Ransomware threatens to hijack critical business data that is not encrypted properly. Phishers send official-looking emails to untrained employees who accidentally hand over sensitive business information. These types of things are commonplace in today’s internet-connected marketplace. Join us as we discuss business identity theft with cybersecurity expert Adam Levin. You’ll learn practical insights to keep your business protected and what to do in the event of a breach.
Greg Corombos: Hi, I'm Greg Corombos. Our guest this week on Expert Insights is Adam Levin. He's the chairman and founder of CyberScout and co-founder of Credit.com. He's also the author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves. Today we're going to talk about business identity theft and the different forms that can take, and all of them are quite frightening. And Adam, thanks very much for being with us.
Adam Levin: Well, thanks for inviting me.
Greg Corombos: Well, let's simply start here. And I know there are multiple ways to define this, what is business identity theft, and how is it different than personal ID theft?
Adam Levin: Well, you know, there are hackers out there that find ways that they can actually spoof your business online. They can take over your website. They can do things that will not only harass you, but it makes it look as if you're being disrespectful to your clients and customers. So it's really all part of the process of creating a culture of privacy and security in your organization, monitoring your systems, and making sure that any point of vulnerability—that either you discover yourself or you're notified about by one of the vendors you work with—is something you update or upgrade your systems for. These are the kinds of things you should be thinking about.
Also very important, you should always make sure that any data that you collect in your business is backed up. Because if someone clicks on the wrong link, puts malware on your system, locks up your files, and then you get a ransomware note from a hacker telling you you have to pay a certain amount of Bitcoin, you're not in a complete panic. Because one of the problems we've seen with ransomware, for instance, is that they will get the money from you, they will even attempt to send you some form of key that will decrypt all the files that they've encrypted. And it's wrong because they don't even know how to decrypt the information. It's one of those things where it's like, you take the plane, you hijack it, but nobody taught you how to land the plane. So this is a danger with ransomware.
And there are three big problems that businesses can face in the world we live in today. One is a ransomware attack. The second is when you get an email within your organization that looks like it's legitimate, and it's asking for money to be wired somewhere. That's called a business email compromise. Unfortunately, the information it provides is fake. And if you wire the money, you may never see it again. And if you don't think it's possible for a business, Google and Facebook combined wired over 100 million dollars to the wrong company—a company that didn't exist. They got it back. But these things can happen to them, and it can happen to you. And the third is you get an email. You think it's official. It asks for backup for W-2 forms. The information is provided, and you have just exposed all the employees in your organization to the possibility of becoming victims of identity theft. So those are three big things that happen to a business.
Also, it's very important that you keep in mind, you know, a lot of people think about just hacking as a way that your business or your organization's data can be exposed. And I want to give you some thoughts as to what some of the ways that it can be exposed are, that you may not necessarily think about. One is if your database is hacked, okay, so that's hacking. Two is if you have a laptop or a device where you're storing data on, and it gets lost or stolen. The third is if your employee sends sensitive information to the wrong person, and now you've exposed possibly a list of people. The fourth is when sensitive data is accidentally made publicly accessible. And that means that if you haven't properly secured your website or wherever you have this information, it's exposed in clear text, and it's not encrypted.
The fifth is if your backup data is lost or stolen. The sixth is if you have documents, devices, or data that are improperly destroyed. We have a case where CBS News once showed up at the door of a medical provider and said that they went to a surplus sale and copy machines from this organization were on sale. And unfortunately, when they took a look at the hard drive in the copy machine, there was an enormous amount of sensitive information that had come when this machine was copying important documents for the organization.
Also, seven is when employees make mistakes. Eight is when your vendor is compromised. You know, a lot of people don't think about the fact that they may actually have a good thing going within their organization in terms of security. But if they're doing business with somebody that gets compromised, that compromise could bleed over into them, either because that vendor's access into their network is compromised, and malware is put in their network—think of Target and the HVAC subcontractor.
Or let's say you send your information out to a vendor to be processed for one reason or another, and it has personally identifiable information in it, and that vendor is breached. You're on the hook too.
Greg Corombos: Wow. So there are so many different ways that can happen. Several of those clearly seem preventable, just based on being careful about who you send things to, and that sort of thing. But I just want to follow up on a couple of quick things. Number one, first of all, what's the smart way to back things up, so hopefully the nefarious players here don't get access to that as well?
