You walk into a coffee shop or hotel that offers free public Wi-Fi with your company email, banking app, and Amazon Prime app on your cell phone or tablet. When you walk out, your bank account numbers, sensitive client documents and Amazon passwords have been picked up electronically by a shady person sitting in a corner with a digital capture device.
It’s that easy.
For businesses whose employees’ work email accounts may include attachments that contain a client’s financial or personal information, having their digital devices compromised could be especially detrimental.
According to Karen Painter Randall, founder and chair of New Jersey law firm Connell Foley’s cybersecurity and data privacy practice and director of the University of South Carolina School of Law’s Cybersecurity Legal Task Force, financial damage caused by a data breach costs companies an average of $3.9 million a year.
Cybersecurity threats can take many forms. If your business takes you to other countries, it’s not a hacker in a black hoodie you may have to be concerned about while using public Wi-Fi to access your device — it’s the government. Nations such as China and Russia control their public Wi-Fi systems, giving the governments unlimited access to data.
S.C. business leaders often travel to foreign countries on economic development trips, taking their digital devices and the valuable information they contain with them. The Federal Bureau of Investigation constantly monitors domestic and foreign techniques for infiltrating personal data.
“This is more prevalent overseas, because businesses don’t have as much guidance or restrictions on how they conduct and protect data,” said an FBI supervisory special agent in Columbia who requested her name withheld to protect her digital footprint. “In some countries, their infrastructure for cellular and wireless service is owned by the government. So they might not have any way to protect your data, because the government would have to have 24-7 access as part of that service being provided in that country.”
“You’ll see that at hotels here in the United States,” the FBI agent said. “You’ll use their Wi-Fi, you’ll be redirected to a page and you have to agree to terms, a user agreement. So the same thing could happen overseas. The very first thing you’re presented with when you connect to a network is some sort of action you do, whether that’s a check box or going to a site or loading a page.”
As soon as you connect to a network, you are vulnerable to the limitations of that network’s security. Once an entity has access to your device, a keylogging program can record every keystroke you type. Screenshots also can be captured and saved.
The law is one profession that could be vulnerable to liability claims if a client’s security is compromised. Many attorneys have access to their work email on their phones, which can include confidential client documents and communications.
“If we have sensitive information of a client and it gets out to parties who aren’t supposed to have it and then that somehow damages the client, the client then could potentially turn around and sue us for negligence or potentially malpractice,” said Charles Kinney, an attorney at Collins & Lacy in Columbia. “Under the rules of professional responsibility, you’re supposed to have a level of competence. And with the newer rules, those levels of competence also go into being technologically savvy and protecting clients’ information and your information.”
South Carolina enacted a breach notification statute that requires businesses to notify citizens and clients of a cybersecurity breach. The state also allows for a private right of action for any individual who suffers an injury as a result of the breach.
Tod Eberle, chief of the National Security & Cyber section of the U.S. Attorney’s Office, told a University of South Carolina School of Law cybersecurity webinar that the most common current sources of cyberattacks are nation-state hacking, dark net marketplaces and transnational organized crime. U.S. businesses are getting hit hard with compromised emails and ransomware, he said. Account takeovers, including theft of credentials, are common as well.
Companies need to conduct a cybersecurity evaluation and develop a protection plan, including a response plan should the system be compromised, experts advise. Data should be backed up regularly so it can easily be recovered if there is a ransomware attack. Eberle said it’s not a question of if a company’s system is breached, but when.
Individuals can take steps to protect themselves as well. Turn off the Wi-Fi setting on your phone or device. Do not give apps access to geolocation, photos, camera, microphone or other settings. Be vigilant about the apps you download.
You can also set up your own Virtual Private Network, or VPN, and connect your devices to it.
“You’re going to a service that you are aware of and is providing encryption protection for the data that you’re utilizing. You can still get on a Wi-Fi network, but the first thing that you do is you connect to your VPN,” the FBI agent said.
But even with a VPN, be aware that whatever you currently have on your device could compromise your security.
Experts also recommend having two cell phones, one for personal use and the other for professional use, and keeping personal and work information, such as email, separate. Something as seemingly innocent as a free video game can contain malware.
“There’s nothing that’s absolute for security,” the FBI agent said. “It’s a matter of different layers of defense and healthy paranoia.”