I did not lose on Jeopardy!

The Final Jeopardy category is “Cybersecurity.”

The answer: “The reason why it was not Jeopardy! Clue Crew member assistant director Sarah Whitcomb Foss trying to sell me a PS5 over Twitter.”

The question: “What is her account was hacked?”

For anyone who followed my PS5 saga from yesterday, here’s the resolution. 

If you need to catch up, you can do so here.

I’m quite happy I wagered big on my cyber fraud Spidey sense. 

I lost on Jeopardy! A cybersecurity lesson on phishing scams

It started innocently enough, with a tweet: "Please share your best strategies for finding a PS5 before Christmas that do not involve me sleeping outside of a store or paying through the nose on eBay. Thanks."

Almost too coincidentally, a few minutes later I saw this tweet from Sarah Whitcomb Foss, a member of the Jeopardy! Clue Crew and one of the show's assistant directors: "Hello Twitter family! I am proud to announce that I have partnered with #Sony to supply you guys with some brand new #PS5 consoles for retail pricing! Just RT and like this and send me a DM if you need help!"

With my curiosity piqued (and her Twitter account blue-checkmark verified and looking legitimate), I followed her instructions by retweeting and liking her tweet, and sending her this DM: "Looking to purchase a PS5. Is this legit?"

Now is as good a time as ever for a cybersecurity refresher

In light of the recent crippling Russian cyber-attacks on Colonial Pipeline and JBS, now is a perfect time for a refresher course on cybersecurity.

Here are some A+ resources I've previously provided:

I’m not in Kansas anymore … or ever (an unemployment fraud story)

What's wrong with this photo?

Is your business prepared for a cyber attack? (probably not, but I can help.)

I’d like to share three scary cybersecurity statistics with you.

1. 60 percent of small businesses fail within 6 months of a cyber attack.
2. 72 percent of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as other than highly effective.
3. 90 percent of data breaches are caused by human error.

These numbers mean that most of you reading this post work for a company that is not doing nearly enough to mitigate your cyber-risk. Coupled with the truth that data breaches are a when issue, and not an if issue, these numbers also mean that everyone’s data is way too exposed, and no matter what you are currently doing in this space, everyone can do more.

Meyers Roman is here to help.

Does an employer have a duty to protect the personal information of its employees? (Part 3)

Employees trust their employers with a whole bunch of personal information. Social security numbers, medical documents, insurance records, birth dates, criminal records, credit reports, family information, etc. And it’s not like employees have a choice over whether to disclose and entrust this information to their employer. These documents are all necessary if employees want to get hired, get paid, and obtain health insurance and other benefits. Thus, an employer’s personnel records are a treasure trove of PII (personally identifiable information — any data that could potentially identify a specific individual, which can be used to distinguish one person from another and de-anonymizing otherwise anonymous data).

For this reason, cyber-criminals target myriad businesses in an attempt to steal (and then sell on the dark web) this data.

If a company is hacked, and employees’ PII or other data is stolen, is their employer liable to its employees for any damages caused by the data breach?

Should you pay if your business is attacked by ransomware?

Cleveland Hopkins Airport flight information boards have been out of service since last Monday (story here). Yesterday, after paying contractors more than $750,000 to restore them, the City finally acknowledged the cause—a ransomware attack.

Ransomware is malicious software that locks and encrypts a victim’s computer data. The criminal then demands a ransom to restore access, usually within a set amount of time. If the ransom is not paid, the data is destroyed.

What a morning at the BMV teaches about cybersecurity

I spent way too much of my Saturday morning at the local Bureau of Motor Vehicles (aka the Walmart of government agencies). "Why," you ask? Because my plates were on the verge of expiring, and I had forgotten to take advantage of the much preferable online registration process.

So there I found myself at 10 a.m. Saturday morning, waiting in line. To be fair, it was the "express" line, designated for license renewals only. My experience, however, was less than express, thanks to the patron two spots ahead of me in line.

FINRA's new "Best Practices" for Cybersecurity is MUST reading for any employer

The Financial Industry Regulatory Authority (FINRA) recently issued its Report on Selected Cybersecurity Practices – 2018 [pdf].

