Sign Arkansas Banking Permission Slip Computer

Industry sign banking arkansas permission slip computer

well good morning everyone thank you for joining us this is the better business bureau serving arkansas and the bbb education foundation's cyber security fireside chat i'll be your moderator today i'm janet robb president and ceo of the bbb serving arkansas also want to be sure and let you know and introduce to you tina hunter the executive director of the bbb education foundation and she will be managing the technical side of this process today so thank you tina our goal today is to highlight actions that can be taken every single day by individuals and smaller businesses that may not have a dedicated i.t department we want to thank our education foundation sponsors they sponsor foundation programs throughout the year including this one and without their support we would not be able to bring programs like this to you today for free or for a very low cost so i want to introduce our panelists for today jennifer samuel is with the hatcher agency jennifer is an insurance liability specialist the hatchery agency is one of the top insurance agencies in arkansas she's been with the hatchery agency since 2012 in the property and casualty division and she will share how you can protect yourself from the possible financial setback your company may suffer as a result of a data security breach jeremy osborne is the chief cyber security advocate at adafio technology partners he has over 18 years of experience in the information technology field jeremy is a certified information security professional a certified ethical hacker and a licensed penetration tester jeremy specializes in providing opportunities for professional growth through education and collaboration he is an expert at translating executive to nerd and believes that success is accelerated through diversity jason frankenberger is with the fbi special agent frankenberger is a cyber trained agent and he graduated from the university of arkansas with a degree in computer engineering he worked for an engineering firm while in college until 2006 when he joined the fbi special agent frankenberger has served in the memphis dallas and now fayetteville arkansas field offices and specializes in criminal national security federal violations of computer intrusion computer forensics and any matter requiring technical investigation and last but certainly not least we have with us today mandy stanton with the mitchell williams law firm she advises business entities and individuals in evaluating and managing risks associated with privacy and data security practices including incident readiness and response mandy is a u.s and europe-certified information privacy professional so we're going to start by asking some questions that we received prior to today from our attendees i'm going to toss these questions out and of course our panelists are always encouraged to chime in when you have something to add the first question actually is addressed to all of our panelists what single cyber security threat concerns you the most i'm going to start with mandy thanks janet i i think i have to say just from my perspective looking at this from maybe a 30 000 foot overview is i think many organizations lack a good understanding and general awareness of what information security requires um i was reading a report the other day about hybrid working environments that we're all kind of anticipating maybe more common after covid and some of the takeaways from these companies really weren't any different than um you know the takeaways we found from previous years reports um you know basically like i t decision makers were concerned about unsafe data practices by employees they're concerned about bring your own device policies um there was you know a lot of phishing attacks i think there was a i think the statistic was one in three of the organizations surveyed had a phishing attack between march and july of this year so none of these concerns are new none of these you know phishing is certainly not new but now we have these remote working environments and personal devices creating you know in some case for larger organizations hundreds of new touch points that attackers can take advantage of and i'm sure that we've all heard or stated statistics that a lot of data breaches that we have begin with human error you know just someone clicking a link or you know doing something inadvertent and so we still have this this human element that causes an issue and a risk in our um you know in our data security structure so now we have security leaders that can't necessarily guarantee that employees are training outside of the office and some organizations i read in that that report said that they didn't even provide additional materials for the organization to address a remote working environment and so it's making businesses more vulnerable and i think all that to say is that organizations don't often realize that you need to take a living approach to information security that it's not necessarily a one-and-done deal so as your organization and your environments change you know your information security needs to continue to change as well so i mean some of the the concrete things as far as that goes is going to be you know evaluating your policies and i can't say employee training enough um but even and this is something jason and i have talked about on other panels even building those relationships with law enforcement or other partners that you may bring in for an incident readiness um or incident response plan you know go ahead and starting to build those types of relationships now before you get into an emergency situation so just kind of the overall lay of the landscape and being aware of what it takes to be diligent in this area yeah good point thank you jeremy what's the single cyber security threat that concerns you the most oh well i don't i don't know how i'm going to have a better answer than what she just shared you know other than to say you know my sleeping patterns um that's probably the biggest threat to me personally right staying up all night um but yeah that that awareness that that ability to critically think and to really be able to slow down enough in your daily life to to make a conscious decision right and to to think about things before you before you act on them i think is probably if i if i had to pick one thing i'd pick that to echo out of what mandy was saying yeah yeah and what i'm hearing from both of you that sometimes the biggest threat is not external it's what we do actually have some control over as far as keeping those doors closed and taking proactive steps to prevent that sort of intrusion uh jennifer yes um well from my standpoint i think that i would say the financial security because i'm going to be looking at