BY KEN MAMMARELLA
Special to Delaware Business Times
Protecting your enterprise from cyber-crimes doesn’t just mean protecting computers on site. It also means considering connections from employees’ homes, vendors and public Wi-Fi.
Those were a few tips from a Delaware Decision Makers panel titled “Cyber Security Threats and Solutions,” Aug. 10 at the Clarion Hotel — the Belle near New Castle.
Cyber-crimes are soaring, said James Collins, Delaware’s chief information officer, noting ransomware losses will likely hit $5 billion this year, up from $325 million in 2015.
“Cyber-crime is a major threat across all industries,” he told dozens at the networking event, representing architecture, education, government, law, retailing, marketing, nonprofits, refining, technology and wealth management. He cited an estimate that each record breached costs $225, for notification, remediation, loss of customers, business disruption, regulatory fines, legal and public relations expenses, credit care reissues and identity monitoring.
An update to Delaware law on breach notifications goes into effect next spring, said panelist Bill Denny, a Potter Anderson & Corroon partner who specializes in cybersecurity.
Delaware is becoming the 14th state to require reasonable security to protect personal information. Collins said only 31 percent of small businesses actively employ measures to fight cyber-crime.
The law expands records covered beyond Social Security numbers, driver’s licenses and credit and debit account numbers and passwords. New categories are passport numbers; logins and passwords for online accounts; medical histories and DNA profiles; health insurance policy numbers; biometric data; and taxpayer identification numbers.
Only owners or licensees of breached data must notify the people, but vendors involved will only have to notify their clients. The attorney general must be notified about breaches that affect more than 500 Delawareans. Breaches involving Social Security numbers must include free credit monitoring for a year. Loss of encrypted data won’t be considered a breach — unless the key is stolen
Panelists’ ideas to copy:
• Test workers with fake phishing emails. Sadly, the number who bite
is “never zero,” Denny said.
• The state this year bought cybercrime insurance. General liability doesn’t cover cybercrime, and “a breach can take out a small business,” Collins said. “It can be so costly that it cannot recover.” A written information security plan could halve cybercrime insurance premiums, Denny added.
• Collins likes software in the cloud or as a service so that “someone
is awake at night monitoring.”
• Panelist Jim Garrity, chief operating officer at Diamond Technologies, an IT management firm in Wilmington, has clients who wipe their devices every night.
• Query what might be hundreds of vendors about their cybersecurity. (Target’s infamous 2013 breach came through its heating and ventilating company.) Know how to remotely wipe cellphones and other devices that are lost or given to family members; never use free public Wi-Fi without knowing how to create a secure tunnel.
• Make password rules easier for humans. New federal standards are dropping the demand for all those [email protected]#$%^&*() characters and numbers and capitalization and frequent changes. The update calls for changing only after breaches and just longer pass-phrases, perhaps an easier-to-remember string of real words. “Once you get to 16 characters, they’re almost impossible to crack,” Garrity said.