Published in the Union Leader (3/27/2017)
Q. I’m a New Hampshire business owner. Recently, I have read lots of news stories about data security breaches. What are the biggest cyber risks I need to be aware of and how can I protect my business?
A. In the past decade, businesses have migrated more and more valuable business and personal information to digital forms. While this has helped streamline workflows and increase work efficiency, it has also exposed many ill prepared businesses to crippling cyberattacks. Hackers have used stolen business and personal information to commit fraud and identity theft for lucrative financial gain, including by profiting from fraudulent tax returns and wire transfers, stolen intellectual property, and the disruption of business activities. Here are the three most significant cybersecurity risks faced by businesses and some quick tips on how to protect your company against these attacks:
1. Phishing. In a phishing attack, the hacker disguises itself as a trustworthy site such as a bank or online payment processor and sends you a link by email or instant message, directing you to a hacker operated website. These attacks are hard to spot because the email address may only be misspelled by one or two characters and the website looks nearly identical to one from a trustworthy site. The website will then instruct you to enter your personal information, enabling the hacker to gain access to your accounts.
The best defense is employee training. Effective training will teach employees how to recognize phishing attempts and how to effectively deal with them.
2. Social Engineering. Social engineering attacks are sophisticated hacking schemes that take more time to execute. First, hackers gain access to high level personnel accounts, such as the business owner’s email. Next, they study the individual’s characteristics, learning how to mimic the individual’s usual language, tone, and email format. Finally, the hackers send fraudulent emails to the appropriate people, such as the business’s accountant, directing the person to do something like wire funds to a certain bank account or transfer highly valuable records.
The best defense is instituting a double verification protocol within the business, including for transfers of funds and sensitive records. For example, for wire transfers, require that individuals provide both an email and a phone call to authenticate the transfer request.
3. Lost or theft of unencrypted mobile devices. These devices pose high security risks because they are small, portable and prolific in today’s business world.
The best defense for laptops is to encrypt the hard drive or create a separate partition for documents and sensitive data. For mobile devices, companies should ensure that the devices are running the most up to date operating system and that passwords or biometric identifiers, such as the fingerprint reader, are enabled.
It is important that businesses make data security and privacy a priority. In our world of emerging data security risk, companies should contact an experienced attorney to conduct a comprehensive risk assessment to identify and remediate potential exposure.
Kevin can be reached at [email protected].
Know the Law is a bi-weekly column sponsored by McLane Middleton, Professional Association. We invite your questions of business law. Questions and ideas for future columns should be addressed to: McLane Middleton, 900 Elm Street, Manchester, NH 03101 or emailed to [email protected]. Know the Law provides general legal information, not legal advice. We recommend that you consult a lawyer for guidance specific to your particular situation.