cyber attacks Archives - Zasio

Adapting to Rising Cyber Threats: Lessons from New York’s Latest Regulations

Zasio — Mon, 05 Jan 2026 18:32:52 +0000

As cyber threats grow more sophisticated, businesses face mounting pressure to protect sensitive data and comply with evolving regulations. In examining New York’s response, we can identify some of the challenges in adopting rigorous information management cybersecurity policies as well as the importance of doing so.

Information Management Cyber Attacks on the Rise and Legislative Responses

Cyber-attacks have grown increasingly frequent and severe in recent years. The landscape of modern business includes rising numbers of employees working remotely and ever more reliance on e-commerce. These facts introduce more opportunities for cyber-attacks. In addition, perpetrators of these attacks have an increasing number of sophisticated tools at their disposal including AI-assisted technologies. These data breaches come with numerous consequences for businesses from reputational harm to financial losses. According to a study performed by IBM, data breaches cost companies an average of $4.9 million worldwide and nearly double that figure in the United States.

In response to these threats numerous jurisdictions across the world have introduced legislation dealing with data security. In the U.S. alone, 49 states have introduced over 800 bills dealing with cybersecurity with more than 200 of these bills going on to be adopted. In particular, New York’s amendments to its regulations regarding cyber security recently came into effect.

What do New York’s Information Management Cybersecurity Regulations Require?

New York’s 23 NYCRR Part 500 applies to entities regulated by the state’s Banking, Insurance and Financial Services laws. The latest amendments became effective on November 1 and introduced robust cybersecurity measures:

Annual risk assessments and compliance certifications
Written cybersecurity policies
Access privilege controls
Mandatory multifactor authentication for external network access
Asset inventory programs to track all information system assets
Secure disposal of nonpublic information when no longer necessary for business operations

Potential Challenges of Compliance

These requirements ensure robust security and accurate tracking of information throughout its lifecycle, safeguarding data and retaining it for the appropriate duration. To comply with these requirements, businesses must not only adopt rigorous security measures but also have knowledge of what information the business has in its systems and where it is being stored. It also requires identifying all applications and information systems that store, transfer or process information including those of third-party vendors.

Even businesses not subject to New York’s Part 500 can adopt proactive measures to achieve best information management cybersecurity practices and avoid risk. Implementing access controls such as strong passwords and multifactor authentication is critical to preventing unauthorized access. Beyond technical solutions, ensuring that employees receive adequate phishing and cybersecurity awareness training helps strengthen an organization’s first line of defense against threats. Finally, businesses must create an incident response plan to ensure business continuity and recovery if the worst-case scenario does happen.

Final Thoughts

With cyber risks increasing in number and ranging from attempts to phish individuals to advanced ransomware attacks, cybersecurity for records and information management has become a business necessity. However, these policies and procedures can be difficult to implement with existing information systems. Beyond adopting technical controls, businesses must have complete comprehension into what data it holds, where that data resides, and what applications process it. By adopting these measures businesses ensure compliance with regulations, reduced cyber risks, and greater consumer confidence in cybersecurity standards.

Disclaimer: The purpose of this post is to provide general education on information governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Adapting to Rising Cyber Threats: Lessons from New York’s Latest Regulations appeared first on Zasio.

‘Tis the Season… for a Data Breach

Zasio — Thu, 02 Dec 2021 20:04:39 +0000

The leaves are changing color and falling to the ground, pumpkin spice is on nearly every store shelf, and the air is chilly—Yes, the holidays will soon be upon us. Before you start your holiday shopping or bring out the decorations, it’s important to remember that the holidays are prime time for data breaches and cyber theft.

The Cybersecurity and Infrastructure Security Agency (CISA) defines a data breach as the “unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.”[1] Each year, many large companies experience a data breach. You may not think this could happen to you, but the truth is that every company is vulnerable to hacking. According to Risk Based Security, a cyber vulnerability intelligence, data breach, and risk ratings company, the first two quarters of 2021 had 1,767 breaches. These breaches led to approximately 18.8 billion exposed records between January and June.[2] Data breaches can become very expensive. On top of ransom demands, you also have investigation, mitigation, and legal costs. But the biggest cost often is the loss of consumer confidence or closure of the business entirely.