this from a business perspective and we're still seeing only about 30 percent of businesses buying cyber security policies so that leaves 70 percent of businesses out there at risk of um being having no coverage so to speak and then when they do get hit we're seeing a lot of businesses go bankrupt from the the financial burden that this takes on yeah yeah good good point uh there are significant financial consequences if you have a data breach and there is insurance for that jason so all great points um you know echoing on what mandy said you know in this post covered world we've seen a whole lot of stuff just get stood up really really quick and security has kind of been a secondary uh type approach i know from the fbi perspective uh the number of cases and the number the amount of work we have been doing since march has been uh just exponentially higher the number of complaints and stuff probably still the the highest lost value stuff that we're seeing hit small businesses and eating big businesses is continues to come from business email compromise it's still ransomware is out there so um you know if you're not familiar with business email compromise these are things that can be done simply by spoofing an email or an intrusion into somebody's email system you know an example that i that i use quite frequently because of the number of cases that we've seen with this is whenever you purchase a house you receive those uh instructions on how to wire uh money to the closing company for your closing funds and we're seeing uh that email get intercepted in number of different ways and having the wrong bank account routing numbers sent to the person making those wires so anytime somebody is wiring money just being extra extra careful if somebody's changing a bank account on you that is an automatic red flag you need to go and revisit that with the person that's changing the bank account we've seen losses up here north in northwest arkansas i can speak to we've had actual losses of 1.2 million dollars to a small company that uh put them out of business we've had a number of the title company related incidents in northwest arkansas you know in the 200 to 400 000 range and we've been lucky on a lot of them to be able to get uh recall some of those funds we have a system in place where we can we can at least try uh to get some of those funds those domestic wire transfer funds back and uh we can certainly talk about how to initiate that process uh when we talk about reporting and such but definitely business email compromise from the from just straight lost perspective but also um like the other presenters said this post coven uh situation that we're in everybody's working from home there's lots more opportunities everything from uh you know i have cases on the zoom bombing to um you know things happening with when websites get stood up poorly uh and quickly okay thank you so you you've all talked in general about cyber security threats but i want to ask specifically about cyber security threats to smaller businesses i think there is a definite misconception out there that this mainly happens to big companies uh that are big targets and have big data and big pieces of information uh jeremy could you address that issue of um you know the risk associated from a small businesses perspective yes certainly um and i'm really interested in some of jason's insights on on this topic as well you know one of the things that that we see is and again it's back to education and awareness it's the familiarity that you have with the subject matter right you are you're a business owner you're really good at whatever your business does right and so you may or may not have a technical bent to your you know how you approach things and and how interested you are in the technology so i personally just think it's really really important to find people that you trust find people that are trustworthy to help you understand help you think through some of the the technology and the cyber risk associated with the smaller businesses yeah jason could you address the issue of the vulnerability of a small business versus a larger higher profile company sure um you know the larger businesses you know we have a lot of them in arkansas and you know they have teams uh where they're in on site uh that spend they have a huge budget a lot of times for it security and they do a pretty good job that doesn't mean that they're immune to the same types of things that we're seeing happen to businesses but on the small business side we do see a lot of small business tax either via you know an uneducated employee clicking a link or opening an invoice and kicking off a ransomware event a business email compromise event or even just a straight up intrusion we've had them you know i've had complaints with people just getting in and stealing information from everything from hospitals to law firms and a lot of times those are very very difficult to track down and prosecute but they're definitely hitting smaller businesses that may or may not have any i.t budget it may be a secondary um a co-responsibility of somebody's main responsibility to manage the network we're seeing email systems that are not professionally managed that will be you know the business name gmail.com which is you know presents a whole host of issues there who has access to that account are you using a common password um are you using two-factor authentication who's truly managing that network and it can make for an easy target for smaller businesses that may not have the budget uh and that's where you know we really encourage them to either they're big enough to have their own i.t department or to get a managed service from a provider you know adafio or whoever else is their preferred provider to have some kind of management of that network sorry energy is something else um i i've i've actually had uh and quite a an increase in helping um clients with data breaches this year and one of the things that i've seen more frequently this year is um smaller businesses who are the victim of an indirect attack through their vendor like their vendor has been attacked and and so it's not necessarily you know direct within your network but through this association from shared services which of course are cost effective for small businesses um you know they're they're kind of getting caught up in this web of a cyber attack um because their their partners are being targeted so one of the things i would say to kind of uh to to mitigate that risk a little bit is to make sure that you do have a good um you know give as jeremy i think said slow down take a pause and really give some thought to vetting your vendors and investigating their security measures before you sign a contract with them and get on board with them that's good advice and and speaking of third parties