As I've been writing my new book The Invisible Threat, I have been detailing examples of the need to continually assess our cybersecurity. Some years ago I looked at a case where a criminal set up an evil twin Wi-Fi router near a Starbucks and harvested the information of everyone that connected. But this story has my eyes raised!

Imagine this: Sarah, a frequent traveler, connects to what she believes is the in-flight Wi-Fi to check her emails. Unbeknownst to her, a cybercriminal a few rows behind has set up an evil twin network, mimicking the airline's legitimate Wi-Fi. As Sarah logs in, the cybercriminal intercepts her data, gaining access to her personal information inflight.

This actually happened! Earlier this month, Australian Federal Police arrested a man for executing such evil twin Wi-Fi attacks on multiple domestic flights and at airports in Adelaide, Melbourne, and Perth. The suspect allegedly created fake Wi-Fi networks, prompting passengers to log in with their email or social media credentials to harvest their logins for these accounts.

How to protect yourself!

* Avoid Logging In: Free Wi-Fi should not require email or social media logins.
* Use a VPN: Encrypts your data and secures your connection.
* Disable File Sharing: Prevent unauthorized access to your device.
* Forget Networks: Manually forget public networks after use to avoid auto-reconnections.

Stay vigilant in public places and always remember to assess your security. Nothing is ever free. Please Share this post to spread awareness! #CyberSecurity #WiFiSafety #TravelTips #DigitalSafety #TechNews

Mobile Security Best Practices
- 
                  
      
    Cyber risks do not take a vacation. We can be more vulnerable to data compromise and identity theft when we travel. You are thinking, how can this be the case? Business and pleasure travel remains strong. Many are on spring break or will be shortly. We know the risks of using public Wi-Fi at a coffee shop or hotel. Have you considered cyber risks for Wi-Fi on an airplane? This is a public network too. Airplane Wi-Fi is not encrypted. This means that for all travelers who use the airplane Wi-Fi, their web surfing, email activity/content, and passwords can be seen by others on the network. Risk concerns are: ➡️Data Interception ➡️Man-in-the-Middle Attacks ➡️Malware ➡️Packet Sniffing So, what can business and pleasure travelers do to mitigate cyber risks when they need to keep connected on an airplane? Options are: 1) VPN 2) Antivirus software on your device 3) Password Manager 4) Don’t auto-connect to public networks 5) Limit activity to non-sensitive data (avoid financial transactions) Happy Travels! #RiskManagement #Cybersecurity #DataPrivacy #Leaders Longview Leader Corporation 
- 
                  
      
    New Resources on Telehealth Privacy & Security from OCR: The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued comprehensive resources aimed at enhancing the privacy and security of Protected Health Information (PHI) in telehealth services. OCR released a guide to assist providers in educating patients about the potential risks to their PHI when using telehealth technologies. This includes discussing the types of telehealth services offered, understanding the privacy and security practices of technology vendors, and the relevance of civil rights laws in this domain. A resource titled “Telehealth Privacy and Security Tips for Patients” offers practical recommendations such as conducting appointments in private settings, using multi-factor authentication, employing encryption, and avoiding public Wi-Fi networks. As telehealth continues to reshape the healthcare landscape, it is crucial for small business owners in this sector to stay informed about these developments. Understanding and implementing these guidelines can significantly reduce cybersecurity risks and ensure the protection of patient data. I am committed to guiding small healthcare business owners through the complexities of telehealth privacy and cybersecurity. #lawyer #nurses #privacy #CybersecurityAwareness See the link to the resource in the comments. 
- 
                  
