Articles Posted in Human Firewall

The SEC warns public companies that lax cybersecurity practices could violate rules governing internal accounting controls, and offer nine scams as cautionary tales.

The SEC has become increasingly active when it comes to cybersecurity. Last month, it issued an investigative report about Business Email Compromises (BCEs) involving nine public companies that lost nearly $100 million when they wired funds to thieves impersonating corporate executives or vendors. While the SEC did not take action against the companies, it noted that policies and procedures that allowed for the thefts, accomplished via simple means of email and wire transfers, could leave a company in violation of accounting rules requiring that public companies safeguard corporate assets. The report makes a strong case that all companies, not just the boards of public companies, need to be aware of and protect against scams of these sorts.

The Commission considered whether the victimized companies complied with the requirements of Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934. Those provisions require certain issuers to devise and maintain a system of internal accounting controls that provide reasonable assurances that management authorizes corporate transactions and access to company assets. “While the cyber-related threats posed to issuers’ assets are relatively new, the expectation that issuers will have sufficient internal accounting controls and that those controls will be reviewed and updated as circumstances warrant is not,” the report stated.

The Commission chose to issue the report as guidance and declined to bring charges against the companies. While these companies dodged a second bullet, all companies should take this opportunity to benefit from the SEC’s analysis, and how important it is that board members understand the multiple aspects of cybersecurity, cyber risk, and related compliance.

Some directors may still assume that a cybersecurity breach is one that involves hackers infiltrating a company’s computer systems and stealing the customer data. With this preconception, an enterprise will focus on hardware, software, and firewalls and other technical solutions, which can lull management into thinking that increasing the data security budget is enough to address security threats. But almost all breaches have a human element – these losses cited in the SEC report were based on social engineering,” which we’ve written about – exploiting human weakness, not technological failures. The only thing “hacked” was what should have been the proper level of suspicion of the employee targeted, and lax internal controls. So how should companies respond, and what do board members and top executives need to do to avoid problems?  Continue reading

Cybersecurity is a method to protect your data and systems. Cyber resiliency is a way of doing business in the face of the inevitable.

When Hurricane Michael struck the Florida Panhandle earlier this month, it wiped away wide swaths of Mexico Beach, a coastal town on the Gulf of Mexico. Left conspicuously standing was a house built just last year of reinforced concrete, specifically designed to withstand a Category 5 storm.

The house, elevated on pilings to survive the storm surge, lost its stairwell—by design. It was built to separate from the building without damaging the structure itself. Other than the missing stairs, the house suffered only minor water damage and a cracked shower window.

This story is an important lesson, and a metaphor for cyber resiliency, taking steps to weather a data or systems catastrophe while maintaining ongoing business operations. The adoption of cyber resiliency is an important mindset shift for those dealing with cybersecurity.

Cybersecurity is the approach that focuses on the methods and processes of protecting electronic data – the goal is to thwart an attack, and emphasizes training people and systems to recognize infiltration so it can be stopped. Cyber resilience, on the other hand, assumes an attack will occur. The underlying premise could be summed up this way: “What can go wrong, will. What are you going to do about it?”

Many companies have made meaningful improvements in protecting their data. They have implemented better firewalls, procedures and training to reduce the likelihood of an attack.  While these steps are essential, implementing a cyber resilience program focuses on how the enterprise can continue doing business in the midst of and in the wake of an attack. Cyber resiliency requires a different set of tools and, more importantly, a corporate culture more attuned with surviving natural disasters.  Continue reading

Agreeing to ransom terms is a losing proposition; spend your time and energy preparing for an attack.

Ransomware attacks are on the rise, partly because of the ease and anonymity of crypto-currencies. In a typical ransomware attack, cyber criminals invade a computer system and encrypt key data, then threaten to destroy the data unless the victim pays the criminal a relatively minor sum (ranging from hundreds to thousands, or in rare cases, tens of thousands of dollars). Schemes go by the teasing names of CryptoLocker and WannaCry, but there’s nothing playful about finding that you are a target. Ransoms are priced at a level that encourage compliance with the criminal demand. Yet there’s nothing that ensures a payment will actually free up your data and the utility of your system – in many cases, it’s clear that the criminals never intended to unencrypt the data.  Moreover, once a system has been compromised, there can be little doubt that the hackers accessed sensitive data and left behind malware allowing them to create more mischief.