and i'm going to toss this to jason first what about using public wi-fi and mobile hotspots what are the primary dues and probably more importantly the don'ts uh on using public wi-fi you know so so public wi-fi whether we're going to a coffee shop or a fast food restaurant everybody is or a hotel uh hotels are notorious for having uh free wi-fi and you can even pay money to get the updated wi-fi uh from uh from a hotel um there are definitely if you're if you're on an open network like that you know your data is transverse in the network just like everyone else's and it also makes it open to where anybody that's on that network can uh can see what data is that that you're sending and now most of your stuff should be encrypted in some form uh but you know if you can avoid a public network like that there's special software there's browser plugins that steal login credentials that sometimes happen before you make an encrypted connection um depending on what website many years ago there was a just a simple browser plugin you could run and it would uh you could you could be on a copy shop network and it would just scrape credentials off of everybody that's logging into social media and stuff like that just keep in mind that everything you do is visible to anybody that's on that network we've also seen instances where you know if you're sitting at a fast food restaurant that um somebody may spoof a very similar sounding restaurant name or hotel name to try to get you to connect to their network so that you're actually routing your traffic through somebody who you don't know but believe it's safe um you know if you can use a mobile hot spot or hotspot your phone or something like that that's a more private connection you're far better off um hotels are notorious if you go to a hotel i mean there's a reason you know even you know when you go to like the big computer conventions out in las vegas and stuff like that these guys are practicing what they do uh on hotel networks they've got some pretty fancy stuff that they like to try out and deploy and they're very successful with that and you know just keeping in mind what is it that is on your computer how is your computer set up your own personal devices um to not accept connections from from the outside you may be behind the hotel firewall but if somebody else on them is uh behind that firewall as well you could uh be asking for problems and data loss on that and here's another question that came in um this may be a good one for jeremy or mandy or actually anyone on our panel and that is can you truly be anonymous online so i'll i'll take the first stab at that one yes and seldom is it worth it rig t it is so much effort to get to that point and and jason i'm sure you you've probably got some insight into this as as well you know there's always a human behavior that if you can if you can find it you can make a really good kind of educated assumption or guess at who that person is right there's there's there's linguistics capabilities there's patterns of behavior that that happen it is just really super difficult to become completely anonymous online other thoughts yeah i i agree you know there's many greek uh groups that have named themselves anonymous and uh they can be pretty good at trying to keep themselves online but uh i can tell you a lot of times i've shown up at people's door uh and made arrests and put them in jail because they really thought they were being anonymous online and uh you know a lot of times we do run into situations where somebody is anonymous online and i may know who did it but it comes around to a lot of times uh you know for a particular company it's been hacked into or had an intrusion what type of log files they have that i can go off of and try to figure out who did it so a lot of it's on on tracking on this side but you know there's lots of vpn connections and stuff like that you can do a really really good job of being anonymous um but like jeremy said it's very difficult and you got to be your uh operational security has to be 100 there's there's no rooms for mistakes or you'll show up gets scary doesn't it so assuming that um all of our information is out there somewhere and i think that's a fairly safe assumption most of the time uh someone posed the question of what insurance do we need to protect our business and we also want to hear about thoughts on investing in not only data breach insurance but lifelock and similar products jennifer i'm going to toss this to you first and then ask mandy to add to that okay um as far as the the insurance goes i think that jason brought up um a good point a lot of small businesses are what we are seeing as well that that need um the cyber liability insurance policies and they are not purchasing them um but as far as trying to protect your business and your small business a lot of people think that they have a data breach endorsement on their property policy or their general liability policy and that does not cover necessarily cyber related events so i would say you should look at the policy that you have in place right now uh and then as well you want to go out and you want to buy a standalone cyber liability insurance policy for your business then once you get in into that phase then there's a lot that goes into deciding which cyber liability policy to purchase and i think they brought up third party before but um when it comes to a business third party means a different thing to me so let's say you have a medical billing company and that's my client so i'm getting the policy for that company well they do medical billing for 200 different urgent cares well if my medical billing company gets hacked well then they're responsible for all of those the third party which is all of the urgent cares so it's very important to have contracts in place between you and the third parties you and your vendors i'm seeing a lot of people require um companies that they do business with to have cyber liability insurance policies so from a um business standpoint from an individual standpoint we do see id shield and life log and those are good things to have in place on all insurance policies it's it's mitigating a risk so these are all put into place to help with those expenses but they do have some um i think lifelock they have some and i wouldn't call it an insurance policy i would call it more um security protection fraud protection um if you have to go outside of that lifelock which is a good thing and i would suggest yes having some kind of security but if you have to go outside of lifelock and there is um attorneys involved well then you are also um responsible for some of those attorneys fees so just with all insurance policies read the fine lines or talk to someone that deals with these type of policies because it's not a normal business policy yeah i