The Financial Times reports that many nonprofits are vulnerable to cyberattacks.

Many charities simply don’t want to invest time and money defending against hackers. A 2016 study found about half of nonprofits had not conducted a cyber risk assessment, and two thirds had no plans to increase spending on data security. But hackers don’t give nonprofits a pass. The article tells the story of a small, Indianapolis, Indiana-based cancer charity that lost all its client data in a ransomware attack.

“While it is not surprising that charities want to spend scarce resources on housing the homeless or feeding the hungry, some argue that those very services could be at risk if they fail to invest in cyber security tools and practices,” according to The Financial Times report.

Industry publication Data Breach Today reports hackers are increasingly exploiting weak Remote Desktop Protocol (RDP) credentials to launch ransomware attacks.

“Many enterprises use remote desktop protocol to remotely administer their PCs and mobile devices,” reports Executive Editor Mathew J. Schwartz. “But security experts warn that weak RDP credentials are in wide circulation on darknet marketplaces and increasingly used by ransomware attackers.” RDP credentials have long been used to launch distributed denial of service (DDoS) and malware attacks. Investigators recently found RDP credentials for sale for as little as $3.

To thwart hackers, experts told Data Breach Today, companies should use strong RDP passwords to stop brute-force attacks, keep an eye out for unusual network behavior and audit ports to prevent open and unsecured RDP or SSH ports.

Cloud computing offers greater flexibility, speed, and convenience, but some businesses were hesitating to take advantage of the technology due to fears of increasing vulnerability to cyberattacks.

But a recent study reveals a marked increase in moving sensitive data to the cloud as a result of increased confidence in security – and despite continuing struggles to monitor and manage the data once it’s there.

In a post on the Dark Reading blog, Kelly Sheridan reports that fewer than 25 percent of businesses had their applications, data, and infrastructure in the cloud two years ago, but that 44 percent are cloud-based today, and 65 percent are expected to be two years from now.

Read more:

https://www.darkreading.com/cloud/security-forecast-cloudy-with-low-data-visibility/d/d-id/1330239

 

Physicians have their hands full on the best of days. It’s not difficult to imagine why using a voice assistant such as Amazon’s Alexa or Apple’s Siri might be attractive.

In fact, a recent survey showed nearly one in four physicians uses the assistants for work-related purposes, such as researching prescription drug dosing. It’s likely many are unaware of the information security dangers they pose.

In an interview with SCG Health Blog, Fox Rothschild attorneys Elizabeth Litten and Michael Kline explain that the labor-saving devices pose a bevy of data privacy and security risks, and offer doctors six helpful tips for protecting their practices.

A number of employers in Illinois are involved in pending class action litigation regarding violations of the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (the “BIPA”). The BIPA, which was enacted in 2008, addresses the collection, use and retention of biometric information by private entities. Any information that is captured, stored, or shared based on a person’s biometric identifiers, such as fingerprints, iris scans, or blood type, is considered “biometric information.” The Illinois Legislature enacted the BIPA because biometric information is unlike any other unique identifier in that it can never be changed, even once it has been compromised.

The BIPA requires that, before a private entity can obtain and/or possess an individual’s biometric information, it must first inform the individual, or the individual’s legally authorized representative, in writing of the following: (1) that biometric information is being collected or stored; (2) the specific purpose for the collection, storage, and use of the biometric information; and (3) the length of time for the collection, storage, and use of the biometric information. Furthermore, before collecting any biometric information, the private entity must receive a written release for the collection of the biometric information from the individual or the individual’s legally authorized representative after the above notice has been given.

The BIPA additionally requires the private entity to develop a written policy that establishes a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. That policy must be made available to the public. The collected information must be destroyed once “the initial purpose for collecting or obtaining such information has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first.” 740 ILCS 14/15. In the pending cases, the private entity employers failed to obtain informed written consent prior to the collection, storage, and use of fingerprints and other biometric information. The employers also failed to publish any data retention and deletion policies for the biometric information.

The BIPA also restricts a private entity’s right to sell, lease, trade or otherwise profit from a person’s biometric identifier or biometric information. An employer who adheres to the requirements of the BIPA will be able to avoid class action litigation on this issue and maintain compliance with industry standards.

The Federal Trade Commission is investing nearly $3 million in technology to support an increasing need for e-discovery driven by massive data breaches such as the one disclosed recently by Equifax.

The news comes from the National Law Journal, which reports that the FTC awarded a one-year contract to Innovative Discovery LLC of Arlington, Virginia for a secure litigation support service. The agency awarded the contract without competitive bids because it “faces usual and compelling circumstances that require the immediate initiation of this pilot,” the Law Journal reported.

“The FTC is entering into an unprecedented year of investigations and litigation, including its investigation into the Equifax data breach and an usually high number of forensic data acquisitions in fraud cases,” agency officials wrote. The contract, they added, “is essential to enabling the FTC to successfully conduct investigations and litigation to stop consumer harm, thus enabling the agency to accomplish its mission.”

On Tuesday, November 7th from 2:00 to 6:30, Fox Rothschild and Kroll will be presenting the CLE: Staying One Step Ahead: Developments in Privacy and Data.  The CLE will take place at Fox Rothschild’s offices at 353 N. Clark Street in Chicago.  The speakers are Bill Dixon from Kroll, and Dan Farris and Mark McCreary from Fox Rothschild.  Cocktails and networking will follow the presentations.

If you are in the Chicago are on November 7th, I hope you will join us.  Click here to register for this free event.

A new study notes that despite record spending on cybersecurity, overconfidence may be hurting companies’ ability to protect against data breaches.

Tech publication Information Week reports that the survey of IT professionals, by security firm Gemalto, showed that while 94 percent of respondents said their perimeter security was effective, nearly a third reported breaches within the last 12 months. Surprisingly, 14 percent said they would not trust their own organization to safeguard their personal data.

Why the disconnect? Experts interviewed by Information Week chalked it up to a lack of understanding of cybercrooks’ motivations, and a general lack of knowledge about cybersecurity in corporate C-suites. Click here to read the full story.

For small and medium-sized businesses, the most dangerous cyberthreat may come from within.

IT industry publication TechRepublic reports that a newly released study by Keeper Security and the Ponemon Institute suggests careless employees are at fault for the majority of data breaches at small and mid-sized businesses. The study surveyed 1,000 information technology professionals in the United Kingdom and North America. Some 54 percent listed employee negligence as the root cause of cybersecurity incidents, followed by insufficient password policies.

A stunning 50 percent said they had suffered ransomware attacks in the past year. Of those, 79 percent said ransomware entered via a phishing or social engineering attack.

Click here for TechRepublic’s full coverage of the study.

It wasn’t a good week for credit reporting agency Equifax, which admitted to a major data breach affecting more than 143 million people.

Consumers’ data was exposed over three months via a vulnerability in a web application, the company said in a press release announcing the breach.

The breach was covered by every major news outlet, but Data Breach Today‘s Jeremy Kirk raises some interesting questions about Equifax’s notification strategy in this piece.

For the latest in breach response protocol in all 50 states, download Data Breach 411, a free app developed by Fox Rothschild’s Privacy & Data Security practice, available in the iTunes Store.