There is fierce debate over how to respond to attacks; even the FBI at one point seemed to advocate paying ransom to reclaim stolen data, though it clarified its position in 2016 and no longer recommends payment.  At the same time, for many firms, spending a relatively modest sum to recover mission-critical data sounds better than spending a far greater sum to recover only a portion of that data.  The latter approach is, however, a poor use of resources; rather than trying to determine whether to agree to ransom terms, spend your time and energy preparing for an attack. Companies should consider a ransomware attack as you would any other cybersecurity breach. That is, it is going to happen, the only question is when. Sound preparation boils down to several key considerations.

1. Back Up Data and Store It Properly

Any system is vulnerable when there is only one copy of data, or when backups are stored on tied or companion systems. If cyber criminals encrypt data on your main system, it’s important to be able to access the original data, and that means copying and storing it on a separate, secondary system that is untethered from the main system, and where it is possible to extract uninfected data. This is sound practice no matter what the threat; ransomware has only highlighted its importance. Whether its financial data, health records, or city citations, having multiple ways to access data is key. Moreover, simply having a backup is not sufficient; unless the backup is tested, one can never determine whether it is effective, how long it will take to implement, and other key issues. Continue reading

cursor-clicks-red-VIRUS-button-300x225

Any hobbyist will tell you that a proper guide is a must to mastering a craft.  However, a hobby is a part-time occupation; most of us know that our businesses need full-time attention. Because cybersecurity threats can impact core business activities, addressing those threats, especially those known as “social engineering” and cyber scams, is not a mere pastime — it’s a full-time job.

Bad actors use social engineering — the practice of using human interaction (or simulated human interaction) to gain trust — to obtain passwords, access or other information about a company and its security and computer systems. Most notably, “phishing” is a form of social engineering in which emails or websites pose as known and trusted organizations (such as a customer, credit card company or utility) to trick a target consumer. Because the consumer views the organization as a trusted brand, the consumer is more easily duped into providing user information that could compromise their data security.

Fighting bad actors who use social engineering requires constant attention, especially as hackers become more sophisticated.  To keep you informed, here’s an abbreviated field guide of what you might see in the wild this season.

Phishing: Phishing is the most common type of social engineering cyber scam. Attackers use emails, text messaging or social media outreach to trick victims into providing the desired sensitive information, or to visit a seemingly innocent but malicious site, where their system or security can be compromised.

Many phishing scams present the target with a sense of urgency, such as, “update your password now or lose access to your account.” In the wake of  GDPR requirements, some ironically pose as trusted sources asking for approval for or recognition of privacy policy updates. Some distinguish phishing (think of catching many fish in a large trawling net) from spear phishing, in which a specific individual or small groups of individuals are targeted. Either way, it can end poorly for the phished. Continue reading

padlock-cybersecurity-300x203

 

Welcome to the second article in our series of blogs about blockchain technology and its impact on business practices, corporate governance and cybersecurity.

 

 

In Robert Braun’s article, Cryptocurrencies – Does the Next Big Thing have Staying Power?, published by FinTech Weekly, he describes four challenges that arise in the use of cryptocurrencies, and potentially in other blockchain applications: volatility, criminal activity, security issues, and human error.  He writes:

“Cryptocurrencies – not just bitcoin, but any of the hundreds of different currencies that have been created using blockchain technology – have caught the imagination of the public.  There are, seemingly, daily articles that predict either the demise of all traditional currencies in favor of cryptocurrencies, and just as many articles predicting the demise of cryptocurrencies.  While cryptocurrencies are just one of the many uses of blockchain technology, the challenges cryptocurrencies face may reflect hurdles for other uses of bitcoin. With that in mind, four challenges arise in the use of cryptocurrencies, and potentially in other blockchain applications.”

To read the full article, see Cryptocurrencies – Does the Next Big Thing have Staying Power?

To read the first blog in this series on blockchain technology, see So, What is This Blockchain Thing?

 

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

Today’s blog is written by my partner, Louise Ann Fernandez, Chairperson of JMBM’s Labor & Employment Group. Louise Ann helps companies put hiring and employment policies in place — and develops training programs — that help to protect the business against cyber threats.  — Michael A. Gold

Could We Have Seen This Coming?
The Importance of HR to Cybersecurity

Louise Ann Fernandez, Chair, JMBM’s Labor & Employment Law Group

After a cybersecurity breach, second guessing can often turn into a blood sport. The business often blames Human Resources and the HR department is quick to say that they were not given enough information or blames IT. This kind of tension is far too common and nonproductive. Communication and creativity on all sides are essential to identifying and  preventing cybersecurity threats. This article discusses some  simple proactive steps that you can take now to help you recognize potential issues before it’s too late.