don't know if i really have much to add that was a great explanation jennifer i i mean i think um you know one of the things that we always say is you know no one's going to advocate for you like you are so i like anything else we've talked about dealing with information security it's an evolving thing so i don't think you get lifelock and think okay i'm okay like you need to stay on top of your information and your credit reports or whatever you may do um and so you know that's just kind of some general advice i would give from a more individual side um and you know i don't have anything to add in terms of the difference between first party and third party coverage i think jennifer covered it one thing i will say in terms of the amount of coverage like what would be an appropriate amount and you know a lot of that a lot of times that's contractually driven with whoever you're working with if you have a client that's requiring you to have a certain dollar amount or if you have a vendor that you're requiring them to have a certain dollar amount but um one of the things i would say is um there's a there's a study that comes out every year um that you know estimates the the fees per record in the event of a data breach and depending on your industry i mean some industries like financial and medical are obviously higher that usually runs between about 150 and 450 per record so depending on how many employee records you have whatever customer data you have that each piece of information that's a record which could require notification could require credit monitoring those types of things and so um you know in terms of how much coverage is adequate those are the things you need to be looking at is is at the record level and i mean jennifer if you have anything else that i've i mean that's short but if you have anything else to add to that now um i saw that someone asked a question on the prerequisites for business insurance and what they look at they'll send an application for you and the main things that they're going to look at is what mandy just talks about the number of personal information files that you have and also the number of employees because we talked about it earlier inside is one of your biggest risks so they're going to look at how many employees you have that could possibly go rogue on you um so anytime you're looking at uh insurance the underwriters wanna they're placing a bet on you um on how safe you are on how big of a risk you are on how many open doors you have out there but they don't they don't normally have to come in and or request an audit um they may want to know your revenue annual revenue securities in place at the time which is why i like working with you know people like adafio because they'll come in and they will help you get those protocols in place and so those are questions on the application what do you have in place at this time good good answers i want to make sure i'm jumping ahead to some of the questions previously submitted because i want to be sure that we address this issue that i'm getting ready to talk about uh we've had a question submitted uh just a couple of minutes ago as well that is on this same subject and it's the issue of the mix between personal use and business use on personal computer equipment or business owned equipment the specific question asked was about an employee using a dating app such as tinder on a business network and can that put the business network at risk i think the answer to that is obviously yes um but i think with especially the last six months with so many companies transitioning from perhaps an on-site workforce to a remote workforce there are many employees that are using their personal computers at home for company business and so it's kind of the the same problem but a reverse way of getting into it and um so what is the acceptable use what are good policies to put in place regarding personal use of company owned equipment versus business use on your personal equipment in your home i think i want to start with jeremy on this one oh wow thanks for the softball there no just kidding you know it is it is such a robust and complex topic right especially when you're talking about smaller businesses trying to make that digital transformation right you're talking about environments that may or may not you know have any sort of oversight and governance around them you know you're talking about devices that were never intended to access this kind of information so yeah there's there's a whole host of risk and i'll and i'll take us kind of full circle a little bit back to the insurance conversation and that is one of the things i think that it's really important to understand is it's important to understand what you get out of the services that you're providing here's what i mean by that if i have a bring your own device policy or an acceptable use policy or some guidance that i have i've given the people that i work with right that needs to be understood it needs to be well documented and discussed and it needs to be able to be followed up on right there's a there's a quality assurance for lack of a better term there's a qa perspective of check in with your people make sure that they are not you know being put in a position of having to make fast poor decisions i think jeremy just froze no i'm still here i was done oh there you are okay good uh jason what would you add to that yeah you know so when you start talking about bring bring your own device policy you know you're called byod and a lot of i.t professionals will refer to that as bring your own disaster uh whether you're when you start allowing devices onto your network that are personal um that you're inviting the outside into your network if you're allowing them to vp into your network uh you know you're now allowing them to bring that personal device that they take home and do whatever on and now they're bringing it back into your network directly i go back to a story when i worked before the fbi when i worked for an engineering firm we had a virus that came into our facility shut us down our manufacturing was shut down and we all started digging around trying to figure out what in the world happened and it turned out that we had a laptop that had come in come in from the outside and then got plugged into our network behind our firewall where we had all our protections in place and it shut down the facility for a number of days we get it back online um turn in a small company and the boss wanted to know who did it well it turned out it was his laptop so it was kind of lucky lucky for us and what had happened is he had taken his personal his work computer home that was you know he was the owner of the company he let his kids play whatever games on it contracted a virus and then brought it back to work the next day um so i know our