The Report identifies five common cybersecurity risks and outlines recommended practices for each:

• Branch controls
• Phishing attacks
• Insider threats
• Penetration testing
• Mobile devices 

While FINRA only regulates securities firms, the five topics its Report covers should be required reading for any employer that wants to understand how to implement cybersecurity best practices.

Make your business cyber-aware for National Cybersecurity Awareness Month

October is National Cybersecurity Awareness Month.

Let's see how good your cyber-awareness is.

Do you know the top method of cyber-attack?

Ohio's new cybersecurity safe harbor for businesses means the time for cybersecurity compliance is NOW

Do you know that the average total cost of a data breach to a business is $3.86 million?

This is a 6.4% increase over the past year.

For companies doing business in Ohio, some relief is on the way.

Does an employer have a duty to protect the personal information of its employees?

Consider the following scenario.

An employer discovers that an employee who worked in its information technology department had been stealing older laptop computers. Some of those computers had been used in the employer's human resources department and contained former employees' personal information (including social security numbers and drivers' license numbers), which the company collected on each employee at the time of hire.

Ohio lawmakers consider safe harbor for cybersecurity compliance

If the Equifax data breach hasn’t scared your company into cybersecurity compliance, Ohio lawmakers are considering dangling you a compliance carrot.

Senate Bill 220 [pdf], introduced earlier this month, would provide business a cybersecurity ‘safe harbor’ in exchange for compliance with the NIST Cybersecurity Framework (or other similar standard).

It’s coming from INSIDE THE HOUSE: 12 steps for your employees to become cyber-aware

Do you remember the movie When a Stranger Calls?

The movie opens with a babysitter receiving a telephone call from a man who asks, “Have you checked the children?” She dismisses the call as a practical joke, but as they continue, and become more frequent and threatening, she becomes frightened and calls the police. Ultimately, she receives a return call from the police, telling her that the calls are coming from inside the house.

(Cue ominous music)

October is National Cyber Security Awareness Month. And, according to one recent study, employee negligence or other error is the cause of 41 percent of all data breaches. Your data breaches are coming from inside your house. The question is what are you going to do about it.

WannaCry? Then ignore cybersecurity

Friday, the largest cyber-attack in history hit 150 different countries. The ransomware, known as WannaCry, infects via a link in a malicious email, encrypts the local files, and spreads to other computers. It then demands a ransom of $300 in bitcoin for the unlock key. 

What can, should, and must you do, immediately, to protect your business? For starters, ensure that all computers are patched to the latest Windows update (Mac computers are unaffected). 

10 key elements of any data security policy to safeguard your company

Yesterday, I told you that small businesses (less than 250 employees) suffered 31 percent of last year’s cyberattacks. What can you do to best protect your business (of any size) to repel an attack? Let me introduce you to the Data Security Policy, an essential component of any employee handbook now, and likely forever.

What should an effective Data Security Policy contain? Consider 1) consulting with a knowledgeable cybersecurity attorney; and 2) including these 10 components (c/o me, Travelers, and the U.S. Small Business Association):

If you think your small business isn’t at risk for cybercrime, think again

If you’ve ever spoken or though the words, “We’re too small to worry about a cyberattack,” you’d better think again.

According to a recent study, 31 percent of all cyberattacks in 2016 were directed at companies with less than 250 employees.

Do I now have your attention? 

Make password security a priority for your employees in 2017

Do you know the top 10 passwords used to “secure” enterprise-connected devices in 2016? Sadly and unsurprisingly, here they are, along with how long it would take it would take a computer to crack each (and hack into said device and network):

A not-so-subtle reminder about the need for cybersecurity training

I feel like I’ve written a lot lately about the need for cybersecurity training for employees (for example, here, here, and here). Yet, as long as employees keep opening unknown emails and clicking on strange links, we need reminders of why this training is necessary. And, just this past week, the Cleveland Metropolitan School District offered a great teachable moment.

The newest threat to your cybersecurity? Your lunchroom appliances

Dinner is always a bit of cluster in my house. We are a home of two working parents, and, with music lessons and band rehearsals three nights a week, it seems that we are always scrambling for our evening meal. More often than not, we end up eating out, which is neither good for our wallets nor our waistlines.