      
    A recent lawsuit filed by an Apple employee against the company highlights the risks of mishandling Bring Your Own Device (BYOD) policies. The employee claims the tech giant monitored personal devices and iCloud accounts, sparking privacy and legal concerns. It's a stark reminder that allowing personal devices at work requires a carefully crafted policy that balances company needs with employee rights. Here's how to do it right: 1. Respect Employee Privacy: Employees deserve to feel secure about their personal information. Clearly define what data the company can access and avoid overly invasive monitoring or wiping personal data unless absolutely necessary. 2. Prioritize Data Security: Ensure all devices accessing company data are equipped with encryption, strong passwords, and regular updates. Outline clear steps for reporting lost or stolen devices to minimize the risk of breaches. 3. Define Ownership: Specify what happens to company data when an employee leaves. A "remote wipe" provision can protect proprietary information while ensuring personal data is untouched. 4. Foster Awareness: Policies only work when people understand them. Train employees on the importance of safeguarding company data and their responsibilities under the policy. 5. Comply with the Law: Legal compliance is non-negotiable. Make sure your BYOD policy aligns with state and federal privacy laws and is reviewed by an employment lawyer to avoid potential lawsuits. BYOD is a win-win when done right. A well thought out policy protects your business and fosters trust—but only if you're clear up front about boundaries. 
- 
                  
      
    As we embark on exciting journeys this holiday season, let's take a few moments to consider our information security. Here are some travel tips that can improve your cybersecurity and enhance your travel experience. 💻 Before Your Trip: Before beginning your journey, take some time to make sure your devices —laptop, smartphone, and tablet— have the latest operating system updates and security patches. Devices that are updated will be resistant to exploitation attempts. Use the data encryption features that are available on most devices to prevent the exposure of information if a device is lost or stolen. 📱 Depending on your risk profile, consider traveling with alternate devices that do not contain any sensitive personal or business data. 🔒 Obtain a Virtual Private Network (VPN) subscription to maintain privacy while using public WiFi access points. It encrypts your internet connection, safeguarding your sensitive information from prying eyes. 🗺 Download map data for the cities you will visit. This will allow you to navigate without using cellular data. I also download some podcasts and videos for entertainment on the flights. This reduces the need for connecting to potentially insecure public networks. 🛫 While Traveling: Be mindful of what you share on social media. Avoid broadcasting your exact location in real-time, to reduce the risk of being targeted. 🔎 Use Bluetooth trackers to keep track of luggage and help locate items if they are lost. 📄 Protect your trip details and boarding pass. Do not post photos of your boarding pass. Threat actors could obtain your trip's record locator and your frequent flyer account number. This information can be used to change your itinerary or even cancel your flight. Digital security is as crucial as packing your bags! Stay safe and enjoy your travels! 🌍🔒 #CyberSecurity #TravelSecurity 
- 
                  
      
    No More Exceptions! Mandatory MFA in Healthcare. Cybersecurity threats targeting credential-based access have skyrocketed, and new proposed HIPAA regulations aim to make Multi-Factor Authentication (MFA) mandatory for all access to ePHI systems—with no exceptions for legacy tech. What does this mean in practice? Healthcare organizations must: ✅ Implement two-factor authentication (2FA) for all workforce members. ✅ Strengthen identity verification for technology assets interacting with ePHI. ✅ Ensure automated logging and alerts for all authentication attempts. If your organization still has systems exempt from MFA or relies on legacy tech that can’t support these requirements, now is the time to act. 🚫 Remove shared accounts. 🚫 No password reuse. 🏋♀️ Stronger access controls. Does this seem like an impossible task? Start small, now. Deepen your access reviews now. Identify gaps, document exceptions, and ensure your identity tech strategy integrates with all your healthcare IT systems. The sooner you start, the smoother the transition and the easier it is to monitor and prove you meet the requirements. How is your organization preparing for this shift? #Cybersecurity #HealthcareIT 
- 
                  