policies you know we don't allow any personal devices on our network you know i carry two cell phones which is a pain that just has to be uh part of it you know the laptops that i have i have a personal laptop that i use at home that's my personal device and then i have you know the laptop i'm doing a presentation on today that was a government purchase device and i have a very strict dividing line there uh nothing personal goes on the business computer not the business goes off the personal computer but for some people that's not practical but it does you know it's all uh you know risk versus convenience what your company is willing to accept on that you know i would say just to add real quick as far as i mean really ultimately to jeremy and jason's point it's a business decision what you want to permit and how much risk you want to take um in terms of what your employees can use on your network your your internet connection your software your devices whatever it may be so in in drafting this type of policy i would say you know you want to be um you know clear about what's covered with it but you don't want to be so specific that you create and unintentional loopholes um and you know and and to make sure that the policy itself doesn't also impede your employees ability to actually do their job um i mean we you know for example you know somebody at my office we have we have clients from all over the spectrum walking in the door and so we we definitely need google you know so um you know but i've worked at a place before where we weren't allowed to be on google so um you know i would just say make sure that you're making your policy flexible enough to allow you to to do business and also allow you to address like updating and current technology as well yeah just to piggyback that's an excellent point mandy makes you know our network is very highly locked down i go to my phone to do what i need to do in the course of my daily business and i can't get to the website well what do i do i pick up my personal device and i get where i need to go and that unfortunately sometimes facilitates a crossover there that i probably shouldn't have um so she's actually absolutely right making it flexible enough where your employees can do what they need to do without having to without forcing them to make that crossover to another device to do business on and i'm gonna add talking about home and personal computers and work computers um you need to check your insurance policies to make sure as a business owner to make sure that the equipment that your employees are using at home or taking home is covered because there are some that will not um cover an incident if it's not on the premises of curiosity do do any of the policies come with you know proactive measures or you know some some help and counseling and guidance capabilities um to get in front of breaches or in front of the security risks yeah there are um the cyber policies have a 1-800 number that you have access to to call and get support okay good to know this is kind of related to a couple of other questions that have been submitted concerning the issue of how using social media puts individuals at risk the question was is opening an attachment on reddit or facebook risky and related to that is how can i tell if an email is fake or contains malicious content and what happens if i open it and then decide it may not be a safe thing to have done so how do you know on the front end what are some things you can check for and if you think you've done it and have that oops moment what's your next step you know i mean you can you can look at attachments and you can look at emails and you can make a best guess as to whether that's legitimate or not you can look up in the main bar you can hover over things and see what it's trying to connect to you can try to do all that but the best practices is to you know if you're getting a link in an email or an attachment that you're not expecting don't open that um we've had countless times where ransomware is run in the background and then locked up computers or it's been the facilitation point for a business email compromise or uh just a data breach in general comes in through when you click that link you're circumventing a lot of the protections that your id provider has in place we've had i've had people walk into my office and start talking to me about the problems they have and we start we start talking about it okay what happened in the days before this did you have a uh an email come in a lot of times like you know what i did have an email come in and it asked me for all of this information and asked me to click here and now they're having having problems so we can get it tracked back pretty quick a lot of times um they're just asking people to click in emails because that's easy we have brute force attacks there's all kinds of high-level attacks that happen but a lot of the times our bad guys aren't making it harder than they have to either it's simply coming from an email attachment being vigilant about that you know there's some places that will never ask you to click on the link or open an attachment email they're never going to ask you for information your bank account they're never going to send ou say hey you know click here or your account's expired or something like that you know we're still seeing those same types of things um happen day in day out and so yeah you have to be vigilant you have to vet those but it can be very hard unless you're wanting to dig down in header files and even then it's not worth it just you know don't click that or or you know if your bank is sending you a link to click go to your normal bookmark for your bank and log in that way and they'll have a secure messaging portal in there that'll have any messages yeah sometimes it's that old uh precaution of stop think and take a breath before you click um you know we need to slow down sometimes a couple of other questions that came in um one says uh you know from ordering lunch to purchasing office supplies online these sites always seem to ask if i'd like them to save my information for a future perfect uh purchase and that's convenient but what are the risks involved always a a risk in putting any sort of information out there right yeah but there's always there's always ways to to kind of counteract that risk constant vigilance right is one you know keep an eye on on your credit card activity if you've got you know if you're if you're storing those that type of information out there it's definitely a convenience factor right um there are some uh credit card companies that will they have services around like single-use credit card numbers so you can go to the website and you can log in and you can set up an alternate credit card number and associate it with a particular thing right so i want to ziki's