What is the biggest worry in cyber security these days?
The most obvious one is the measures companies are taking to make sure there are no data breaches and ability to hack their systems. In other words, what are they doing with IT personnel or outside vendors to make sure their servers and systems are being protected from hackers. We are focusing on clients making sure they are aware of state and federal requirements to protect information.
South Florida has a lot of small and medium-sized businesses. What advice do you have for them?
Even if they don’t have a big IT department, there are certain things they can do day to day so that information on their servers is safeguarded. We all have our passwords and user IDs. How often are you updating them and changing them? What you can do are some common sense reasonable measures to make sure your passwords are updated routinely and people have access to your system only on an as-needed basis. You don’t need to have an IT person. You just need to understand your system and put barriers in place.
There is plenty of software out there that sets up firewalls and protects your system. From a legal standpoint, it’s something you want to do so someone can’t argue that you didn’t spend $80 on software that’s available at Office Depot.
Even if a small or medium business doesn’t have an IT department, there are plenty of third-party vendors that do consulting on a per diem or hourly basis. You don’t have to spend $100,000 for an IT director. You can spend a few thousand bucks to consult with an IT vendor.
Are you able to help clients find the right vendors?
We do. So much of our practice is involved in forensic analysis. If one of my clients comes to me and says, “Who would you recommend as a third party vendor?” we have a half dozen companies that we can refer them to that are competent at what they do.
What to do you need to do with vendors or business partners to make sure they aren’t an issue?
Make sure your partners” computer data and servers have protection in place. You might have them sign a disclosure form that warrants that they have taken steps to protect data on their computer systems.
What are the issues about bringing your own personal device for company work?
The first thing that needs to happen is to make sure the workers” PDAs or computers are sanitized – that they don’t have some sort of encryption that will make the system insecure. I know our clients will take the computer, laptop and PDA device and make sure it is not corrupted and doesn’t have any viruses. They will make sure it has the same firewall protection the company has. If they are not being scanned and made secure, the whole system is a house of cards.
What else is on the horizon?
One of the statutes we are dealing with is the Computer Fraud and Abuse act. It’s not about just monetary penalties, but there could be criminal liability if you were criminally negligent. If someone has done something to hack in your system, these penalties are pretty severe. Congress is trying to come up with amendments and clarifications to these statutes now. The law does require you as a company to take responsibility for your data and you can’t be lackadaisical and say it was a third party guy.
Paul O. Lopez can be reached at 954.525.7000 or firstname.lastname@example.org.