As the FBI warned, ransomware has proven to be a formidable threat costing businesses over $1 billion in 2016, averaging 4,000 attacks per day. Ransomware forces victims to choose between losing access to their files or paying a fee that can range between hundreds and thousands of dollars. Ransomware has already made headlines in the first quarter of 2017.
Last year, major incidents involving law firm data breaches brought attention to the weaknesses within law firm data security and the need for more effective plans and preparation. An American Bar Association (ABA) survey reveals that 26% of firms (with more than 500 attorneys) experienced some sort of data breach in 2016, up from 23% in 2015.
Here’s a cartoon I created to illustrate the importance of security awareness training. I hope you find it amusing.
Security experts are sounding the alarm bell as ransomware attacks continue to increase rapidly since my last post on the subject.
I recently created a new resource page — How to Make Security Training Effective. The page contains my advice for how to make security training memorable and effective in changing behavior.
Training the workforce is an essential way to protect data security, but not all training endeavors are successful. Poor training is akin to shouting into the void. This resource page is designed to provide some tips and advice about training that I’ve learned from being an educator for more than 15 years. Continue Reading
What laws require security awareness training? What topics do the laws require to be covered? What should be covered? How frequently should training be given?
I recently created a new resource page — Security Awareness Training FAQ — to answer the above questions and more. I discuss various legal and industry requirements for security awareness training. I also discuss best practices. I hope that you find this resource to be useful.
Ransomware is on a rampage! Attacks are happening with ever-increasing frequency, and ransomware is evolving and becoming more powerful.
Several major media sites, such as the New York Times, BBC, AOL, and the NFL, were recently infected with malware that directed visitors to sites attempting to install ransomware on their computers.
Ransomware has the potential to attack the Internet of Things. In one instance, a researcher was able to infect a TV with ransomware.
Ransomware is now attacking smart phones.
Last month, one hospital paid $17,000 in ransom when ransomware attacked its computer system. The computer network was down for more than a week, and patients had to be transferred to other hospitals.
I created some new training programs last year, and here are some of the highlights:
The Ransomware Attack (~5 mins)
This short program (~5 minutes) consists of an interactive cartoon vignette about malware. The program is highly interactive, and trainees engage with a scenario involving ransomware. Although this program involves ransomware, the lessons it teaches apply broadly to all malware. The program focuses on how to avoid having malware installed on one’s computer and what to do (and not to do) if this ever happens.
The Life Cycle of Personal Data (~ 15 mins)
This privacy awareness training course (~ 15 minutes) is a highly-interactive overview of privacy responsibilities and protections regarding the collection, use, and sharing of personal data. The course has 8 quiz questions. The course tracks the life cycle of personal data, starting from when it is collected or created. The course concludes with a discussion of data retention and destruction.
By Daniel J. Solove
Law firms are facing grave privacy and security risks. Although a number of firms are taking steps to address these risks, the industry as a whole needs to grasp the severity of the risk. For firms, privacy and security risks can be significantly higher than for other organizations. Incidents can be catastrophic. On a scale of 1 to 10, the risks law firms are facing are an 11.
This is not time for firms to keep calm and carry on. The proper response is to freak out.
by Daniel J. Solove
According to a recent report by Enterprise Management Associates, 56% of employees are not receiving any sort of data security awareness training.
This is a rather distressing statistic. It is particularly distressing because according to another study, “when specific employee behaviors are addressed in a meaningful way to bring about a security-aware culture, the incidence and cost of non-compliance plummets.”