
August 6th: Viewpoint event, Chicago, IL
August 20th: Viewpoint event, San Diego, CA
August 22nd: Viewpoint event, Sacramento, CA
Sept. 25th: Viewpoint Collaborate annual users conference, Portland, OR
Must Read Articles This Month
This isn't surprising to anyone, is it? The government is violating its own extremely broad surveillance powers. "The ACLU called on lawmakers to investigate the improper collection and to shut down the program altogether."
Privacy advocates everywhere are having a very bad day today. iPhone and Android hacks. "More surprising, Guido and other observers of the iOS arms race say, is how publicly Cellebrite is trumpeting its new tool."
Do you have a Medtronic “MiniMed 508” insulin pump? The FDA is mandating a recall of the device because of unpatchable cybersecurity issues. Cybersecurity meets life safety. Hopefully this action will spawn more rigorous testing of IoT medical devices.
"The DOJ and the FBI argue that catching criminals and terrorists should be the top priority, even if watered-down encryption creates hacking risks. The Commerce and State Departments disagree, pointing to the economic, security and diplomatic consequences of mandating encryption 'backdoors'."
Cybersecurity Tip of the Month:
A barrage of data breaches has left millions of usernames and passwords available for cybercriminals to take advantage of. In addition to this, poor password security practices can leave you vulnerable to being hacked. Put these suggestions into effect to help protect yourself and your data.
1) Start with a strong password. Make it long and complex, using lower and uppercase letters, numbers, and punctuation marks. Don’t use easily guessed information, and do not use any of the most commonly used passwords. You can also consider using a passphrase and substituting characters to make it more complex. For example, “My dog ate my homework” could be used as Myd0gat3myh0m3woRk!.
2) Use a different password for each account. If one of your passwords is stolen, hackers will try that password on multiple sites.
3) Use a password keeper. Password keepers such as Dashlane, LastPass, and 1Password are great tools to help with password security. They can generate strong passwords, safely store them, evaluate the security of your existing passwords, and can alert you if your password has potentially been compromised. An added bonus is that you only have to remember one password!
4) Check “Have I Been Pwned” to see if any of your accounts have been exposed in a data breach. If so, change any passwords that may have been affected.
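The following Python script is an added example written for this issue, not code from the newsletter or from any of the password-keeper products named above. It shows how tips 1 and 4 can be automated: a policy check for length, character classes and a common-password list, and the k-anonymity lookup that "Have I Been Pwned" uses, where only the first five hex characters of the password's SHA-1 hash leave your machine and the rest of the match is done locally. The common-password set and the range responses below are constructed sample data, not real breach data, and the network call to api.pwnedpasswords.com is left out so the script runs offline.

```python
import hashlib
import string

# Constructed stand-in for a "most commonly used passwords" list (not a real breach list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def password_policy_issues(pw, common=COMMON_PASSWORDS, min_len=12):
    """Return the list of policy violations for pw; an empty list means it passes."""
    issues = []
    if len(pw) < min_len:
        issues.append(f"shorter than {min_len} characters")
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    if classes < 3:
        issues.append("uses fewer than 3 character classes")
    if pw.lower() in common:
        issues.append("appears on the common-password list")
    return issues


def hibp_range_parts(pw):
    """Split the uppercase hex SHA-1 of pw into the 5-char prefix that would be
    sent to the HIBP range endpoint and the 35-char suffix that stays local."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count_from_range(suffix, range_response):
    """Scan a range response (one 'SUFFIX:COUNT' per line) for our suffix.
    Returns the breach count, or 0 when the suffix is absent."""
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed sample responses keyed by hash prefix, standing in for what
# GET https://api.pwnedpasswords.com/range/<prefix> would return. The counts
# are illustrative placeholders, not real HIBP figures.
SAMPLE_RANGES = {
    "5BAA6": """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
7A0A1F6C0E4DD07E24D7D6AD4A3FA5A1F9B:1
""",
}


def check_password(pw, ranges=SAMPLE_RANGES):
    """Combine the policy check with the k-anonymity breach lookup."""
    prefix, suffix = hibp_range_parts(pw)
    return {
        "policy_issues": password_policy_issues(pw),
        "hibp_prefix_sent": prefix,          # the only thing that would leave the machine
        "breach_count": breach_count_from_range(suffix, ranges.get(prefix, "")),
    }


if __name__ == "__main__":
    for candidate in ("password", "Myd0gat3myh0m3woRk!"):
        print(candidate, check_password(candidate))
```

To turn this into a live check, replace the `SAMPLE_RANGES` lookup with an HTTPS GET of `https://api.pwnedpasswords.com/range/` followed by the five-character prefix; the full password and its full hash never need to be transmitted, which is the property that makes the check safe to run on passwords you are still using.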