Jon Washburn

As Chief Information Security Officer, Jon Washburn manages the firm’s information governance and security program in alignment with established national and international standards and the firm’s strategic plan. Jon acts as the firm’s “Compliance Officer” as necessary and/or required by regulatory agencies and works directly with the Chief Operating Officer and Firm Counsel to maintain a strong enterprise information governance and security posture through policy, strategy, operational processes and training programs.

Subscribe to all posts by Jon Washburn

Working from Home? Here are 12 Steps to Reduce Data Privacy and Security Risk

Businesses are instituting widespread remote work policies and procedures to facilitate social distancing and “flatten the curve.” Enterprises simultaneously need to be mindful of increased data privacy and security risks. The risks can range from pandemic-related phishing emails to increased pressure on network architecture to well-intentioned employee shortcuts. Hackers will try to take advantage of … Continue Reading

Soon, all ransomware attacks may be data breaches

By Jon Washburn and Romaine Marshall on March 18, 2020 Posted in Cyber Attack, Cyber Crime, Data Breach, Privacy, Security

As this recent article illustrates, many ransomware operators are now collecting information from victims before encrypting their data, and then threatening to release what they’ve collected – or actually releasing some of it – to increase the chance they’ll get paid. There have been many cases already where at least a portion of data has … Continue Reading

Your Security Program Must Think Beyond Malware Protection

By Jon Washburn on March 9, 2020 Posted in Cyber Attack, Security

According to Crowdstrike’s most recent Global Threat Report, in 2019 they observed that malware-free attacks – attacks where malicious files are not written to disk – outpaced malware attacks by 51% to 49%. In Malware-free attacks, the attackers leverage Tactics, Techniques and Procedures (TTPs) that are less likely to be detected by traditional anti-malware solutions. … Continue Reading

Trickbot and Emotet Financial Malware Now Attacking the Healthcare Industry

By Jon Washburn on November 25, 2019 Posted in Announcements, Cyber Attack, Cyber Crime, HIPAA, Security

In a recent Cybercrime Tactics and Techniques Report focusing on the health care industry, cybersecurity company Malwarebytes discovered a significant 82% spike in Trojan malware attacks on health care organizations in Q3 2019. Emotet and TrickBot, two especially sophisticated and dangerous forms of malware, were mostly responsible for this surge. Used primarily as ’banking Trojans” … Continue Reading

Cyber Risk Update for Construction Companies

By Tamara Boeck and Jon Washburn on November 11, 2019 Posted in Cyber Attack, Cyber Crime, Data Breach, Fraud, Privacy

Scammers are always seeking new ways to target victims for Business Email Compromise (BEC) scams, where they leverage email to try to convince you to give them credentials, send them confidential information like W2s, send them money by changing things like direct deposit instructions, or give any other data that can help them profit from … Continue Reading

Is your organization ready for global privacy regulations?

By Jon Washburn on September 18, 2019 Posted in ePrivacy, Privacy

The Internet Society’s Online Trust Alliance (OTA) released a report this week that measured 1200 U.S.-based organizations’ readiness for three major global privacy regulations: the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the United States that goes into effect January 1, 2020, and the Personal Information … Continue Reading

New tool released that may allow bad actors with almost any skill set to bypass many implementations of Two-Factor Authentication (2FA)

By Jon Washburn on January 9, 2019 Posted in Cyber Attack, Cyber Crime, Phishing, Security, Software

Until recently, hackers have had limited success stealing Two-Factor Authentication (2FA) PIN and token information. Unfortunately, a tool has been released that will now make it much easier for practically any bad actor to bypass many implementations of 2FA: https://www.zdnet.com/article/new-tool-automates-phishing-attacks-that-bypass-2fa/ This does not mean we should stop using Two-Factor Authentication (2FA). We should still use … Continue Reading

Yahoo! Breach Class Action Poised to Settle

By Jon Washburn on October 29, 2018 Posted in Data Breach, Privacy, Security, Uncategorized

The Yahoo! class action over the 2013-2014 hacks, affecting 1 billion (later updated to 3 billion) accounts, is poised to settle for $85 million – and the provision of free credit monitoring services for 200 million account holders for 2 years. While $85 million may seem like a relative bargain compared to the $350 million Verizon … Continue Reading

The Senate Commerce Committee held a second hearing on consumer data privacy, this time with privacy advocates

By Jon Washburn on October 12, 2018 Posted in ePrivacy, Events, Privacy

This past Wednesday, the Senate Commerce Committee held another hearing on consumer data privacy, this time giving voice to prominent privacy advocates. Previous testimony in September from leading technology businesses focused on concerns with the complexity of having to comply with a patchwork of different state privacy regulations, broad definitions of “personal information” in the … Continue Reading

NIST announces project to develop new Privacy Framework

By Jon Washburn on September 17, 2018 Posted in Announcements, ePrivacy

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) announced recently that it has launched a collaborative project to develop a voluntary privacy framework to help organizations manage risk. According to NIST Director Walter G. Copan, “The development of a privacy framework through an open process of stakeholder engagement is intended to … Continue Reading

When was the last time you looked at RDP access?