Adam Levin: Right. Well, there are many programs out there that are available, products and services that are out there that are available in order to make sure that you're not continuously backing up. Because the problem is, if ransomware gets into your network, and it happens at the moment that you are backing things up, it could crawl into that backup system, unless it's a separate system that you intermittently connect. So that's number one.
And there are companies like Carbonite, for instance, that have products that do that. There are many other people who are cloud providers. But again, if you use a cloud provider to store your data, or to help you with additional functions with your data, remember to read the contract very carefully, because they have their security protocols. But if you haven't properly configured whatever database it is that you give to them, and you're not watching it, it could get compromised. And how many times have you heard of databases sitting on Amazon systems or on other systems that got compromised, and it wasn't Amazon's fault? It was really the responsibility of the person whose information it was. So back up and update your information when you get a notice. And if it's a legitimate notice saying, "Hey, we found a vulnerability, here's a patch," make sure you apply that patch quickly. Because if you don't, hackers love to find software that hasn't been properly updated, or software that has been discontinued and a new version is now being run. And people are using the old version, or they're using hijacked versions of the old version, so they're not even going to get the notification that it was updated. So update, upgrade, back up.
Greg Corombos: We're talking with Adam Levin, chairman and founder of CyberScout and co-founder of Credit.com. The book is Swiped. Adam, a lot of times we'll get warnings from the government. And I don't know how similar it is in business. But they'll say, you know, don't respond to an email that says it's from the IRS, we would never contact you that way. Is there anything similar to that in the business world or any other way to better protect your business from official-looking emails?
Adam Levin: Well, sensitive information always moves faster electronically these days. And it's not only about making sure that you've encrypted the data that you store, but that you also make sure that your data is encrypted end-to-end while it's in transit. And there are companies you can work with, programs you can use. Also virtual private networks. Make sure your employees, if they're communicating with your business, are operating through a virtual private network that you've gotten from...and there are many different ones that are out there that are very good.
But that's important, too, because you really need the equivalent of an encrypted tube through which your communications are passing. But again, the real rules of the road are to always minimize your risk of exposure. Always monitor—that means bring in third parties to penetration test your systems. Always use two-factor authentication when you can. Your systems and networks should always be asking anyone that logs in, "Do I know you? And should I know you?"
And two-factor authentication where either a code is sent to a smartphone, but even that is not infallible. Or when there are a set of very specific security questions where the answers are invented answers. They're not based on facts, because facts can be discovered on social media and other things. And then the third thing is to have a damage control program because unfortunately, it is pretty much inevitable that whatever you do, sometimes somewhere, somebody's going to make a mistake and your information, your company's information, your company's client information could get exposed.
So you need to be able to respond urgently, transparently, and empathetically. Because regulators and class action lawsuit attorneys always want to know a) did you properly protect the data, and b) when you found out you had a problem, how quickly did you move? And did you comply with all of the notification requirements, as well as if you get cyber liability insurance? If you fail to prove to your insurer that you have properly protected data and that you notified everyone you were supposed to notify within the timeframe you were supposed to notify them, you could be facing the possibility of them denying your coverage.
Greg Corombos: Let's close on that important note, Adam, and that's what to do if in fact you are breached, or when you are breached. You say it's largely inevitable at this point. But what is the best practice, the best policy to have in place, so that not only do you protect yourself from a class action lawsuit, but you can simply minimize the damage caused by it?
Adam Levin: Well, the most important thing to remember is that the team that you have that's working to deal with these problems games different scenarios and updates your response plan. And then you need to have a professional organization. And sometimes it's best to have a third party come in. Because here's the thing to remember: in the United States, there is no national breach notification law. There are...every state now has a breach notification law, and many of them are not similar. So you need someone who can come in, who can say to you, this is the way you communicate, these are the regulators you communicate with. This is the way you should approach the media. This is the way you should communicate with your clients, customers and employees.
Greg Corombos: Adam, we'll have to call time there. Thank you for so many excellent insights on a critical issue for businesses large and small. We really appreciate your time today.
Adam Levin: Well, thanks for inviting me.
Greg Corombos: Adam Levin, chairman and founder of CyberScout and co-founder of Credit.com. He's also the author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves. I'm Greg Corombos reporting for Expert Insights.