Although The Communicators Club’s October 2019 presentation is in the books, we want to continue sharing the still-relevant insight and critical information offered by that event’s guest speaker: Data security expert Cameron Shilling.
We asked Cam to address some of big questions in data security and privacy; the McLane Middleton-based lawyer also provided some easily achievable actions to protect yourself online.
His presentation greatly increased attendees’ abilities to protect their personal and/or business data from the growing threat of cyberattacks.
Question: Without getting into details, is a main thrust of your Communicators Club presentation to educate attendees to be more proactive in protecting their private data? Can the bad actors truly be kept at bay?
Answer: My goal is to inform attendees about the tangible steps they can take to protect their businesses, so that they feel this process can be accomplished (as opposed to being a confusing and daunting process). With proper security – including readily available and affordable measures – we can protect against the vast majority of bad actors.
‘We all use password managers and encrypted devices. And our home network is well protected. These are core personal-protection techniques that are not excessively costly or difficult to implement.’
CAM SHILLING
Q: Have you always been interested in data privacy and security, or is it a specialty you’ve been drawn to as your legal career progressed? Was there a particular incident or experience that galvanized your interest?
A: I have been a lawyer for 25 years, and focused on information privacy and security for the past 10-plus years (which is almost as long as the legal field has existed). I come to this from a depth of expertise in both business counseling and litigation, as well as forensic investigations in commercial litigation. Like many careers, I did not precisely plan to be an information security lawyer, but rather had the right skill set and motivation at the right time for industry growth.
Q: How have your data-privacy pursuits evolved with the ever-growing reach and sophistication of data-hacking techniques? Is it a constant learning curve?
A: Staying on the leading edge of information privacy and security is a daunting and daily task. I constantly read technical articles and legal blogs, and frequently meet and work with technology security experts.
In particular, whereas the main focus of the industry for the first eight years (2008 to 2017) was information security, the big growth and significant focus of the last three years has been information privacy — particularly because of the European General Data Privacy Regulation, or GDPR, and the California Consumer Privacy Act.
Q: As the Internet of Things grows and more household- and business-based devices are equipped to “phone home,” are there ways to take advantage of that ease of information retrieval (“Hey, Alexa”) without completely sacrificing privacy?
A: Absolutely. The best practices with respect to protecting IoT devices are to route them through a secure network (these are available for both business and residential use), and enable inherent protections on the devices themselves. We frequently help businesses and families do this, and also can connect businesses and families with the right technology consultants to do so.
Q: What’s your stance on the recent spate of ransomware exploits targeting municipalities across the nation — underscored by the widespread takedown of services in Baltimore?
A: Local and state governments are prime targets because they have relatively weak security, high-value sensitive information, and (generally) decent funding to pay ransom. Unfortunately, these entities are behind the curve with respect to information security. Local and state government needs to act rapidly, and devote the resources to conducting immediate risk assessments and starting to implement security measures that will make them less vulnerable.
Q: Are there circumstances that justify these communities’ insurers paying the ransom, or has it set a terrible precedent that ensures an escalation in attacks and ransom-payment demands?
A: Paying ransom should not be the first or only option. Entities with robust backup systems never have to pay ransom. Similarly, many entities can restore operations even without robust backups, though doing so is more costly and time consuming.
If an entity is unable to restore its critical systems, paying ransom may be unavoidable. However, entities that do so need careful counsel. Ransom is negotiable, and sometimes insurable. Care needs to be taken to ensure that paying the ransom will ensure the return of information, and that the attackers did not leave backdoors open. Anyone impacted by ransomware needs immediate counsel from experienced legal and technological experts.
Q: Is there a question (or two) you’re sure to be asked during the Q&A portion of these presentations?
A: Yes. “How much does it cost to do a comprehensive risk assessment?” and “How long does it take to do the assessment and implement the remedial measures?”
Q: Have you dealt with data-privacy threats in your family and home life?
A: I am very careful with my family’s information security. Children and the elderly are prime targets for personal identity and financial theft. I have locked every family member’s credit accounts. We all have a credit/identity restoration insurance. We all use password managers and encrypted devices. And our home network is well protected. These are core personal-protection techniques that are not excessively costly or difficult to implement.
Q: Finally: What is one thing anyone reading this post can do in the next 10 minutes to more effectively safeguard their personal and/or business data?
A: While it is impossible and inappropriate to single out one security measure, there are a few on the short list. Every business needs to implement effective multi-factor authentication for as many systems and applications as possible, including email, virtual private networks (VPNs), primary networks (e.g., network access control, or NAC), and critical on-premises and cloud-based applications.
Every individual needs to lock/freeze each of their three credit accounts, purchase credit/identity restoration insurance, and harden the defenses surrounding their home networks and personal devices.