and so i get this special credit card number associated with tcz and i store that credit card number in the taziki's website right and then you can always trace that back to where that came from if your information gets compromised and it allows it affords you the opportunity to go back and say i want to cancel that use case number because it looks like it may have been compromised so there's services out there like that from some of the card companies so probably best not to save the information bottom line uh another question came up you know says it's so tempting to purchase items on facebook or instagram you see the pop-up ads it seems like they know exactly the types of things i would like how is that uh you know even i can answer this question it's called target marketing and uh companies have a way of knowing you know what you've looked at let's say you go you have gone and looked at um you know a um a bedspread for your home and then all of a sudden you're seeing these pop-up ads from companies that offer linens and other home decor does anybody want to talk just briefly about target marketing uh to me that's not quite so scary um but it's just something to be aware of it's kind of that eerie feeling that someone's been listening to my conversations because i was just talking about x and now here's an ad for x that pops up on my newsfeed i could go full bore um well jason and i could probably go uh full bore conspiracy theorist on on some of it you know uh yes there's definitely the this this congruence between all the different platforms and the marketing systems you know it it used to be you had two minutes and 20 seconds in the middle of a tv show and now it's based off of activity that you're going after you know i i don't want to i don't want to derail the conversation but i personally believe that one of the one of the risk factors that is not really well understood is based off of behaviors and and purchasing histories social media has the opportunity to have an an opinion influence if that makes sense right so it's almost like a this reinforcement wheel because i did this thing i get reinforced for doing that thing which makes me do that thing again right well and it is somewhat related to um another question that was posed it says on the news we hear about foreign groups creating accounts to spread misinformation how do you know that information that you may see on the social media sites is a reliable source uh you know that's a hot topic right now it's in the news it's been very politicized uh even yesterday or the day before there was a lot of uh debate about certain social media companies closing accounts shutting them down putting them in social media timeout for posting various stories quite honestly i'm not sure that there's a really good answer on a reliable source but i'd really like to hear jason's take you know groups that do create accounts to spread in for misinformation uh what's the end goal there and is there a way to protect ourselves except be rational yeah no you you're absolutely right i mean you know it was a big hot topic during the 2016 election and it's going to be another big hot topic now about foreign groups trying to influence our elections through this information um you know you have to look at where you're getting your information from uh what news agency uh you choose to to follow um nowadays can even be uh you really have to dig down and figure out what uh reliable source for your own self on that if you're getting yours your you know the vast amount of your news from social media you know that's you know if it's on the internet it's got to be true right so that's a lot of times it's so easy for people to pick up a false news story and hit the old share button and now it's you broadcast it to your 500 people in your friends list half of those people share it now you've got this exponential spread of information through social media it may or may not be true there's not uh you know some of our social media sites are trying to do some uh like facts checking and stuff like that and post caveats with the information that's getting spread um but you really just have to take take any information you get off of internet you know a non-reliable uh source um and vet it yourself or try to get it back to its original source and its news agency because it's definitely out there and happening whether it's coming from foreign sources or from right-wing left-wing groups right now everything is getting politicized and you just have to you just have to be careful and do your own vigilance yeah yeah i think uh self-education is probably the best protection there uh you know evaluate it yourself use some common sense and some basic logic and look at a variety of sources because you know it's it's very very difficult to determine what's accurate and what's not i want to make sure we get to this next question someone said i'm using a password app to keep up with all the passwords i have for what seems like everything on the planet are these password apps safe to use and if so which ones might you recommend jeremy you want to take this well not only not only are the good ones safe to use i would encourage people to use them because there is just a as they allude to i mean i i think i'm up to 462 different account credentials or something ridiculous right and some of those password managers have the capability to to do dark web searches on your behalf to see if your account credentials are part of a previous compromise right so there are some really uh there's some really good ones out there i'd be very hesitant to recommend anyone in particular just because there's such a diversity of them but but i would say that things like you know impasse for the osx platform or um or something like a lastpass or or something like that would be a good place to start you know do your diligence look at the features that it that they have and the cost for you and your organization right because it can really have a positive impact on your risk profile yeah the password apps are far better than writing things down and you know if you went around a lot of office buildings around here you and picked up keyboards you'd probably find a lot of yellow sticky notes with a bunch of chicken scratch on it that's a password hint of somehow it's important though to check you know your company's business's policy on storing passwords um but being real about it you know if you have 400 passwords how you possibly and everything changes all the time how are you possibly ever going to keep up with that without having a reminder or writing it down or storing it somewhere you know are you better off people are going to write them down because they're paying to reset when you have to reset them and forget the password and so people don't want to do that so creatures