Even when they take reasonable steps to keep their data secure, individuals and businesses remain vulnerable to data breaches orchestrated by scammers and hackers, said attorney Jennifer Puplava. As chair of the computer systems and technology committee at Mika Meyers PLC in Grand Rapids, Puplava is involved in the annual Data Privacy Day each January to promote awareness of the ever-growing threat to cybersecurity and of data protection practices. She recently spoke to MiBiz about the problem and what people can do to improve their chances against hackers.
How prolific is this problem?
It’s everywhere. It’s an increasing problem and it’s only going to get worse. That’s why this initiative was started years ago to try to get people to realize that they need to pay attention to this, and there are certain simple steps that everybody should take that don’t make the problem go away, but they make it more difficult for people to grab your data and do bad things with it.
We’ve seen all kinds of different scams, everything from old-school check kiting. You paste together something that looks like a real check and it ends up turning into a question about a check that a company thinks is supposed to be going to a vendor. It isn’t to try to get them to cash a check, it’s to get them to try to share their banking information. It’s so hard to stay on top of all of the different scams.
Do people even immediately realize when a breach has happened?
It’s difficult and complicated because it’s so sinister. Someone can get your information and then just sit on it for a while and do nothing so that you’re not aware of it. Someone gets your bank card information, and they may go out and rack up a thousand bucks on something but you know immediately that’s a problem. That’s not so much the case when they’re stealing your data. They’re just waiting for the right opportunity to use it.
The scariest situations that I’ve seen have been where someone has hacked into a system and then waited until the right moment to take action. They’ve infected a system and they can see things, they can read things, send things out, they can freeze up computers, and it’s not as if they do it on the day that they get access. And it’s not an isolated incident.
For small businesses, what’s the easiest step they can take toward prevention?
The next thing that people and businesses could check is what are they allowing by way of cookies. Only accept necessary cookies. You go to all kinds of websites and they want you to agree to all of the things and they’re collecting all kinds of information in the background and you’re not aware of it. Go through and change the way that that’s done. By limiting the amount of information that businesses are allowed to collect from you, that doesn’t necessarily get rid of all of the bad guys, but it helps limit the amount of information you have out there available for theft.
Does that mean adding layers to access a system?
Another method that we’ve been pushing out that people don’t like but it’s something to consider is multi-authentication. If you’re pulling up a business account on your computer at home, do you have to then verify that it’s you by a second means, or are you able to just log in and get going? Having a separate authentication put in place for all of your email, for your financial accounts, for those sorts of important, sensitive information and uses, that really can help keep bad guys out of the mix. And it’s a pain at first, but it becomes easy after a while.
What’s the biggest misunderstanding people have about cyber attacks?
They think that it’s not going to happen to them. They think that they’re too smart and that they’re not going to get trapped because they think, ‘Oh, I see all of these emails and they’re all scams and it’s not going to be a problem for me.’ Everyone will get hacked. It’s not a question of whether, it’s a question of when.
Do small businesses still think they fall under the radar for hackers?
Small businesses are more cost conscious. They think, ‘I don’t want to invest a lot of money into fancy security or do anything like that.’ I think that’s a misunderstanding of what they need to do. They don’t have to spend a ton of money to educate their staff of five that, ‘Hey, don’t click on an attachment unless you verify it’s correct by making a phone call’ or ‘we’re going to use multi-factor authentication if you’re going to be working remotely to get into our system.’ It isn’t so much a question of cost as it is one of education.
Is there enough public awareness of the problem?
There’s not. It’s improved. The whole point of Data Privacy Day is to help build that awareness because, unfortunately, a lot of clients come to me for the first time after something has happened and they have to deal with the fallout. It’s better to plan in advance and try to take every step you can to minimize the potential exposure you might have so that if something bad does happen, so if you do click on the bad link or the bad document, you minimize the impact that might have on you, whether you’re a business or an individual.
What’s the biggest mistake businesses make in terms of cybersecurity?
They move too fast. They want to keep their business running and they’re hustling. Let’s say you have a small office of five and you get an email from the boss that says, ‘I need you to send me the employment record or the W-2s for our employees. Send it to me. I need it right now.’ If you’re the lowest man on the pole, you’re going to send it to your boss because you want to make the boss happy and you know the boss needs it right now. It’s a better practice to actually walk down the hall and say, ‘Did you send me that email? Do you really need that?’ or to pick up the phone. That’s probably one of the biggest challenges for businesses, to realize you may need to take a minute to verify you’re not getting scammed, even if it may delay your response to a customer or to a boss or to a prospect.
Do we need to remember the people doing this are pretty sophisticated in conning people?
They are so sophisticated. They will create an email, they’ll rip off logos. Here’s another potential way they can scam you: Let’s say they’ve already gotten access to your system and they’re just lying in wait. They can actually send an email within the system saying, ‘Hey, I need to wire some payments. What’s our routing information again?’ Someone might check that email address and say, ‘Oh, yeah. This is from inside the house. I have no problem with this.’ People can get scammed that way, too, which is why making sure that you’re secure, and not just doing it once but doing it regularly, is important.
When we hear stories about businesses getting hit and having their customer data stolen, the tendency is to get angry. Do we need to keep in mind that these businesses are also victims of a crime?
They are, and it’s happening more than you might realize. You hear about the big breaches like the Targets of the world or the Experians, because so many people’s records have been affected that it becomes public knowledge. You may not hear about the smaller breach where only the individuals who were affected receive notices from the company, but there are a lot of breaches that happen on a daily basis, and it’s increasing.
Just as you secure your business by making sure you lock the door behind you when leaving the office each night, do you need to think the same way about data?
I tell my clients there’s no such thing as perfect security. There are things that you do. That doesn’t mean you’re going to be successful because criminals are determined, they are motivated, they want their end game. But that doesn’t mean you should leave your doors unlocked and show them in. You should lock your doors. You should have passwords for all of your accounts using multi-factor authentication. Being careful what you share online, being careful what clicks you make when you’re provided a hyperlink — all of those things help to shore up your defenses.