By Steve Britt and Frank Gulino
During tax season earlier this year, a human resources professional at a Virginia government contractor received an email purportedly from the company’s CEO requesting the 2016 tax forms for all of the company’s employees. She duly complied by reply email. An hour later, upon passing the CEO in the hallway, this employee was horrified to learn that the CEO had not made that request; rather, an unknown person passing as the CEO was now in possession of sensitive employee tax information.
A week later, an accountant at a Charlottesville accounting firm received an email purportedly from a client attaching a spreadsheet of the client’s operating expenses for the preparation of its tax returns. When the accountant opened the attachment, the malware embedded in the file propagated throughout the firm’s network, automatically encrypting all files on all network servers and posting the hacker’s demand for a Bitcoin ransom payment within 72 hours in exchange for decrypting the files.
In each case, the cyber attacker exploited the human element, spoofing the names, email styles, closing signatures and email addresses of the purported sender. This type of attack, referred to as “spear-phishing,” is particularly effective when hackers perform reconnaissance on social media accounts and capitalize on employees’ reuse of the same passwords for social media accounts and corporate log-ins. Hackers are sometimes able to hide out in corporate networks for months, learning exactly how employees communicate for more effective trickery.
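The spoofing described above usually shows up in the message headers: an executive's display name on a mailbox that is not theirs, a look-alike domain, or a Reply-To that routes the answer elsewhere. The following header checks are an added illustration, not code from the article or its authors; the corporate domain, executive name and mailbox are constructed sample values.

```python
"""Heuristic header checks for executive-impersonation (spear-phishing) email."""
from email.utils import parseaddr

# Constructed sample values for the demo (hypothetical company and executive).
CORP_DOMAIN = "acme-gov.com"
EXECUTIVES = {"jane doe": "jane.doe@acme-gov.com"}


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased; empty string if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, reply_to: str = "") -> list:
    """Return human-readable findings for a From: (and optional Reply-To:) header."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    dom = _domain(addr)
    findings = []
    key = " ".join(name.lower().split())
    # A known executive's display name on a different mailbox is the classic spoof.
    if key in EXECUTIVES and EXECUTIVES[key] != addr:
        findings.append(f"display name '{name}' impersonates {EXECUTIVES[key]}")
    if dom != CORP_DOMAIN:
        if dom and _edit_distance(dom, CORP_DOMAIN) <= 2:
            findings.append(f"look-alike domain {dom}")
        else:
            findings.append(f"external sender domain {dom or '<none>'}")
    # A Reply-To on another domain sends the victim's answer to the attacker.
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        if _domain(rt_addr) != dom:
            findings.append(f"Reply-To domain {_domain(rt_addr)} differs from From")
    return findings


if __name__ == "__main__":
    print(check_sender("Jane Doe <jane.doe@acme-qov.com>"))
```

A mail gateway rule that quarantines or banners messages with any finding gives the HR employee in the first story a visible warning before she replies.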
Employee-targeted attacks are up
Cyber defense technology has improved substantially over the past few years. However, unpatched systems, obsolete devices and simple, guessable passwords that never change still account for a large percentage of network intrusions. As a result, cyber criminals now target your company’s biggest vulnerability: your employees.
Since 2015, the percentage of data breaches resulting from traditional hacks and intrusions has dropped from 80 percent to less than 10 percent, while losses from phishing and spear-phishing attacks that target unsuspecting employees have risen from about 5 percent to more than 90 percent of all cyber-attacks. The focus on employees makes perfect sense. Why try to hack through firewalls, antivirus software and third-party network monitoring when a hacker can simply convince an employee to voluntarily disclose sensitive data by posing as her boss, or by taking advantage of the fact that she uses the same password for all her accounts? Employees are now clearly the weakest link in cybersecurity, and attackers have changed their game plans accordingly.
While identity and intellectual property theft were the primary risks of cyber intrusion these past few years, the new threat of ransomware is a five-alarm fire that threatens to burn down the company in just one click of a mouse. That is why over 60 percent of small businesses that suffer a data breach go out of business within six months. If all of your files become encrypted—even if you pay the ransom and even if the decryption key works, neither of which is guaranteed—the time it takes to secure a Bitcoin account and unlock your records, combined with the cost of a subsequent forensic investigation, legal bills and loss of customer confidence, can cripple a company.
Precautionary measures crucial
The need for employee policies and training has risen to the top of a company’s cybersecurity priority list. These precautionary measures cannot be put off or delayed. The only way to alter this picture is to implement the key elements of a comprehensive cyber defense plan.
A cyber defense plan will begin with a technical vulnerability assessment of your network, which almost always indicates far broader problems than expected. Clients often have to make some tough decisions about how to prioritize remediation efforts due to cost, the nature of the vulnerabilities, and the sensitivity of the data at risk. If there is later litigation involving a data breach, these reports can provide plaintiffs with a roadmap to new and expanded claims by second-guessing the choices made by management after vulnerabilities were discovered.
Tip: If these network assessments are ordered by legal counsel as part of a substantive review of the client’s data security posture, these reports can be shielded from disclosure under attorney-client privilege and the attorney work product doctrine. If the client’s IT department conducts its own investigation and orders these reports directly, they are not protected from disclosure in later litigation.
Further, a company must customize its policies and training to the particular operating posture of the company. Not only will these policies and training truly enhance a company’s protection of sensitive data, but they will instill a culture of security awareness and accountability that will ripple throughout the enterprise.
Ultimately, this collective understanding of security awareness and accountability will reach the company’s contractors and third-party vendors, such as cloud providers.
Considerations for the personnel elements of cyber policies include the following:
- Does the company have strong access management rules that limit access to sensitive corporate data and resources to only those who need access to do their job? Is that access automatically terminated when their employment ends?
- Can employees bring their own devices and access the corporate network? If so, must they use a guest network or be required to install wipe-clean software?
- Can employees plug flash drives—common vehicles for malware—into the corporate network without prior scanning (after working at home or on vacation)?
- Does a password management policy set a protocol for password complexity, require periodic changes (every three to six months) and prohibit the use of common passwords on multiple accounts?
- Does the company require regular employee training across the range of security and privacy issues with annual audits and testing?
- Does the company limit the use of social media, emailing and blogging to non-work time and non-company equipment?
Begin enhancing security TODAY
There are a few bright spots in this dreary landscape. First, it is well understood that companies cannot do everything they need to do all at once no matter the cost. But all companies—literally all companies—must begin a solid, comprehensive process to decide what they need to do to enhance their security. Companies must determine their own vulnerabilities and establish a specific prioritized action list based on their particular business. Experienced legal advice is critical for all of these issues. But in the age of spear-phishing and ransomware, the development and implementation of employee policies, procedures and training should rise to the top of your priority list.
Steve Britt is a partner at Berenzweig Leonard and Director of its Cybersecurity Practice. Steve has been practicing technology law for over 25 years and represents a wide range of hardware and software clients involved in managed services, software licensing, SaaS, cloud computing and software development. Steve advises his clients, which include government contractors, on the full range of data protection issues relating to HIPAA, FTC, COPPA, PCI, DoD, DHS, EU and state data breach laws. He can be reached at firstname.lastname@example.org or (703) 570-8010.
Frank Gulino is an associate at Berenzweig Leonard and represents government contractors in complex business litigation matters and bid protests in state and federal courts as well as before administrative boards. Frank also helps clients manage cybersecurity and data privacy issues, including assisting DoD and Federal Civilian contractors with bringing their cyber defense plans into compliance with the new FARs and DFARS. He can be reached at email@example.com or (703) 663-8185.