      
    7 security and governance steps I recommend for AI-powered health-tech startups to avoid hacks and fines: 1. Pick a framework -> The Health Insurance Portability and Accountability Act (HIPAA) is non-negotiable if you handle protected health information (PHI). Look at the security, privacy, and data breach notification rule requirements. -> If you want a certification (incl. addressing HIPAA requirements), HITRUST is a good place to start due to origins in healthcare. The AI security certification gives you solid controls for these types of systems. -> If you are looking to cover responsible AI as well as security/privacy, ISO 42001 is a good option. Consider adding HIPAA requirements as additional Annex A controls. 2. Publish policies Longer != better. Use prescriptive statements like "Employees must XYZ." If there are detailed steps, delegate responsibility for creating a procedure to the relevant person. Note that ISO 42001 requires an "AI Policy." 3. Classify data Focus on handling requirements rather than sensitivity. Here are the classifications I use: -> Public: self-explanatory -> Public-Personal Data: still regulated by GDPR/CCPA -> Confidential-Internal: business plans, IP, etc. -> Confidential-External: under NDA with other party -> Confidential-Personal Data: SSNs, addresses, etc. -> Confidential-PHI: regulated by HIPAA, needs BAA 4. Assign owners Every type of data - and system processing it - needs a single accountable person. Assigning names clarifies roles and responsibilities. Never accept "shared accountability." 5. Apply basic internal controls This starts with: -> Asset inventory -> Basic logging and monitoring -> Multi-factor authentication (MFA) -> Vulnerability scanning and patching -> Rate limiting on externally-facing chatbots Focus on the 20% of controls that manage 80% of risk. 6. Manage 3rd party risk This includes both vendors and open source software. Measures include: -> Check terms/conditions (do they train on your data?) 
-> Software composition analysis (SCA) -> Service level agreements (SLA) 7. Prepare for incidents If your plan to deal with an imminent or actual breach is "start a Slack channel," you're going to have a hard time. At a minimum, determine in advance: -> What starts/ends an incident and who is in charge -> Types of incidents you'll communicate about -> Timelines & methods for disclosure -> Which (if any) authorities to notify -> Root cause analysis procedure TL;DR - here are 7 basic security and governance controls for AI-powered healthcare companies: 1. Pick a framework 2. Publish policies 3. Classify data 4. Assign owners 5. Apply basic controls 6. Manage 3rd party risk 7. Prepare for incidents What else? 
- 
                  
      
    Arm PSA Certified 2024 Security Report found that security is a rising team priority. To help you better comply with security regulations, here are a few recommendations from interviewing Memfault CEO François Baldassari: 1) Implement Secure OTA Updates Ensure that your IoT device supports secure over-the-air (OTA) updates with signed firmware. This is critical for addressing vulnerabilities and complying with regulations that mandate the ability to update devices remotely. 2) Encrypt All Communications Encrypt all data transmitted to and from the IoT device. This protects against unauthorized access and is a key requirement in both the Cyber Resilience Act (CRA) in the EU and the Cyber Trust Mark in the US. 3) Maintain a Software Bill of Materials (SBOM) Keep an up-to-date record of all software components and dependencies used in your device, including their versions and known vulnerabilities. Regularly check this against a vulnerability database to ensure any issues are promptly addressed. 4) Monitor and Track Device Behavior Implement observability in your IoT devices by monitoring network traffic, IP connections, and other key metrics. This helps in detecting anomalies that could indicate security breaches or vulnerabilities. 5) Engage with Security Best Practices and Standards Stay informed and align your practices with recognized security frameworks like PSA Certified from ARM. Engage with open-source communities and leverage security-focused tools and libraries to ensure your device meets regulatory requirements. Are you and your team ready for IoT Security Compliance? Drop me a line to let me know the techniques you use to comply. - - - P.S. If you'd like to go deeper into this topic, check out my conversation with Memfault CEO François Baldassari on "Are Embedded Manufacturers Ready for IoT Security Compliance Demands" at https://lnkd.in/gcWiq9c3 or use your favorite podcast app and find "The Embedded Frontier." 
- 
                  
