Airports are often in the news for flight delays, long lines, and unruly passengers, not for cybersecurity incidents. When hacks and data breaches occur, they often have a big impact and affect many passengers.

How are facilities that move hundreds of millions of individuals from location to location protecting the precious data provided by passengers?

97% of global airports have security issues

In a study of the 100 largest airports in the world, ImmuniWeb found that 97 have major issues ranging from vulnerabilities in applications to exposure on the Dark Web. Testing using freely available online tools like SSL security and mobile application tests shows that these large airports are vulnerable and can be exploited by a novice hacker.

Foreign airports are taking security seriously

While ransomware and other cybersecurity issues have taken municipalities, schools, and hospitals by storm, many international airports have worked diligently to create an environment of cybersecurity. Israel’s Airports Authority blocks more than 3 million attempted system breaches each day and has created a security operation center (SOC) to help combat the issues.

U.S.-based airports are susceptible to incidents

Over the past year, U.S. airports have faced cybersecurity incidents, including a hack of the U.S. Customs system. In August, a nationwide outage that impacted the processing of international travelers was linked to a cyberattack, but an attack was never confirmed by the agency. The outage delayed flights and caused long wait times at security checkpoints around the country.

Atlanta’s Hartsfield-Jackson International Airport took a proactive approach when the city was embroiled in a ransomware attack in 2018, shutting off the public Wi-Fi to prevent the spread of malicious software. The busiest airport in the world in terms of passenger traffic, Hartsfield-Jackson International Airport’s staff took the precaution to protect its data.

Both instances show how a cyber attack, or just the threat of an attack, can impact domestic airports and government agencies.

Note: Each month, the security experts at Archetype SC chime in on trending stories in cybersecurity to help you stay in the know about how to stay safe in your business and in your daily life. For more updates on cybersecurity news as it happens, follow us on LinkedIn, Facebook or Twitter.

Data gathered by ImmuniWeb shows that 97 of the world’s 100 largest airports have security risks present in their operations. Risks include vulnerable applications, misconfigured cloud environments, dark web exposure, and code leaks.

100% of mobile applications in use by the 100 airports have at least two vulnerabilities and contain at least five external software frameworks. 87% of the airports have data leaks on public cloud repositories.

ImmuniWeb’s founder, Ilia Kolochenko, called the results “alarming.”

“Being a frequent flyer, I frankly prefer to travel via the airports that do care about their cybersecurity. Cybercriminals may well consider attacking the unwitting air hubs to conduct chain attacks of the travelers or cargo traffic, as well as aiming attacks at the airports directly to disrupt critical national infrastructure.”

The three airports that passed all of ImmuniWeb’s tests without detection of a major issue were all located in Europe.

Ransomware group installs vulnerable driver to shut down security software

Ransomware continues to be a lucrative and ever-evolving cyber attack that can cripple an organization. Though the practice of ransomware has boomed in popularity over the past half decade, the first attack came in 1989 against the healthcare industry. In current times, municipalities, schools, and hospitals are key targets for cyber criminals.

British cyber security firm Sophos recently uncovered a pair of ransomware attacks that began with the installation of a legitimate driver, which was then used to disable security measures and encrypt files without being detected or stopped. In multiple instances of the attack, the ransomware used was RobbinHood, which is generally used against high-value targets.

When informed of the vulnerability being exploited for the attack, Gigabyte, the driver creator, stated that its products were not affected and discontinued the driver.

Machines running Windows 7, Windows 8, and Windows 10 are considered vulnerable to the antivirus disabling technique.

Cloud security questioned with ‘Perfect’ Azure Stack vulnerability

Microsoft confirmed a major vulnerability from late 2019 in which its cloud security in Azure had “a perfect 10.0” flaw. Check Point, a cyber security firm that offers cloud security, targeted popular cloud-based software to find vulnerabilities, finding success in WhatsApp, TikTok, Zoom, and Microsoft.

Details of the vulnerability include the ability of any user to break cloud isolation and intercept code or manipulate programs of other users. The isolation of the cloud is what allows multiple users to safely share the same hardware.

Yaniv Balmas, head of cyber research for Check Point, told Forbes the vulnerability “undermines the concept of cloud security. You can’t prevent it, you can’t protect yourself. The only one who can is the cloud provider.”

Microsoft released a patch to fix the issue as part of a “Patch Tuesday” rollout late last year, but did not provide detail on the vulnerability beyond a three-sentence statement. Earlier this month, Microsoft released more information on the exploitability of the vulnerability.

SCARY SECURITY STAT OF THE MONTH

27.7%

Bolstering the idea that cloud environments create a false sense of security, a new report released by McAfee noted a 27.7% increase in cloud-related security incidents. The report noted, “With 65% of organizations using some form of an infrastructure-as-a-service (IaaS) model, organizations need to be aware of the risks that cloud-based options bring and ensure that security is a top priority when deploying them.”

Source: McAfee Cloud Adoption & Risk Report

There’s no doubt about it: the RSA Conference 2020 is where the world talks security. As the biggest event in cybersecurity, it attracts nearly 50,000 participants each year, including many of the biggest names in the industry.

With this year’s conference just around the corner (February 24-28, 2020) there’s a lot to be excited about.

It’s a chance to learn about cutting-edge technologies, a time to meet a wealth of new contacts, and a time to enjoy the many parties and events that happen throughout the week.

RSA really is what you make it — the choice is yours!

As a veteran attendee, here’s a few tips I’ve discovered over the years for getting the most out of the event and having a great time while you do it:


1. Be sure to pace yourself.

Attending the many sessions and keynotes throughout the week is really the bread and butter of any trip to RSA.

With more than 500 sessions and 700 vendors at RSA Conference 2020, it can be easy to get overwhelmed and burnt out quickly. So make sure to pace yourself and prioritize what will benefit you most.

No matter what your specialty is, you’re likely to find a session that will fit your exact niche or interest, but it’s also good to diversify. RSA is not only a great chance to learn from thought leaders who are pushing the envelope in your field, but it’s also a chance to get great insight into other avenues of the cybersecurity industry you may not be as familiar with.

Remember that the best connections at any conference are usually made in the hallways in between sessions, so make sure to give yourself some space between events to wander the area, browse the expo floor and meet with other attendees.


2. Make sure you take advantage of all the free stuff.

Speaking of browsing the expo floor, exploring the 700+ Vendor booths can be a great way to find out about new technologies, speak face-to-face with potential partners and to rack up plenty of fun, free swag.

But if silly (i.e. awesome) promo items aren’t your cup of tea, there’s also plenty of other great freebies to be had throughout the week.

Whether it’s free coffee and breakfast treats outside the center each morning, free food at events like RSA After Hours or complimentary drinks at events like the Expo Pub Crawl, there’s no reason not to take advantage of all the freebies RSA has to offer.

This week is also a great chance to catch up with friends in the industry for some coffee, grab lunch with your sales contacts or sit down and hash out the details of a new project with your partners over a fancy dinner.


3. The nightlife is worth the price of admission.

Going to RSA just for the conference is kind of like going to the Super Bowl just for the game (… sorry to all my fellow 49ers fans for bringing it up).

What REALLY makes the RSA Conference great for many attendees are the events and parties outside of the conference that offer a chance to get out of work mode and into fun-mode.

Getting out and talking nerdy with other cybersecurity professionals in a relaxed environment can help you create connections and further relationships that will personally and professionally pay off down the road.

The parties hosted by Cisco and BugCrowd are always huge — like a 30-minute wait to get in outside in the rain, huge — while events like the CyBEER Ops Networking and CYBERTACOS offer a fun, themed alternative.

One event I’ll definitely be attending this year is the PulseSecure RSA Party at 3rd Street Taproom, from 7-10 p.m. on Wednesday February 26. Click here to register and come introduce yourself while you’re in town (I’m the one with the mohawk.)


4. Don’t forget to go outside.

There really is no place quite like San Francisco. Whether you’re a first-timer or an RSA veteran, taking in a bit of the beauty that’s just outside the conference is a nice change of pace.

The best place to do this is nearby Yerba Buena Gardens.

Hit the doors of the Moscone Center and venture down Howard Street to find an escape of green space, gardens, public art, restaurants, and a relaxing atmosphere. Take a walk, read a book, or browse some of San Francisco’s coolest public art like the Green Glass Ship, Genesis, and Shaking Man — with free admission.

The park is open daily from 6 a.m. until 10 p.m.

In the hustle and bustle of a major conference like RSA Conference 2020, taking 15 minutes to reconnect with nature and take in the finer things in life can be just the reset you need before jumping back into the grind.


5. You should definitely check out the RSA Innovation Sandbox.

This is definitely one of the coolest events at all of RSA.

The RSA Innovation Sandbox Contest is where some of the most promising and most interesting emerging security technologies are showcased.

Now in its 15th year, the sandbox features companies innovating in the areas of data access visibility, employee security risk, and phishing attacks, among many others.

Each of the 10 finalists will present a three-minute pitch on-stage, then will have a round of questions and answers and will run a demo of the technology for a panel of judges.

Previous winners in the sandbox competition include Axonius in 2019, BigID in 2018, UnifyID in 2017, with other notable companies like Imperva and Phantom also having won the competition.

In the world of cybersecurity, antivirus is often seen as the first line of defense to prevent, detect, and remove malware from endpoints. While the job of antivirus is pretty straightforward, there are many options to serve this purpose for personal and business users.

From PC Protect to McAfee, the market is flooded with software options, but only one company is wholly created in the United States — PC Matic.

Starting in the research and development phase and moving to implementation and support, PC Matic is all-U.S. based and has been since its inception in 1999. Starting as PC Pitstop and morphing into PC Matic, the company began as a computer performance forum and found its footing in cyber threat prevention.

Today, PC Matic is used for personal computers, businesses, and in the government to provide antivirus and ransomware prevention to millions of endpoints across the globe.

What can PC Matic do?

Within its offerings, PC Matic has three consumer products and enterprise products to fit the needs of businesses. On the consumer side, PC Matic offers its flagship product, PC Matic, along with PC Magnum and Optimize.

PC Matic is the standard security product, providing malware and ransomware protection. PC Magnum helps keep private files and data from falling into the wrong hands by scanning, cleaning, and removing caches, cookies, histories, and downloads. Optimize is a new and improved version of the former PC Pitstop technology, which is designed to improve computer performance.

In its enterprise offerings, PC Matic PRO offers cloud-based endpoint security and remote management with real-time whitelisting to block unwanted and unsafe programs from working on your machines. More than 100,000 businesses trust PC Matic PRO, which has scanned over 100 million applications and PCs with its technology.

What does PC Matic PRO provide for businesses?

PC Matic PRO offers a complete solution for businesses, using whitelisting, patch management, and traditional anti-malware protection and cleaning. Its whitelist keeps businesses secure by using real-time updates to deny access to any blacklisted programs.

In extensive testing, the PC Matic PRO whitelist has produced 99.99% good file accuracy and blocks more unique and old threats than blacklists and heuristic detection. In addition, proactive whitelist technology is a strong opponent to ransomware, as it is the only solution to completely block ransomware before it can encrypt business data.

Why use PC Matic?

As an antivirus and antimalware solution, PC Matic has brought home numerous awards as a market leader, most innovative product, editor’s choice, ransomware prevention, and cyber defense awards.

In a crowded market, PC Matic has garnered excellent reviews from PC Mag, CNET.de, and PC Magazine. It has been called “an effective antivirus and system optimization tool. It did quite a good job in my malware-blocking test,” by PC Mag.

PC News Magazine said, “With PC Matic, you never have to worry about performance, speed, and maintenance of your PC ever again as it handles it all.”

The new year is just over a fortnight old. That’s plenty of time for an excess of cybersecurity issues to hit the news wire, including a major issue with Windows 10 and Server 2016 that was so severe it was found by the National Security Agency (NSA).

Multiple vulnerabilities found in Microsoft Remote Desktop Protocol (RDP)

Buried a bit behind the news of the NSA’s findings to Microsoft on issues with Windows 10 and Server 2016 were a handful of vulnerabilities that, in short, are a big deal.

Many organizations use Microsoft RDP to gain remote access into network computers, allowing individuals to work securely from any location. However, vulnerabilities in the RDP system have made things so easy for attackers that a bad egg could gain access to networks using RDP without even having to provide a login.

Imagine someone rooting around in your remote computer or network without so much as stealing your login credentials to gain access.

“An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” said the Microsoft Security Response Center.

These vulnerabilities have the potential to have a long “shelf” life due mostly to the slow nature of patch installs on servers.

IoT is Cybersecurity’s Worst Kept Secret

The explosion of the Internet of Things (IoT) devices over the past decade has created mountains of data that have the potential to drive profitability.

According to HelpNet, market-leading IoT cybersecurity solutions are driving visibility and are helping create a new type of device “registry” which has information like operating system specifics, application versions, and vulnerability remediation from the life of a device. This information can also be used to repair or replace devices before an outage causes downtime or lost revenue.

Taking data from workflows and utilization recorded by IoT devices allows enterprises to stay ahead of potential issues to maintain operational systems.

How HR Teams Can Help Mitigate Cybersecurity Challenges

Data breaches have taken cybersecurity from an IT-focused issue to a full-business issue that crosses the lines of departments. No longer is it just an IT problem to face these issues.

In fact, good cybersecurity measures begin with HR.

Your human resources department gets the first crack at getting to know a new employee once they’re added to your staff. Yes, you interviewed them and may have approved the hire, but your HR staff may have scheduled interviews, corresponded via email or phone, and will be a key cog in the onboarding process. That department will know well before you will if your new hire is a noob or has the chops to follow your cybersecurity procedures.

HR professionals can help to identify employees with bad security habits and help to mitigate potential issues with additional training.

SCARY SECURITY STAT OF THE MONTH

900 million

The number of users estimated to have been affected by the “extraordinarily serious” security flaws discovered in Windows 10 this week. And that’s not even counting the more than 200 million users still using Windows 7 and Windows 8, which could be vulnerable to all sorts of additional issues.

Source: Forbes.com

Since the very first product transaction, customer information has been a valuable commodity.

Today we understand that personal information — so much more than we ever dreamed — IS the product for sale. Everything we do and every place we go can be captured and sold.

Information is so valuable, in fact, that it is targeted each and every day by bad actors with bad intentions.

For evidence of how common compromised personal information has become, look at HaveIBeenPwned.com, which has recorded more than 9.3 billion accounts exposed in the past 6 years (2 billion in 2019 alone).

But despite the overwhelming reality of the figures we face, many continue to misunderstand the vast risk landscape and the very definition of what it means to be targeted.

Whether it’s the innumerable accounts and profiles we need to function in today’s society, the third-parties encouraging us to share our locations, create digital libraries and offer up our DNA or just the need to access free Wi-Fi and charge our devices in public places, our data is at risk all day, every day.

Some people simply succumb to the belief that defense is futile, and they likely have already been exposed, while others fumble with a lack of knowledge on how to protect themselves. But regardless of whether you choose to fight it or ignore it, the truth is that the risks are VERY real.

Perhaps nowhere are these risks more evident than for employers trying to deal with their employees’ poor habits when it comes to cybersecurity.

No matter how much time and money is dedicated to systems and software, if human behavior is ignored, the problem will not only persist, it will intensify.

Here are some of the growing number of signs that the link between individual behavior and cybersecurity is growing for 2020 and beyond:

1. More devices, more problems

The number of handheld devices — smartphones and tablets — in use has exploded.

Twelve years ago there were 120 million cell phones in use … today there are 5 billion! iPhones alone have added 2 billion devices.

Experts predict that this number will continue to grow with more than 30 billion devices to be deployed by 2025.

With this many devices, it is only natural that a huge increase in cybersecurity attacks and threats will follow.

2. False sense of security grows

There’s evidence to suggest that the growing use of handheld devices may be making individuals less vigilant about cybersecurity than in the past.

A 2019 Verizon report on cybersecurity noted the “visibility and accessibility of handheld devices are contributing to the problem” with user-friendly designs that do not encourage people to be cautious.

Because these devices are “designed to make us flow from one application to another naturally, and almost without thought” users may not be as wary of security threats as they had been with computers in the past.

3. Android and iOS are at risk

In December 2019, Google deleted seven malware-infested applications from their Play Store. The applications were pulled because they opened back doors that allowed malware to be installed from external locations.

Though they are no longer available for download, Google isn’t deleting applications already installed.

Which applications? Alarm Clock, Calculator, Magnifying Glass, Magnifier with Flashlight, Super Bright Flashlight, Free Magnifying Glass, and Super Bright LED Flashlight.

If you happen to have any of these on your devices, delete them immediately.

And don’t think iOS users are safe from this sort of exploit.

Hacker News recently reported over 1 billion malicious ad impression exploit flaws targeting Apple users.

In some cases, intrusive pop-up ads can forcefully redirect users to malicious sites. Earlier this year, a campaign allowed successful bypass of ad blockers on iOS devices and hijacked 500 million mobile user sessions in just one week.

Finally, researchers also recently found thousands of Christmas-themed applications with significant security flaws across both platforms, so if you have lingering holiday applications on your device, you should delete those as well.

4. Text messages are growing targets

In December, USA Today reported a database housing millions of SMS text messages that were left open online for an extended period of time.

According to the report “the team was able to access the text messages because the logs were completely unsecured and unencrypted.”

Just a quick reminder that your text messages aren’t safe from harm either.

5. Your home is at risk, too

Our homes now have the same risk as businesses, without experienced staff.

In December, D-Link Routers published a list of known vulnerabilities but are not fixing them.

Home Networks include all kinds of devices, applications, and connections including firewalls, antivirus software, malware scanning, printers, phones, televisions, lights, doorbells, refrigerators, thermostats, cameras, personal assistants, etc.

These Internet of Things (IoT) devices all have default settings and passwords readily available online and routinely need updates and patches.

6. Data breaches continue the rapid growth

Data breaches again dominated the news for cybersecurity in 2019, with a whopping 5,183 breaches in the past year according to MSN.

According to research from Risk Based Security, the total number of breaches was up 33% over the previous year and nearly 8 billion records were exposed in all.

There are too many to list them all, but even a small sample of these breaches serves as a stark reminder that attacks can affect businesses and organizations of all sizes:

  • Facebook recently announced 267 million Facebook accounts were compromised.
  • On Dec. 19, convenience store and gas station chain Wawa reported that all 800-plus locations were exposed to a data breach.
  • Cloud-based storage companies like Amazon Web Services and ElasticSearch repeatedly saw their names surface in stories of negligent companies in 2019, which left sensitive customer data unprotected in the open wilds of the internet.
  • 72 school districts across the U.S. representing more than 1,000 schools were breached in 2019. Schools are now second on the “most attacked” list behind cities and municipalities and just ahead of third-place, the healthcare industry — which just saw a major blow when 15 million patients had their info stolen before LifeLabs paid the ransom to retrieve them.
  • Even locally in the Myrtle Beach area, healthcare organizations including Tidelands Health and Conway Medical Center both experienced breaches announced in December.

7. Passwords remain the biggest problem

Password encryption continues to be a problem because individuals increasingly need many logins in their daily lives. Who can remember a dozen or more unique passwords?

Because of this, passwords are reused, rarely or never changed, or only slightly altered.

These passwords, which have likely been exposed by data breaches, can then be used to perform credential stuffing, an attack that gains unauthorized access to user accounts through large-scale automated login requests.
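As an added example (not part of the original article), here is a minimal detector for the credential-stuffing pattern described above: one source trying many distinct accounts in a short window with mostly failed logins. The log format, thresholds, addresses, and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) auth log format:
#   <UTC timestamp> login src=<ip> user=<name> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>ok|fail)$"
)

# Constructed sample data using documentation-only IP ranges.
SAMPLE_LOG = """\
2020-01-15T10:00:00Z login src=198.51.100.20 user=alice result=fail
2020-01-15T10:00:05Z login src=198.51.100.20 user=alice result=fail
2020-01-15T10:00:12Z login src=198.51.100.20 user=alice result=ok
2020-01-15T10:01:00Z login src=203.0.113.7 user=bob result=fail
2020-01-15T10:01:02Z login src=203.0.113.7 user=carol result=fail
2020-01-15T10:01:04Z login src=203.0.113.7 user=dave result=fail
2020-01-15T10:01:06Z login src=203.0.113.7 user=erin result=fail
2020-01-15T10:01:08Z login src=203.0.113.7 user=frank result=ok
2020-01-15T10:01:10Z login src=203.0.113.7 user=grace result=fail
2020-01-15T10:01:12Z login src=203.0.113.7 user=heidi result=fail
2020-01-15T10:01:14Z login src=203.0.113.7 user=ivan result=fail
2020-01-15T10:02:00Z login src=192.0.2.50 user=judy result=ok
2020-01-15T10:02:05Z login src=192.0.2.50 user=ken result=ok
2020-01-15T10:02:10Z login src=192.0.2.50 user=lena result=ok
2020-01-15T10:02:15Z login src=192.0.2.50 user=mike result=ok
2020-01-15T10:02:20Z login src=192.0.2.50 user=nina result=ok
""".splitlines()


def parse(lines):
    """Return time-sorted (timestamp, src, user, succeeded) tuples.

    Lines that do not match the expected format are skipped.
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "ok"))
    return sorted(events)


def detect_stuffing(events, window=timedelta(seconds=60),
                    min_users=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts, mostly unsuccessfully.

    A single user mistyping a password (one account) or a shared office
    address (many accounts, few failures) does not meet both thresholds.
    For each flagged source, the widest matching window is reported along
    with accounts that logged in successfully during it; those accounts
    are the ones to lock and reset first.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {user for _, _, user, _ in win}
            failures = sum(1 for *_, ok in win if not ok)
            if len(users) < min_users or failures / len(win) < min_fail_ratio:
                continue
            best = findings.get(src)
            if best is None or len(users) > best["distinct_users"]:
                findings[src] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": failures,
                    "compromised": sorted(u for _, _, u, ok in win if ok),
                }
    return findings


if __name__ == "__main__":
    for src, info in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(src, info)
```

Per-source thresholds miss attacks spread across many addresses, so in practice the same counting is also applied per user agent, per network range, or globally against the normal failure baseline.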

Microsoft reported that in the first three months of 2019 they found 44 million accounts reusing passwords found in breaches. In fact, 72% of consumers admit to recycling passwords up to 4 times.

According to the report, 90% of attacks start with individuals. Of those, 94% come from e-mail, and 45% from Microsoft Office attachments.

This fraudulent account takeover is responsible for millions of dollars stolen due to wire transfer account changes.

We have seen this at all levels, from public/private project owners to general contractors to subcontractors to employees and even human resources.

8. Antivirus protection is not enough

Only half of all malware is caught by antivirus software, according to 2019 reports. This is dramatically lower than the historical success of 67%.

Advances in attacks coupled with the volume of devices and applications are outpacing application defenses, which means just having antivirus software installed on your computer is no longer enough to mitigate your individual risk.

9. Biometrics is not the solution

If you think facial recognition or fingerprints is the solution, think again.

The Verge published an article recently reporting that security company Suprema fell victim to a hack exposing the fingerprints of over one million people.

Biometrics is a growing technology that can be effective on many levels, but when individual behavior in cybersecurity isn’t a focus, even the most high-tech companies can fall victim to breaches.

10. Things might get weird in 2020

A December ZDNet article warns about AI-powered deepfakes, as well as ongoing ransomware, IoT, and 5G as examples of how risks will continue to grow stranger and more diverse in the coming year.

Renowned tech analyst Forrester predicts deepfakes — which take a person in an existing image or video and replace them with someone else’s likeness — could cost $250 million next year.

This risk comes not only through direct damage to individuals and brands but also in a toolkit for phishing gangs.

“AI tools are already available and in use faking the voice of company officers/executives, directing employees to fraudulently move funds,” the article states. “5G will serve to spread the disease and risk faster.”

So, what does all this mean for businesses?

If your focus is solely on systems, you are missing out on the fact that cybersecurity and individual behavior is as big a problem, if not bigger.

Your employees, your subcontractors, your suppliers (and their employees), are as much a threat to your business as unpatched servers.

The dollars spent securing your business data are at risk if all the users in your world are not protecting themselves.

In 2020 and beyond, cybersecurity must be viewed in much the same way as safety in the workplace was thirty years ago.

Zero tolerance must be the goal and incidents must be tracked, investigated, and remediated.

We’re moving on from 2019 and are saying goodbye to a decade that saw some of the largest cyber attacks on record, the rise of the Internet of Things, and ever-expanding budgets needed to stay out front of new cybersecurity threats like ransomware.

Looking forward, the year 2020 and the decade it kicks off sees the world of cybersecurity in a period of transition. As security incidents, breaches, and hacks garner more attention around the globe, awareness of cyber crime is at an all-time high. Businesses, governments, and other enterprises are beginning to ask the right questions about cybersecurity to begin proactive defense, rather than reacting after a security incident occurs close to home.

Kicking off the Year of the Rat, we anticipate that the cybersecurity world will still have to battle with ransomware, data privacy will become a much larger issue in the U.S., and data breaches will rock the headlines once again.

Ransomware will continue to expand

Ransomware took the world by storm in 2019, with attacks on government agencies, hospitals, colleges, and a wealth of other industries dotting the headlines. Municipalities like Albany, NY and Baltimore, Md. were hit individually, while more than 20 towns in Texas and multiple Florida cities paid out large sums, from hundreds of thousands of dollars into the millions, to regain access to their systems and data last year.

Cybercriminals won’t stray from what works, so expect even more ransomware attacks in 2020 – and not just on large-scale businesses. As governments and large enterprises begin to craft plans to prevent ransomware in their ranks, cyber criminals will begin to look at other vulnerable businesses. While the six-figure payout of a larger corporation is a great reward, there are plenty of “small fish” that are just as attractive as targets of cyber criminals.

Data privacy takes center stage

The California Consumer Privacy Act represents a radical shift in how companies deal with consumer data in the United States. With the new regulations, which go in place on New Year’s Day and will be enforced starting July 1st, companies must be more transparent with what consumer data they gather, how it is stored, and make “reasonable” efforts to maintain security measures.

Adherence to CCPA regulations will be buzzworthy early in 2020, as companies move to update privacy policies to reflect the new standards.


Traditional passwords will begin to phase out

Passwords are an easy target for hackers, mostly due to the human element. People don’t want to create multiple complex passwords using a unique combination of letters, numbers, and characters. Passwordless authentication will be the next fad in the password world, replacing multi-factor authentication as the next buzzphrase.

Passwordless authentication can be made up of a variety of things, from hardware tokens to biometric authentication. One thing is for sure with the future of passwords – removing the human element will help secure the practice.

Third-party vendors cause multiple large data breaches for major corporations

This one feels more obvious than anything, as third-party vendors have caused some of the largest data breaches in history. Year after year, major data breaches happen because of vulnerabilities introduced by third-party vendors, yet major corporations continue to do a poor job of vetting their vendors.

According to the Ponemon Institute, third-party vendors account for more than 50% of all data breaches and a breach caused by an outside entity costs twice as much as an internally sourced breach.

In 2020, taking the time to vet your vendors and factoring their cybersecurity shortcomings into your risk assessment will be critical to keeping your name from the breach headlines.

With every passing year, society becomes more and more reliant on technology and we share an increasing amount of our personal data online. Of course, this means that now more than ever you should be wary of how your data is being handled and that the need for secure networks and applications is at its peak.

As we rapidly approach the end of the year — and the decade — we’d like to take a minute and look back at a few of the big stories that have dominated the conversation in the cybersecurity industry this year. From data breaches and new privacy laws to ransomware at the local government level and supply chain attacks, here’s a look back at what made 2019 in cybersecurity such an interesting year.

1. Data breaches cause havoc

Again in 2019, a number of data breaches made news, both due to the high-profile companies they affected and the sheer number of accounts with leaked information.

According to the RiskBased Data Breach QuickView Report 2019, breaches as a whole were up 33 percent since last year, while the number of records involved in the breaches grew a staggering 112 percent to more than 7.9 billion records.

A few of the most newsworthy breaches involved companies like DoorDash, First American Financial, and Epic Games, creators of the popular Fortnite video game.

The Fortnite data breach, which occurred Jan 12, 2019, involved a flaw in the login system. It gave hackers the ability to impersonate real people, make purchases of in-game currency using someone else’s credit card information that was stored on the account, and even listen in on in-game chat conversations. Epic Games has not stated how many people were affected by the breach, but with over 200 million registered users and around 80 million users logging in each month, that’s a terrifying number of individuals that could be affected.

Also, in late February, two cybersecurity researchers happened upon one of the largest non-password protected email databases on the web.

If all that has you a bit concerned about how you may have been affected by these breaches, you can do a quick search on the Have I Been Pwned website, and you will get a list of how many times your personally identifiable information (PII) has been found online.

2. New data privacy regulations

Potentially the biggest news in security and data privacy this year was the California Consumer Privacy Act (CCPA). Though it is not set to take effect until January 1, 2020, security professionals and those throughout the technology space spent plenty of time and effort preparing for a sweeping new set of laws that affords California residents information on what personal information has been collected on them.

Much like the General Data Protection Regulation (GDPR), which was implemented by the European Union in 2018, this act will reach well beyond the confines of California and affect businesses across the U.S.

Compliance with the CCPA forces businesses with at least $25 million in annual revenue that earn more than 50% of business revenue from selling personal data to be more transparent with data collected on consumers. It also allows consumers to hold businesses accountable for their treatment of consumer information.

3. Ransomware attacks on local governments

Malware attacks are nothing new, but as ransomware attacks continue to grow, the risk of these attacks has extended to new niches and different industries.

In 2019, the poster child for the growth of this type of attack was the rise in notable incidents of ransomware being used against local government entities.

In all, there were more than 70 state and local government ransomware attacks this year affecting groups including Philadelphia Courts First Judicial District, Cleveland Hopkins International Airport and several municipalities in Florida and Georgia.

According to security giant McAfee, this type of attack saw an increase of 118% in the first quarter of 2019 alone.

One of the highest-profile ransomware attacks this year, and possibly in history, is the ransomware attack on the city of Baltimore. Affecting the city’s police surveillance cameras and utilities payment systems, and causing phone and email outages until the city found a paper-based workaround, this attack showed just how crippling a lack of cybersecurity preparation can be.

4. Supply Chain Attacks

A relatively new type of attack that has risen to the forefront of cybersecurity concerns in 2019 is the supply chain attack, which targets third-party software vendors.

To users, these attacks look like legitimate software updates from a trustworthy provider, but they are actually compromised and push out malware to users.

One of the biggest supply chain attacks is the NotPetya attack that occurred in 2017, targeting the Ukrainian government and costing the world over 10 billion dollars in total damages.

This year, two of the world’s top technology providers fell victim to supply chain attacks, with Asus and Microsoft infecting millions of customers through attacks where hackers used legitimate updates as the means of distribution.

Since 2018, experts have seen a 78% increase in this type of attack, which is scary considering there is no “quick fix” way to prevent these attacks. The only way to protect yourself is thorough vetting of your supplier network, and even then risks still exist.

5. Android Malware

This year had its fair share of attacks on our devices, including a growing number on mobile phones.

Over the past year, experts have seen a 50% increase in attacks on mobile devices — with Android users being particularly susceptible to malware and other hacks.

Due to the continued growth and huge increase in 2019, more and more hackers are using malware to try to steal banking information and login credentials, and even take over your phone.

‘Tis the season for holiday gatherings, work parties, and family obligations, making it all too easy to forget about cybersecurity.

During the hustle and bustle of the holiday season, cybercriminals are on the prowl, looking to dupe the unsuspecting masses with scams to steal personal information, financial data, and other sensitive information.

How can your organization and its employees ensure your holidays are happy and your data remains protected?

Don’t use public Wi-Fi for sensitive information

Wi-Fi connections that are public can be accessed by anyone, thus leaving those networks open for fraudsters to pillage your data. In the era of online shopping via cell phones and tablets, more personal information like names, addresses, bank accounts, and credit cards are shared without a thought of encryption or security. Don’t open your wallet to cybercriminals by using public Wi-Fi to transmit your most valuable data.

Only use verified websites

Website security is a critical component to keeping your data safe, regardless of what deal you’re hunting. Trusted websites should have “https” at the beginning of the web address and a lock image near the address bar, showing that the page is secure and encrypts all information that it is transmitting. Without encryption, your data is an open book for hackers.

Change your passwords

This might seem like the simplest activity that doesn’t hold much weight, but your login credentials open the door for cybercriminals to infiltrate a network or open accounts in your name. Even if you haven’t been breached in the past, which is unlikely, using the same login credentials across accounts is a recipe for disaster. Work to have unique passwords for all of your accounts, using software like LastPass to help create and store information. Many hacks come from credential stuffing attacks, where a hacker will use information stolen from previous breaches to try and infiltrate other accounts.

Be suspicious of email links

Yes, everyone gets thousands of emails around the holidays with promises of big sales, epic savings, and an opportunity that is too good to pass up. How often do you check to see that the sender is actually a representative of the business? Oftentimes, phishing scammers can make an email look identical to a legit one from your favorite brand, then include dummy links that lead you away from the savings and sales. Be ultra-careful to avoid falling down a phishing hole this holiday season.

We hope your holidays are a wonderful time spent with friends and family, not trying to recover accounts, change passwords, and replace compromised cards. Take an extra step in your security and enjoy the most wonderful time of the year!

The popular food delivery service, DoorDash, uncovered "unusual activity" with a third-party vendor and found that some of its user data were breached.

Outside security experts confirmed to DoorDash that nearly 5 million consumers, independent contractor drivers, and retailers who used the platform on or before April 5, 2018, were affected by the breach. Data accessed could include profile information like names, email addresses, delivery addresses, order history, phone numbers, and some password information. Additionally, the last four digits of credit cards used by consumers were exposed, but not the entire card number.

Drivers and retailers on the platform also had the last four digits of their bank account number exposed, but the information is not sufficient to make any changes to an account. Approximately 100,000 drivers also had their drivers' license numbers exposed in the breach.

DoorDash has taken steps to increase its overall security and has added additional layers of security to improve protocols around user data.

Using outside vendors within your business can open you up to different vulnerabilities that can lead to breaches and other security issues. When vetting vendors, establishing a baseline of security is a critical step to ensure your business, data, and customers are protected.

January 2020 will bring changes to data privacy and security rules for businesses operating within, or interacting with residents of, the state of California.

The California Consumer Privacy Act is the first of its kind in the U.S. It represents a sweeping set of laws that affords its residents information on what personal information has been collected on them, with whom it has been shared, how to delete it, and how to prevent the sale of such data. Compliance with the California Consumer Privacy Act will force businesses to be more transparent with data collected on consumers while simultaneously allowing consumers to hold businesses accountable for their treatment of consumer information.

What is the California Consumer Privacy Act? 

Although it’s called the California Consumer Privacy Act (CCPA), the regulations have wide-ranging impacts in the United States and beyond. Much like GDPR in the European Union impacted American companies and consumers, so too will the California Consumer Privacy Act.

To fall within the jurisdiction of the California Consumer Privacy Act, businesses must work in the state of California or collect personal information on residents of the state. Additionally, businesses must fall under one of the following criteria:

  • Have at least $25 million in annual revenue
  • Possess data on more than 50,000 consumers, households, or devices
  • Earn more than 50% of business revenue from selling personal data

Those businesses not meeting the above-listed criteria will not be largely impacted by the CCPA, but those meeting even just one of those have a lot of work to do.

The California Consumer Privacy Act is broad in scope, substance, and enforcement, covering new forms of data like internet browsing history, metadata, and IP addresses. It also redefines what a sale of data “looks” like: data does not have to be given in exchange for money, and the definition expands to include anything “valuable” to the holder of the data. Essentially, trading data for goods or services is covered under the California Consumer Privacy Act.

Companies looking to comply with the California Consumer Privacy Act will not find a wealth of information within the act itself. In fact, there is no roadmap to compliance given by the state, rather just some general ideas of what businesses will be required to do and timeframes around those actions.

What does my business need to do?

First: don’t panic.

The California Consumer Privacy Act goes into law on January 1, 2020, but you’ve got plenty of time to determine what compliance looks like for you. Six steps are recommended for immediate implementation in order to make compliance easier:

  • Update Privacy Policies
    • Much like the rush of updates and emails that came after the European Union’s GDPR regulations took effect in 2018, privacy policy updates and their accompanying notification emails will likely flood our inboxes in 2020.
    • Update your privacy policies and notices to account for the necessary additions of what personal information is collected or sold, along with providing information about opt-outs from the sale of personal data.
    • Create either a policy to specifically cover California residents to couple with current policies; or create one wholesale policy to cover all consumers.
  • Update Data Stores and Business Processes
    • Included in the California Consumer Privacy Act regulation is the requirement to maintain a data inventory to track data processing activities such as:
        • Business processes
        • Third parties with data access or transferal of data to third parties
        • Products, devices, and applications that process consumer personal data
    • The data inventory or database must track every consumer rights request.
  • Implement Procedures to Maintain Consumer Rights
    • Certain consumer rights have been guaranteed by the California Consumer Privacy Act, including the rights of access, request, notice, and knowledge about personal data gathered by businesses. Consumers will be afforded the power to see and remove:
      • personal information collected,
      • the sources from which the information is gathered,
      • the purpose for gathering the information,
      • the categories of other parties with which the data was shared, and
      • the specific personal information gathered about the consumer by the business.
    • Businesses may provide personal information to a consumer at any time but do not have to provide requested information more than twice in a 12-month time frame.
  • Update Security Measures
    • An easily overlooked regulation of the California Consumer Privacy Act is the responsibility of the business to protect personal data with “reasonable” security. For many organizations, this includes performing a risk analysis and remediating high-risk vulnerabilities to maintain a baseline of security.
  • Make Changes to Third-Party Agreements
    • Third-party data processing will need an updated contract with requirements including:
      • creation of vendor data inventories,
      • use of due diligence questionnaires,
      • providing records of the processing,
      • requiring the syncing of consumer response processes,
      • requiring onsite assessment and auditing, and
      • requiring mapping of the specific data elements shared with each third party, including designating those transfers that qualify as selling.
  • Train Employees on the New Regulations
    • At a minimum, any employee handling consumer inquiries for data collection and personal information must be informed of all requirements.
    • It is recommended that more in-depth training on the California Consumer Privacy Act occur at all businesses dealing with the new regulations.

Penalties for Non-Compliant Businesses 

Under the California Consumer Privacy Act, penalties are based upon unauthorized access incidents – be that breaches, exfiltration events, theft, or unauthorized disclosure due to poor security procedures and practices.

Fines will range from a maximum of $2,500 per violation for non-civil cases to a maximum of $7,500 for each violation in suits brought by the California Attorney General.

Intent is a critical component of each fine category, as the $2,500 fine is for non-intentional violations, while the $7,500 would be the maximum for intentional actions.

What are my next steps?

The California Consumer Privacy Act is more intensive than GDPR, requiring companies to take additional steps to ensure customer data is secure.

Most companies will need to consult with experts in data management, cyber security, and network security to ensure all aspects of the California Consumer Privacy Act are met before the regulations go into place.

The penalties and potential for embarrassment from a breach are strong and place an extraordinary amount of responsibility on businesses to keep data safe.

A partner like Archetype SC, with expertise in data, cyber security, and database management, is an excellent resource to answer questions and provide consultations on California Consumer Privacy Act compliance.

Data breaches are everywhere.

Go to your favorite news site, tune in to the national news on TV, or simply Google it – you’ll find thousands of results breaking down breaches from phishing attacks, employee negligence, or a host of other brute-force methods. Attacks are happening with more frequency and increased complexity, raising more questions than can be answered.

One of the main questions that business owners should ask is this: “Am I liable for a data breach that happens within my business, even if it’s not directly the fault of my business?”

The short and simple answer is probably, though regulations vary from state to state.

Your clients, customers, and users expect your business to protect the data they have entrusted to you, be that as basic as names and addresses or as personal as Social Security numbers and banking information. Even if a vendor you hire to work for you is at fault, your name is the overarching company of record. Remember, the Target breach of 2013 came about due to a hacker stealing credentials from a third-party vendor. Nobody remembers the name of the vendor and the fines were levied against Target for the breach. Even more recently, Capital One fell victim to a breach by a former employee of a third-party vendor.

How can I protect my business before a data breach happens?

As a business, failing to test your systems for security flaws, whether through security assessments or by having a security professional hack your network to find vulnerabilities, leaves your ‘Open’ sign on all day and night for cyber criminals who are after your most precious resource – your data. Something as simple as using the same password for multiple accounts can lead to the loss of a wealth of data and an embarrassing and expensive recovery process.

While there may not be an automatic liability for your business if a breach occurs, there are some steps that can be taken against your company if you are the subject of a data breach lawsuit.

First and foremost is negligence. Simply, what would a reasonable person or company do to lessen the chance of a data breach? Did your business take steps to shore up holes or vulnerabilities? Is your company aligned with best practices in the industry? If your company is found to be grossly under-prepared for a breach, some financial responsibility will be pinned to you.

Another avenue of finding fault for your company is in your breach response. Did your company do enough to stop the breach once it was found; did you quickly notify affected parties of the breach; did you immediately begin an investigation to find and incorporate remediation steps?

Businesses can face backlash from government agencies, heavy fines, and legal action following a breach.

For businesses that collect and store data, living with the expectation that someone is always trying to hack your systems will help maintain an edge against cyber attacks. There is no way to be totally immune from a cyber attack, but having a solid cyber security plan and incident response guidelines in place can help to reduce the impact on your business.

The role of third-party vendors

Many businesses employ third-party vendors to perform services, which increases breach risk due to the unknown element of the outsiders’ security policies and practices.

It is often a business norm for a third-party vendor to support core business functions and to have access to your data and internal systems.

While it may be the norm, it is still inherently unsafe as 63% of all data breaches can be linked to third-party access.

Using a third-party vendor may be critical to your business operations, but doing so without vetting their security posture can lead your business down a troubled path.

What steps can you take to protect your business?

A security assessment can help give you peace of mind about your business’ own security posture, and making an assessment a frequently required piece of each vendor contract you have in place will help to secure your operations from the ground up.

In many instances, a security assessment should be part of your vetting process when selecting a vendor to work with your business. When it comes to cybersecurity, there is no such thing as being too cautious.

Archetype SC’s SRVA is a great starting point to determine your current security posture, find vulnerabilities, and create a remediation plan to protect your business.

Additional steps, including employee training and security process updates, can help lessen the likelihood of an attack by educating your resources on what to look out for and the proper steps to take if they recognize a cyber attack.
