California data security experts urge action to fend off hacks, data breaches as regulatory deadline nears

"password1," "tallhotsexy": That even some attending the North Bay Cybersecurity Summit for Business in Santa Rosa on Wednesday were found to be using such passwords underscores the need for action to protect business data, say experts.

Think your company's data is safe? It might be time to think again.

That was the overriding message from a range of technology and cyber security experts Wednesday at the North Bay Business Journal's North Bay Cybersecurity Summit for Business.

iWorkGlobal Chief Technology Officer Eric Edelstein led off the morning with an energetic presentation on new statewide privacy protections set to take effect Jan. 1. He outlined the provisions of a new law, the California Consumer Privacy Act, which applies to companies that have $25 million or more in gross revenue, handle the data of 50,000 or more California residents, or derive 50% of their revenues from the sale of personal information.

He outlined how the new law makes it clear consumers' data belongs to them and said the penalties for misuse of that data can be severe, including fines in the thousands of dollars for the most egregious violations.

Edelstein said “data privacy is not an IT thing; it's a business thing.” He emphasized that data privacy “starts from the CEO and the board,” and encouraged companies to hire outside consultants to make sure they know what data they use, where it resides and how they use it.

Ryan Donham, head of the information technology department at Empire College in Santa Rosa, gave live examples of how bad actors can capture account passwords by setting up fake networks or websites. He read out a list of passwords he had captured from people in the room, whom he mercifully did not name. Those included “password1” and “tallhotsexy,” an audience favorite, based on the laughs.

He also demonstrated how phones can be hacked to turn on recording devices and cameras even when a person thinks the phone is off.

KLH Consulting Chief Information Officer Morris Williams advised companies and their leadership to be regularly and continually taking inventory of devices and software in their network and stressed the importance of long, difficult-to-guess passwords. He said knowing where the data the company uses and accesses resides is also a crucial element of any assessment.

However, training staff might be the single most important aspect of security, Morris said.

“Human error continues to be the greatest source of vulnerability,” he said.

David Trepp, a partner at BPM's IT Assurance group, adopted a somewhat ominous tone.

“The threat landscape is worsening,” Trepp said, highlighting hackers sponsored by foreign nations as well as criminals out for cash as indefatigable threats to a company's security.

He said testing a company's vulnerability to cyberattack could go a long way toward finding and fixing weaknesses. But those services can be expensive, and he advised keeping the information security budget separate from the general IT budget.

“You can't just buy a firewall out of the box and expect to operate it,” Trepp said. Much customization had to take place first. The “ongoing operation of security controls often cost a lot more than those controls in the first place,” he said.

But all is not lost, because you can buy insurance, according to Tony Guerrero of the George Petersen Insurance Agency.

Guerrero outlined the different types of coverage companies can purchase, including coverage for breaches of company data, client data among it, and for claims made by the government as a result of a breach.

“First party” insurance covers things like breaches and virus transmission, while “third party” insurance covers extortion by cybercriminals, computer fraud and other issues.

You can also purchase insurance that covers the process of notifying and mediating with clients in the case of a data breach, Guerrero said.

Wrapping up the conference, Business Journal publisher Brad Bollinger offered some takeaways: The California data act takes effect Jan. 1. Your cellphone is not off even if you think it is. Advocate for data security at your organizations.

“Make your passwords 15 characters,” he said.