So why do attacks often occur during the holidays? One reason is that companies often operate with a skeleton crew making it difficult to communicate with IT staff. This leads to longer response times in an attack, which allows damage to extend much further compared to an attack during normal working hours. These attacks can come in many forms so it’s important to know what they look like in the event you come across one.

Types of Data Breaches

Here are a few of the ways hackers may gain access to your information:

Phishing Scams. Phishing happens through emails or messaging applications that appear to be legitimate and attempt to exploit your trust. Examples of phishing include:

- Email phishing is one of the more well-known cyber-attacks. Attackers impersonate brands and send emails that lead victims to click on links or download malicious content that installs malware on the victim’s device.
- Spear-phishing is a targeted attempt by a person disguised as a trusted individual, such as a friend, co-worker, or family member, to obtain sensitive information (think account credentials, money, or financial information). Attackers often target their victims by looking at the victim’s personal information available on the internet, such as social media websites. The attacker requests the victim perform an unusual task hoping the victim has enough trust to perform the task without question.
- Whaling is similar to spear-phishing except it involves supposed “senior officials” at a company. In this type of phishing, scammers imitate a senior staff member after using the company’s website to obtain names and email addresses. These emails are sent to unsuspecting subordinate staff with a request, such as transferring money or reviewing a document that contains malicious content. If you don’t typically receive emails or messages from company higher ups, this should be a red flag.

2. Ransomware. Ransomware is malicious software that targets a company’s data by blocking access to their systems. According to Fortune.com, ransomware attacks grew by 150 percent in 2020. Given this increase, Fortune.com estimates damages from cybercrimes may reach $6 trillion in 2021. The FBI and CISA have noted that hackers are increasingly deploying ransomware during holidays when offices are often closed.[3] As the hackers’ thinking goes, holiday attacks maximize damage and companies caught off guard will have little choice but to meet their demands.

- Non-secure Wi-Fi Connections. Since many companies still have employees working remotely, connecting to secure Wi-Fi is especially important. You should warn your employees about using public Wi-Fi connections where cyber criminals can intercept communications or setup up Wi-Fi connections that appear legitimate, but are fake and used to steal information. Employees should be extra diligent during the holidays when accessing their email or company systems remotely.

How to Protect Yourself

The reality is that we are all at risk of data breaches and cybersecurity issues; however, there are some things you can do to protect yourself and your consumers. Here are a few key examples:

Education. Training your employees about the importance of cybersecurity is just as important as other IT maintenance and document management protocols. Set aside some time for employee refresher courses on the importance of not opening emails, attachments, or clicking on links from unknown sources, not sending sensitive documents through personal email accounts, using secure Wi-Fi connections, and keeping track of company devices.
Investing in cybersecurity software. The return on investment could be exponential. Also, keep all software up-to-date. Software that is out-of-date may contain weaknesses in which hackers may take advantage of. Software updates and patches work to repair these vulnerabilities and protect your data.
Implement a strict password policy. Strong passwords should be used by everyone, whether you’re an employee or a consumer. Do not reuse passwords or use passwords that contain information that can be public knowledge (for example, your birthday, a pet’s name, or a child’s name). Passwords should contain a variety of characters, numbers, and upper and lowercase letters.
Use two-factor authentication, especially for remote access. Two-factor authentication provides another security layer that makes it more difficult for hackers to login and use your accounts because the hackers will need another piece of information other than your username and password. This often comes in the form of an SMS code sent to your phone or a code provided by an authenticator app.

Conclusion

Holidays are great; we all want to enjoy them. After all, who doesn’t love shopping and decorating while sipping on a hot pumpkin spiced beverage. But a data breach may put an end to your holiday spirit. Educating yourself and your employees about ways to prevent against cyber-attacks is not only the best defense against such attacks, but also the best way to and ensure peace of mind during the holidays and beyond. Contact Zasio today to explore the software and consulting solutions we offer, to address your information governance needs.

[1] Cybersecurity and Infrastructure Security Agency, National Initiative for Cybersecurity Careers and Studies, Cybersecurity Glossary, available at: https://niccs.cisa.gov/about-niccs/cybersecurity-glossary (accessed October 21, 2021).