      
    Given the enormous breaches in 2024, HHS is stepping up their game; shifting many best practices to requirements. Here are 22 takeaways. 1. Make all specifications mandatory, with limited exceptions. 2. Require written policies, procedures, plans, and analyses for Security Rule compliance. 3. Modernize definitions and specifications to align with current technology and terminology. 4. Compliance Timelines: Introduce specific deadlines for meeting requirements. 5. Maintain a technology asset inventory and network map of ePHI movement, updated annually or with environmental changes. 6. Require detailed, written assessments including inventory reviews, threat identification, and risk level evaluation. 7. Notify entities within 24 hours of changes to ePHI access. 8. Written restoration procedures for critical systems within 72 hours. 9. Analysis of system criticality for restoration prioritization. 10. Incident response plans, reporting protocols, and regular testing. 11. Conduct annual audits to ensure Security Rule compliance. 12. Business Associate Verification - Annual verification of technical safeguards by a subject matter expert with written certification. 13. Mandate encryption of ePHI at rest and in transit, with exceptions. 14. Anti-malware, software minimization, and port disabling based on risk analysis. 15. Multi-factor authentication required. 16. Perform vulnerability scans every six months and penetration tests annually. 17. Enforce segmentation to isolate sensitive systems. 18. Require dedicated technical controls for backup and recovery. 20. Test and review security measures annually. 21. Notify covered entities of contingency plan activations within 24 hours. 22. Require plan sponsors to comply with safeguards, ensure agents follow requirements, and notify plans within 24 hours of contingency plan activation. Public comments due in 60 days. 
- 
                  
      
    Traveling & Cybersecurity: Pack Light, Stay Safe, Avoid Disaster Traveling these days isn’t just about catching flights and dodging middle seats (my personal idea of hell)—it’s about risk management. If you’ve ever had your credit card frozen overseas or connected to airport WiFi and immediately regretted it, you know what I mean. And guess what? Cybersecurity is the same game. Just like you wouldn’t stroll through a crowded market flashing wads of cash, you shouldn’t be digitally reckless either. So, let’s talk travel tips that double as cybersecurity best practices: ✈️ Pack Light – In high-risk countries, less is more. Consider a clean laptop/phone—a device with minimal data that you can wipe after your trip. The fewer digital valuables you bring, the less there is to steal. 🔐 Lock It Down – Just like you wouldn’t leave your passport lying around, secure your devices. Use strong passwords, multi-factor authentication (MFA), and encrypted backups. And for the love of cybersecurity, disable auto-connect on WiFi. 🛂 Watch Where You Swipe – ATMs and credit card skimmers are a traveler’s nightmare. Online, the equivalent is phishing and social engineering. If a website, email, or “urgent” request makes you feel a big emotion, pause before you click and verify another way. 📡 Use a VPN – Public WiFi is a hacker’s playground. Whether you’re sipping espresso in Rome or waiting on a layover, encrypt your connection before logging in. If you wouldn’t shout your banking details across an airport lounge, don’t broadcast them over open WiFi. 🕵️ Know the Local Threats – Different regions, different risks. Some countries are notorious for cyber espionage. If you’re traveling somewhere with an extra interested government, assume your devices are being monitored. (Yes, YOU!) Plan accordingly. 🔌 Charge Smart, Not Stupid – Public charging stations? Juice-jacking paradise. That two-way data transfer cable you use every day could be the reason your phone gets compromised. 
Invest in a one-way charge-only cable or, better yet, use an old-fashioned outlet plug. The price of a safe charge is a lot cheaper than getting hacked. 🚨 Have an Exit Plan – If something goes sideways—whether it’s a lost passport or a hacked account—you need a backup. Have emergency contacts, alternate logins, and a way to remotely wipe your devices if needed. At the end of the day, travel and cybersecurity both reward the prepared and punish the careless. The question isn’t if something will go wrong, but when—and whether you’re ready for it. Stay sharp. Stay safe. And please, stop using “123456” as your luggage combination (or 007). What other cyber travel tips do you have to share with others?? Let’s help one another!👇 #Cybersecurity #HumanRisk #TravelTips #SecurityFirst #Infosec 