you know human beings being what they are um they're going to write them down on a post-it note they're going to store them in the past they're storing them in a spreadsheet somewhere or a note section on a phone people are doing that but that you know having a password app is far better than than any of those type of habits so you know if you're a small business i would encourage you to at least evaluate your policy on that if you don't allow it just know that your your your uh employees they're remembering those passwords somehow um so might as well have it in a secure space instead of in a post-it note so a follow-up question from that is this we want to use a password app to protect all of our passwords however if that password app gets breached they not only have one they have all of our passwords what do you tell someone that has that concern is that just part of life these days so that is an it's an excellent question right and it's very realistic i i would answer that question with with a couple of responses the first of which is make sure that you are using a passphrase right don't use you know balloons 18 is your password use you know i don't know a shakespeare your favorite shakespeare quote you know it's a full sentence including you know periods and spaces and the whole nine yards right you're talking about password for the password app yes absolutely correct absolutely and what i can what i can tell you is that if your master password and your biometric thumb print gets compromised and someone gets access into your password database having a database of those passwords is going to dramatically shorten your time to reset all 462 passwords right you have all the information you can get ahead of them anybody else want to weigh in on passport apps the pros and the cons you know to jason's point earlier um on what we kind of term ethical hacking engagements right risk penetration testing type stuff we are we are regularly seeing these passwords underneath keyboards i would much rather from from the bad guys perspective right i would much rather you guys not use a password manager it just makes my life so much easier to break into your accounts interesting what about two-factor authentication is that something i should set up within my business if it's appropriate yeah absolutely um you know there of course there's a bit of a cost associated with that but you know it again it turns that multi-factor and and help me out here guys if i don't do a good job of explaining this two-factor multi-factor authentication is something you know right and something you have or something that you are a username and a password are not two different factors those are that's your account that's one factor right and you need a thumbprint or a face id or a you know a super special code or a little code generator doodad thing on your phone like a duo or a microsoft authenticator you know that multi multiple factors if i get a pop-up on my phone that's registered that says someone's trying to log into my email account i have the option of saying yes i approve it because it's me or cancel that so even if the bad guy has broken into my password manager and stolen my password and logged into my email when that second factor comes up and says hey was this you you get the opportunity to say no it was not me okay um i wanted to add i wanted jeremy or jason or someone to respond to um data breaches that are occurring in the cloud because i know it's a high number of cloud data breaches and i have a lot of business owners that think their information is secure because it's um saved in the cloud yeah so you know there's a big move to the cloud right now because it's cost effective it's cheaper it can be easier to manage it all boils down to what are the terms and conditions that you've set up with that cloud provider who holds the keys to your data are you allowing it to be stored in an unencrypted format on that cloud drive who has the encryption keys is the cloud provider or are you the only one that maintains that encryption key uh to your data that's sitting out on the cloud um who's i mean you're putting your data in the hands you're trusting them to people that you've never met data center owners and providers depending on who you choose so it's all in how it's set up in your terms and conditions and what level of encryption and who holds those encryption keys um it can be safe but you know any data that's sitting out on a cloud drive somewhere is there's always risks with it but if you've got your data sitting out there and you've got your terms and conditions set up appropriately you're the only one that can read the data with your encryption keys um you know you can be you can be safer than not and i'm sure jeremy has something to add to that as well yeah i think that's a great kind of description of of what we're talking about you know from from a cloud perspective and you make a great point it's not that cloud is more or less risky than not cloud right it's the risks are different and you need to think about them and understand them you know and back to the uh back to the liability piece he's talking about the terms and conditions that liability piece can really make or break you know a security the result of a security incident right and then on top of all that kind of tying it together if we talk about you know the insurance policy the cyber insurance that you've got in place there are provisions in there that that may or may not cover those so you need to think about those types of things you know you need to think about what um what is my liability what's my residual liability if you will left over if this type of event happens yeah who's going to be responsible if the data does get reached the cloud provider who's going to pay for it who's going to be the who's the liability on and that all boils down to your terms in your agreement yeah well and there there was a question too and i can answer this one the question is is there a risk in running out of date software on my phone or my computer uh even i know that yes keep your software updated on all of your devices jennifer i'm going to ask you about this because this kind of goes into the risk assessment area someone asked what particular devices are at risk is it everything you know for years we've heard your iphone is safe is it really and someone said why would anyone want to see the grocery list from my wi-fi enabled refrigerator i would say from from my standpoint we see claims associated with with every type of electronic device so if it's something that can be then it's a possibility and you may have a grocery list on there then you may also have something else associated with that that gives hackers information into obtaining passwords to get into information that is then sensitive information then as an employee