By Jon Washburn on August 15, 2018 Posted in Cyber Attack, Cyber Crime, Data Breach, Security

A presentation at Black Hat recently revealed that the creators of the “SamSam” ransomware have netted over $6M to date, attacking mostly medium-to-large public and private sector organizations. And they’re showing no signs of slowing down. In the most recent SamSam attacks, the attackers concentrated their efforts on brute-force hacking of weak passwords on devices accessible … Continue Reading

New threat targeting old medical imaging equipment

By Jon Washburn on April 30, 2018 Posted in Cyber Attack, Cyber Crime, HIPAA, Industrial Control Systems, Security

Health care providers and suppliers should be wary of the “Orangeworm” threat, an implementation of malware out in the wild that’s gathering information off of compromised medical equipment, especially old systems where file shares and Windows XP are still in use: https://www.zdnet.com/article/mysterious-cyber-worm-targets-medical-systems-found-on-x-ray-machines-and-mri-scanners/ While this group seems to be limiting their actions to reconnaissance and compromising … Continue Reading

List of Pending 2018 Breach Legislation

By Jon Washburn on March 19, 2018 Posted in Data Breach, Law/Regulation Update

While we have yet to see much in the way of major changes (or punishment) following the massive Equifax data breach last year, there are many changes being introduced at the state level with regard to breach notification, penalties, whether or not credit reporting agencies can charge you for freezing your credit, and consumer rights … Continue Reading

Email tracking services – are they really worth it?

By Jon Washburn on December 22, 2017 Posted in ePrivacy, Security

As illustrated in this recent article in Wired, email tracking services and their counterparts, anti-tracking services, have been rapidly gaining ground on the web; to the point that 40% of all email being sent, and 99% of the majority of the emails you receive (newsletters, marketing materials, notifications and transactional emails) are now being tracked. … Continue Reading

How does your leadership remain aware of cyber security threats?

By Jon Washburn on December 13, 2017 Posted in Cyber Attack, Industrial Control Systems, Security, Software

Some notable stats showed up in the recently-released 2017 Veracode State of Software Security report: while “nearly a third (29 percent) of survey respondents indicated that they are actively pursuing digital transformation projects [and] … a further 29 percent stated that they are either planning for or considering digital transformation projects for the future,” there … Continue Reading

The more people interact with AI, the more they like it – but that doesn’t diminish their privacy fears

By Jon Washburn on December 6, 2017 Posted in ePrivacy, EU, Software

According to a recent Genpact study: Nearly two-thirds of consumers (63%) are worried that Artificial Intelligence is going to make decisions that will impact their lives without their knowledge Less than one-third (30%) are at least “fairly comfortable” with the idea of companies using AI to access their personal data Almost three-quarters (71%) say they … Continue Reading

Funds transfer fraud in real estate transactions has seen an explosive increase this year

By Jon Washburn and Tamara Boeck on November 20, 2017 Posted in Cyber Crime, Fraud, Phishing, Security

As a firm with a large real estate practice, we are keenly aware of the risks of wire transfer fraud in real estate transactions – which has exploded from a reported $19 Million in 2016 to almost $1 Billion in 2017. Often this fraud is the result of the hacker compromising a legitimate email account … Continue Reading

Big Data is amazingly useful … and risky

By Jon Washburn on November 17, 2017 Posted in Data Breach, ePrivacy, Security

Per the Freedom of Information Act, US citizens have the right to access information from the federal government. We can visit Data.gov to search the more than 197,000 current datasets currently indexed on the site. While the intent is to leverage that data for the public good, there’s also an enormous amount of information available … Continue Reading

You may be subscribing to US-CERT … but have you heard of ICS-CERT?

By Jon Washburn on November 9, 2017 Posted in Industrial Control Systems, Security

The United States Computer Emergency Readiness team (US-CERT) operates within the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), protecting America by responding to major incidents, analyzing threats, and exchanging critical cyber security information with trusted partners around the world. You may have already signed up for the popular email alert … Continue Reading

Cyber thieves will target anything they can hold for ransom

By Jon Washburn on October 23, 2017 Posted in Cyber Attack, Security

Back in August, the Associated Press ran this article profiling how a North Carolina manufacturer has been attacked twice by cyber criminals looking to install malware and cripple the “just-in-time” nature of their operations so that they’d be willing to pay a ransom to return to production. While this manufacturer avoided paying the ransom so far, … Continue Reading

Encryption vulnerability in WiFi Protected Access II (WPA2)

By Jon Washburn on October 16, 2017 Posted in Cyber Attack, Security, Uncategorized

WPA2 is the “secure” implementation option used by the vast majority of enterprise WiFi systems – other protocols have their own security issues, which is why everyone moved to WPA2. Unfortunately, researches have found a way to break that security. The good news is, for most attacks the attacker has to be on the same access … Continue Reading

If a security researcher leaves you a voicemail, please call them back …

By Jon Washburn on October 13, 2017 Posted in Security, Software

A good lesson for technology providers: if security researchers reach out to you, acknowledge them as quickly as possible, especially when they’ve discovered a critical vulnerability. If you work with them to remediate the issue, you may be able to get a patch out before they feel the need to publish the vulnerability for the … Continue Reading

What is FOSS, and why should I be worried about it?

By Jon Washburn on October 3, 2017 Posted in Software

Free and Open-Source Software (FOSS) is computer software that can be classified as both free software and open-source software. Anyone who wishes to use FOSS is freely licensed to use, copy, study, and change the software in any way, and the source code is openly shared so that people are encouraged to voluntarily improve upon … Continue Reading

The Security Risk Assessment (SRA) Tool

By Jon Washburn on September 18, 2017 Posted in HIPAA

If you’ve been looking for a simple tool to help you with an initial self-assessment of how compliant you are with the HIPAA Security Rule, the ONC – in collaboration with the HHS Office for Civil Rights (OCR) and the HHS Office of the General Counsel (OGC) – developed a downloadable tool to help guide … Continue Reading