
Why employees may be the biggest risk for a cyber attack


By Steve Britt and Frank Gulino

During tax season earlier this year, a human resources professional at a Virginia government contractor received an email purportedly from the company's CEO requesting the 2016 tax forms for all of the company's employees. She duly complied by reply email. An hour later, upon passing the CEO in the hallway, this employee was horrified to learn that the CEO had not made that request; rather, an unknown person posing as the CEO was now in possession of sensitive employee tax information.

A week later, an accountant at a Charlottesville accounting firm received an email purportedly from a client, attaching a spreadsheet of the client's operating expenses for the preparation of its tax returns. When the accountant opened the attachment, the malware embedded in it spread across the firm's network, encrypting the files on every network server and posting the attacker's demand for a Bitcoin ransom payment within 72 hours in exchange for decrypting them.

In each case, the attacker exploited the human element, spoofing the name, writing style, closing signature and email address of the purported sender. This type of attack, referred to as "spear-phishing," is particularly effective when attackers first perform reconnaissance on social media accounts, and it pays off doubly when an employee has used the same password for a social media account and a corporate log-in: a password exposed in one breach then opens the corporate account as well. Attackers are sometimes able to hide in corporate networks for months, learning exactly how employees communicate so that the eventual trickery is more convincing.
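The two clues the stories above turn on, an executive's name shown over an outside mailbox and a reply address that quietly differs from the sender, can be checked mechanically before a message ever reaches an inbox. The following Python script is an added example written for this page, not code from the article or its authors; the corporate domain, the executive directory and both sample messages are constructed for the demonstration.

```python
"""Flag inbound mail that impersonates an internal executive.

Added example, not from the original article.  The corporate domain,
the executive directory and both sample messages below are constructed
for the demonstration.
"""
import email
from email import policy
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-contractor.com"                      # assumed
EXECUTIVES = {"jane doe": "jane.doe@example-contractor.com"}     # assumed directory

# Constructed sample modelled on the HR story: the CEO's name, a
# look-alike domain (.co for .com) and a Reply-To that steers the
# employee's answer to the attacker's mailbox.
SPOOFED = b"""\
From: Jane Doe <jane.doe@example-contractor.co>
Reply-To: ceo.office@mail-example.net
To: hr@example-contractor.com
Subject: W-2s for all employees - urgent
Content-Type: text/plain

Please send me the 2016 W-2 forms for all staff as a PDF today.
Thanks, Jane
"""

# Constructed sample of a genuine internal message.
LEGIT = b"""\
From: Jane Doe <jane.doe@example-contractor.com>
To: hr@example-contractor.com
Subject: Board deck
Content-Type: text/plain

Can you drop the headcount numbers in by Friday?
"""


def domain_of(addr):
    """Domain part of an email address, lower-cased ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def within_one_edit(a, b):
    """True if a and b differ by exactly one substitution, insertion or
    deletion; enough to catch .co/.com, examp1e/example and the like."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def impersonation_findings(raw):
    """Return a list of reasons the message looks like executive impersonation."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    findings = []

    # 1. Display name matches an executive, but the address behind it does not.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' over non-executive address {addr}")

    # 2. Sender domain is a one-character variant of our own domain.
    sender_domain = domain_of(addr)
    if within_one_edit(sender_domain, CORPORATE_DOMAIN):
        findings.append(f"look-alike sender domain {sender_domain}")

    # 3. Reply-To silently redirects the employee's reply to another domain.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(str(reply_to))
        if domain_of(reply_addr) != sender_domain:
            findings.append(f"Reply-To {reply_addr} diverts replies away from {addr}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, impersonation_findings(raw) or "no findings")
```

Run against the two constructed messages, the spoofed one produces three findings and the genuine one none. A check like this belongs at the mail gateway alongside SPF, DKIM and DMARC validation of the sending domain; it does not replace the human step the first story ends with, confirming an unusual request with the supposed sender through a channel other than reply email.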

Employee-targeted attacks are up

Cyber defense technology has improved substantially over the past few years. Unpatched systems, obsolete devices and simple, guessable passwords that never change still account for a large share of network intrusions, but as the technical barriers rise, cyber criminals increasingly target your company's biggest vulnerability: your employees.

Since 2015, the share of data breaches resulting from traditional hacks and intrusions has dropped from 80 percent to less than 10 percent, while the share traced to phishing and spear-phishing attacks on unsuspecting employees has risen from about 5 percent to more than 90 percent. The focus on employees makes perfect sense. Why try to hack through firewalls, antivirus software and third-party network monitoring when an attacker can simply convince an employee to disclose sensitive data voluntarily by posing as her boss, or can log in with a password she reuses across all of her accounts? Employees are now clearly the weakest link in cybersecurity, and attackers have changed their game plans accordingly.

While identity and intellectual property theft were the primary risks of cyber intrusion these past few years, the newer threat of ransomware is a five-alarm fire that can burn down a company with one click of a mouse. It is commonly reported that over 60 percent of small businesses that suffer a data breach go out of business within six months. If all of your files become encrypted, the time it takes to obtain Bitcoin and unlock your records, even if you pay the ransom and even if the decryption key works (neither of which is guaranteed), combined with the cost of a subsequent forensic investigation, legal bills and loss of customer confidence, can cripple a company.

Precautionary measures crucial

The need for employee policies and training has risen to the top of a company's cybersecurity priority list. These precautionary measures cannot be put off or delayed. The only way to alter this picture is to implement the key elements of a comprehensive cyber defense plan.

A cyber defense plan will begin with a technical vulnerability assessment of your network, which almost always reveals far broader problems than expected. Clients often have to make some tough decisions about how to prioritize remediation efforts due to cost, the nature of the vulnerabilities, and the sensitivity of the data at risk. If there is later litigation involving a data breach, these reports can provide plaintiffs with a roadmap to new and expanded claims by second-guessing the choices management made after the vulnerabilities were discovered.

Tip: If these network assessments are ordered by legal counsel as part of a substantive review of the client's data security posture, the reports may be shielded from disclosure under the attorney-client privilege and the attorney work product doctrine. If the client's IT department conducts its own investigation and orders the reports directly, they generally will not be protected from disclosure in later litigation.

Further, a company must customize its policies and training to its particular operating posture. Not only will such policies and training truly enhance a company's protection of sensitive data, but they will instill a culture of security awareness and accountability that will ripple throughout the enterprise.

Ultimately, this collective understanding of security awareness and accountability will reach the company’s contractors and third-party vendors, such as cloud providers.

Considerations for the personnel elements of cyber policies include the following:

  • Does the company have strong access management rules that limit access to sensitive corporate data and resources to only those who need it to do their jobs? Is that access automatically terminated when employment ends, and reviewed periodically while it continues?
  • Can employees bring their own devices and access the corporate network? If so, must they use a guest network, or be required to enroll the device in management software that can wipe corporate data from it?
  • Can employees plug flash drives, a common vehicle for malware, into the corporate network without prior scanning (for example, after working at home or on vacation)?
  • Does a password management policy set a protocol for password complexity, require periodic changes (every three to six months) and prohibit the use of the same password on multiple accounts? Note that current NIST guidance (SP 800-63B) discourages forced periodic changes in favor of changing a password when there is evidence it has been compromised, screening new passwords against lists of breached ones, and requiring multi-factor authentication; multi-factor authentication in particular blunts the password-reuse attack described above.
  • Does the company require regular employee training across the range of security and privacy issues, with annual audits and testing?
  • Does the company limit the use of social media, email and blogging to non-work time and non-company equipment?

Begin enhancing security TODAY

There are a few bright spots in this dreary landscape. First, it is well understood that companies cannot do everything they need to do all at once, no matter the cost. But all companies, literally all companies, must begin a solid, comprehensive process to decide what they need to do to enhance their security. Companies must determine their own vulnerabilities and establish a specific, prioritized action list based on their particular business. Experienced legal advice is critical for all of these issues. But in the age of spear-phishing and ransomware, the development and implementation of employee policies, procedures and training should rise to the top of your priority list.

Steve Britt

is a partner at Berenzweig Leonard and Director of its Cybersecurity Practice. Steve has been practicing technology law for over 25 years and represents a wide range of hardware and software clients involved in managed services, software licensing, SaaS, cloud computing and software development. Steve advises his clients, which include government contractors, on the full range of data protection issues relating to HIPAA, FTC, COPPA, PCI, DoD, DHS, EU and state data breach laws. He can be reached at sbritt@berenzweiglaw.com or (703) 570-8010.


Frank Gulino

is an associate at Berenzweig Leonard and represents government contractors in complex business litigation matters and bid protests in state and federal courts as well as before administrative boards. Frank also helps clients manage cybersecurity and data privacy issues, including assisting DoD and Federal Civilian contractors with bringing their cyber defense plans into compliance with the new FARs and DFARS. He can be reached at fgulino@berenzweiglaw.com or (703) 663-8185.