[2] Risk Based Security. “2021 Mid Year Report.” 2021, https://pages.riskbasedsecurity.com/hubfs/Reports/2021/2021%20Mid%20Year%20Data%20Breach%20QuickView%20Report.pdf

[3] Alsever, Jennifer. “Why company hacks tend to happen over holiday weekends.”6 July 2021, https://fortune.com/2021/07/06/why-company-hacks-tend-to-happen-over-holiday-weekends/

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

Author: Heather Rice

Senior Research Analyst / Certified Paralegal

The post ‘Tis the Season… for a Data Breach appeared first on Zasio.

The Age of the Cyber Breach and the Value of Information Governance (IG)

Zasio — Fri, 19 Jul 2019 20:24:35 +0000

Companies today are maximizing the value and usability of information like never before. Unfortunately, so are cybercriminals. During the first half of 2018, more than 3.3 billion records were compromised, with malicious outsiders being a major cause.[1]

In the fight against cyber breaches, companies are at a steep disadvantage for many reasons. First, the internet was not designed with security in mind. It grew out of an experiment to send messages between researchers’ computers over a network. And its users grew so fast that the network, established on a foundation of collaboration and trust, remained a platform where its users are largely on their own to defend against cyber-attacks.

Second, cybercrime is a low cost, high reward endeavor. Cybercriminals can operate from anywhere, and with impunity in many countries that tolerate and even encourage attacks against the West. Cybercrime is a profitable enterprise with a thriving marketplace for selling exploits (vulnerabilities that allow cyber criminals’ access to connected systems) as well as stolen personal information and trade secrets. To top it all off, well-funded, government-sponsored actors have been blamed for several high profile hacks.

Third, cybersecurity is expensive, constantly evolving, and complex, especially for established companies relying on antiquated technology. Industry researchers are in a race to identify and patch vulnerabilities before cyber criminals can exploit them. In the fight against cyber breaches, every employee and connected device is a potential access point.

Legislative Response – Sanctions

Legislators around the world have addressed the increased frequency of cyber breaches, often by slapping fines on companies they deem to have done too little to prevent them. Under Europe’s General Data Protection Regulation (GDPR), the UK regulator just proposed a fine of £99 million against Marriott in response to a cyber breach it reported in November 2018. [2] The UK regulator also proposed a fine of £183.39 million against British Airways in response to a cyber breach it reported in September 2018.[3] Proposed new state privacy laws in the United States would, if passed, also increase the cost of incurring a cyber breach.

Cyber Security Efforts and the Value of Information Governance (IG)

As companies move to upgrade their systems to add levels of security to company information, their efforts will be diminished if they retain that information too long or if employees save copies of that information to unofficial locations. Cybercriminals that trick an employee into clicking on a phishing email may have an easier time accessing and removing company information from an employee’s unencrypted device than from an encrypted server. And if the cybercriminal successfully uses that employee’s credentials to access the encrypted server, the loss may be much greater if the company did not routinely dispose of unneeded information.

One tenant of good cybersecurity is good Information Governance (IG). Companies with good IG practices understand what data they have and are empowered to (1) destroy what they don’t need and (2) to protect and maximize the value of the information they do need. By identifying and destroying unneeded information (or information being kept without a legal or operational justification), companies reduce the amount of information that can be compromised. These actions also save companies money on storage and legal discovery costs and reduce legal exposure.

Good IG practices involve:

establishing internal policies for managing what information is kept, where and how it is kept, and for how long;
implementing the right technology to track, manage, and dispose of records effectively;
establishing clearly defined roles for anyone creating, storing, sharing, or disposing of information; and
establishing procedures that allow companies to meet legal and regulatory compliance by dictating how information should be managed, stored, shared, and disposed of.

Establishing and adhering to good IG practices is not easy, but it is increasing vital to the health and productivity of organizations in the age of the cyber breach.

[1] Data Breach Level Index, Gemalto (Last accessed July 16, 2019), https://breachlevelindex.com/.

[2] Statement: Intention to fine Marriott International, Inc more than £99 million under GDPR for data breach, Information Commissioner’s Office (Last accessed July 16, 2019), https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/statement-intention-to-fine-marriott-international-inc-more-than-99-million-under-gdpr-for-data-breach/.