that falls back on your company and as a company you know it's your responsibility yeah it gets complicated um we're about to run out of time this morning uh i want to make sure that we at least mention this subject because someone asked about online platforms being used for school work you know more and more students right now are doing virtual school um i think a lot of the principles and suggestions that you have all talked about this morning apply to using your devices for school work as well does anyone have any particular pointers or precautions on um you know doing school work online make your kids use the chromebooks that the school is giving them i know here in fayetteville every um every school is providing a chromebook or an ipad um that the students can take home and do their work on that so you know i have a teenage son he wants to use my computer but i have to go no if you've got your own so i know from i don't know how the rest of the state s handling that though you know go ahead but i just say once again you know there's no uh no replacement for just you know being a parent in that situation i have three kids here in fayetteville schools and yes they all got sent home with a chromebook and they are able to um you know they're having zoom meetings and stuff like that and you know there's just a whole host of risks there that are it's just it's it's like i said earlier it's different risk now we're talking about you know a chat function and kids you know a lot of times people kids everyone tend to feel more invincible when they're chatting online versus you know stuff that you would never say to my face that you're willing to type it in a chat to me or hey meet me on this app um and they're all going over to some app to chat about you know who knows what um i know if you know my kids use all these these apps because you know their friends are on it and right now it's kind of hard to have any kind of social interaction with your friends so it's really hard it's a balance once again of uh you know what they're allowed to do but versus their own needing that socialization with the kids and just i i've sat down with my kids you know as we went into this and it's like look you know come talk to me about it you know i won't have the answers but if something doesn't seem right just come talk to me about it and in a couple of instances they've come and talked to me about stuff that this doesn't just this just didn't seem right so we kind of talked our way through it and you know once again whether it's business educating users or uh educating your kids of how that looks and what we should be doing and developing an atmosphere where they feel like they can come and hey this doesn't seem right or somebody said this or or you know can you help me handle this situation developing that atmosphere where they feel comfortable coming to you good advice uh finally and and perhaps most importantly before we close uh what do we do if we think we've been a victim of a data breach what's our checklist of who to contact first you know i would say probably you know if you know if it's business contacting your your whoever handles your info your information technology um and then uh going from there and trying to isolate the device and working with them not trying to hide it if you open the link and something starts happening you just get this really weird feeling uh trust me they would much rather you call and say hey i've clicked on this link i don't know what to do then you know hours later after lots of damage has been done they call you and say what did you do you know a huge difference in that and the sooner the better right it's better to do it immediately instead of working a half a day and entering a bunch more keystrokes and getting into more programs and then thinking about it sure do it right then yeah those viruses have a way of propagating through the network uh pretty quickly so the faster the better that they can get on that damage so as soon as you have that oops moment stop what you're doing and notify someone you know if you decide you want to work with law enforcement and turn it over to that we have um go to www.ic3 so the letter i the letter c the number 3.gov that's our federal way of inputting uh those types of things you know if you have a hacking type incident you can always call our office and uh and and talk to us about it and we can kind of help direct you to the right place or take the report over the phone as well uh and then we'll find it that way okay um can i add something here real quick as please do um on you know kind of getting out of the immediate um emergency response and forensics piece of it but down the road you know you do have i would say make sure that you have an understanding of what your legal obligations are um one of the things i generally see with people is i have clients who are they're understandably freaked out about what they have to do and they think they're going to get in trouble and so they're not always up front with the entirety of the situation and what that ends up doing is it's like peeling back onion layers and it ends up being more costly so i would say you know nine times out of ten you haven't done anything wrong the only thing you can get in trouble for as far as penalties down the road is if you don't respond in an appropriate manner and so i would just make sure that you you know have an understanding of what your obligations are um you know and don't be afraid to who if you're doing it yourself if you're doing it you know with partners whether that be you know lawyers consultants whoever um you know don't don't bury your head in the sand um because it is a pretty broad landscape um privacy laws are driven down to the single individual and they're driven by the residency of the individual not where your company is organized or um located so it is going to be a bit of a broad scope in terms of the cleanup that you have to do and so um just don't don't be afraid to just take the steps just face it head on it will be fine good thank you so much hey i want to thank all of our panelists again today for sharing their expertise the fbi hatcher agency adafio mitchell williams law firm if we did not get to your question today that you may have submitted either before or during this presentation we will be sending an email with the recording of today's program a list of additional resources as well as answers to those questions that we may not have been able to answer today i want to thank all of you again from the better business bureau of arkansas and our bbb education foundation from joining us and with that thank you again for being with us remember go to bbb.org for the latest information and for answers to the questions you may have and i hope everyone has a good rest of the day thank you very much