[3] Intention to fine British Airways £183.39m under GDPR for data breach, Information Commissioner’s Office (Last accessed July 16, 2019), https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways/.

The post The Age of the Cyber Breach and the Value of Information Governance (IG) appeared first on Zasio.

Tips to Prevent Hoarding of Documents

Zasio — Mon, 18 Mar 2019 21:38:36 +0000

I recently saw a commercial for the show “Hoarders,” which depicts the real-life struggles of people who suffer from compulsive hoarding disorder. Each hour-long episode profiles two people on the verge of a personal crisis, all caused by the fact that they are unable to part with even the tiniest possessions, and the cumulative effect becomes a mountain of junk and garbage overtaking their home or apartment.

It occurred to me that organizations have a similar hoarding problem when it comes to documents, which is amplified by the number of employees who keep copies and versions regardless of what kind of archival tools or records retention program is in place. After putting hours of effort and consideration working on, let’s say, a 35-page assessment and formal proposal, you can bet that most folks tuck an extra copy away on their hard drive or a file share somewhere…and probably print out a paper copy too, just to be safe.

Employees often have hoarder’s mindset, keeping copies and versions regardless of what kind of archival tools or records retention program is in place.

Sense of Ownership

That sense of ownership and the desire to avoid reinventing the wheel makes perfect sense, but all those hoarded documents have a downside because the information can pose an unseen risk to the organization. And the liability grows when people have a “keep everything” approach to records management, especially as the volume, velocity, and variety of content that every organization must manage continues to grow and evolve in this age of Digital Transformation.

Just Keep Everything

While digital transformation may seem like it’s all about collecting more and more data, the truth is not all data is good data and there is a great deal of liability for the company when it over-retains. For example, not having visibility into what an employee saves is a cause for concern, because you don’t know what type of information is being preserved by the employee and whether or not it falls within a proper retention schedule. And if they are holding onto a record for a longer period of time than they need to – regardless of the company retention policy – that information is still subject to disclosure through discovery, or any type of compliance audit, or other types of regulatory and legal proceedings.

You Don’t Know What You Don’t Know

Information security and data loss prevention (DLP) is also a pressing matter, especially as the number of cyber incidents continues to rise. If documents are hoarded by employees, organizations lack visibility into critical facts such as what is being over-retained, where it is being stored, who has access rights, and the appropriateness of the security applied to the content. If past incidents played out before the public is any indication, the hidden information represents a treasure trove of data for hackers looking for security loopholes.

Costs and Risks

The costs and risks are substantial, including fines for over-retention of certain documents and information (e.g., personal data). There are litigation costs that come into play through e-discovery, and very real exposure in court by virtue of what you are now compelled to disclose. Additionally, the harm to the organization’s reputation, loss of public trust, and impact on current and future business opportunities cannot be discounted.

Best Practices

It’s one thing to point out a problem and another to do something about it. Here are three best practices to consider:

Communication

The first step is communication and putting records management top of mind with every employee. It is important to set the expectation that everyone will follow through with the retention schedule and preserve documents according to the records management and other related corporate policies and guidelines. It is important to review corporate policies and guidelines from different departments (e.g., information security, IT, privacy, etc.) and assure alignment to address potentially conflicting information.

Training

Next step is training; not just at the time of new employee onboarding, but continuous refreshers along the course of the employees’ time at the company. As records management is reiterated and encouraged the tendency to hoard tends to fade from the mindset of the employees as it becomes second nature in the execution of their everyday tasks.

Make it Easy

Let’s face it, if the systems and procedures to properly save and archive records are hard to use, and people are not comfortable using and trusting the system, they will simply revert back to their old hoarding habits. Make it easy by using an automated process and reducing the number of steps for employees to follow where possible.

Moving Forward

When it comes to information governance and successful adoption, the focus needs to extend beyond just the technology and account for work culture and employees’ mindset. You can change that hoarding mentality through awareness, common-sense training, and implementing systems that make it easier for employees to comply with the organization’s information governance policies and guidelines.

For more information or to see how our Versatile technology solutions and consulting services can help manage and protect your records and ensure you comply with legal retention requirements, please fill out our Contact Form.

The post Tips to Prevent Hoarding of Documents appeared first on Zasio.