IT Hiring

Your IT department is both your first line of defense and greatest vulnerability. Do you really know who is working there? We will cover hiring in general and its role in preventing cybersecurity attacks in another blog, but often problems come because of bad hiring choices in the IT department.  Because there is a shortage of qualified IT personnel and immediate needs must be met, warning signs are often overlooked. Both HR and IT must be trained to carefully analyze the credentials of all IT applicants. You need to look for gaps in employment history, too much job hopping and things that seem inconsistent such as career changes or abnormal job progression. Most importantly, you must do careful reference checks. Do not rely on the headhunter to provide references or do reference checks. They have a conflict and will not be as careful as you would like. References can easily be faked. For example, don’t accept just cell phone numbers. They could be giving you their brother’s number. Ask employees to provide work numbers for all references and call the human resources department of each prior employer to get dates of employment. Although there are more and more restrictions on background and criminal checks, they can still be done if you follow the rules. Make sure you do them. Also, do a careful social media check to see what their online presence looks like. Key warning signs are signs of second jobs that conflict with your business, angry  posts, alternate identities such as “stage names,”  peculiar political affiliations and overactive Twitter or Instagram accounts. Make sure you know all of their email addresses. Continue reading

At the airport, in a coffee shop or hotel lobby? Think twice before logging on to that free Wi-Fi.

What’s not to love about free, public Wi-Fi?  It’s free. It’s easy. A couple of clicks and you’re connected to the world.

When you’re on the go, there will always be a need to check your email, send a document to a client, touch base with someone in the office, or review the balance in your bank account. You can take care of life’s business from almost anywhere, and public Wi-Fi makes it easy.

Its ease of use makes it a boon to hackers, as well. While you’re taking care of business, so are they.

Earlier this week, I was interviewed by Leonard Lee of Thomson Reuters Legal Current for a 20-minute podcast titled “Dangers of Public Wi-Fi”.  We discussed some of the things that can happen when you’re using public Wi-Fi, including:

  • Spoofing. Rogue computers can spoof you, pretending to be something they’re not, and capture your data when you click on their link.
  • Capturing passwords. More sophisticated hackers can enter your device stealthily and monitor everything you do (capturing keystrokes to passwords, for example).
  • Depositing malware. Hackers can also deposit malware into your computer. This can endanger not only your own data – if you’re connected to your company’s network you’re risking the integrity of data shared by everyone back in the office.
  • Peeking the old fashioned way. And remember, in a public place it’s still possible for hackers to perform a hack the old fashioned way – by looking over your shoulder and reading your screen.

The safest way to go? Don’t use public Wi-Fi. Continue reading

cursor-clicks-red-VIRUS-button-300x225

Ever since California adopted the nation’s first breach notification law in 2002, companies that have suffered a data breach have focused on whether and how to notify their customers, employees and others of the nature and extent of the breach.  California’s law has been amended multiple times, and has been followed by breach notification laws in almost every state, as well as the notification requirements under the Health Insurance Portability and Accountability Act (“HIPPA”).  As these laws developed, a tandem requirement has emerged:  the obligation to take reasonable steps to protect data, and companies are, increasingly focused on taking steps to ensure the security of their data.

Recent breaches, however, have made it clear that these efforts do not address what might be the most pressing problem facing businesses:  how to recover from a malicious attack.  As data security attacks have evolved, firms must recognize an entirely different set of risks.

In the past, most hackers have focused on obtaining financial or personal information for profit.  Thus, the most publicized data breaches – Wyndham and Target, as examples – were directed at obtaining credit card information which could be sold on the dark web.  While these incidents can be expensive, they rarely threaten the existence of a firm; indeed, most consumers are so inured to the likelihood that their credit card information may be stolen that they take a blasé attitude and assume, correctly, that their personal losses will be small, typically limited to the inconvenience of getting a new credit or debit card.  Similarly, as more and more companies recognize the likelihood of a loss and, in response, adopt breach notification policies backed by cybersecurity insurance, the impact has become incorporated into the cost of doing business.

This attitude began to change with the increased incidence of ransomware.  Rather than seek financial or personal data, ransomware exploits technical or, more often, human vulnerabilities to encrypt data and hold it hostage in return for payment of ransom.  There have been highly publicized incidents, including hospitals, hotels, law enforcement agencies and other entities, that paid ransom in return for access to their data.  While paying ransom has been almost universally criticized, many firms felt they had no choice; they did not have adequate backups, and the only possible means of continuing business was to pay a relatively modest payment.

With the recent Petya virus attacks, however, that calculus has changed.  It has become more and more apparent that this virus, while claiming to be ransomware, was actually much more destructive; researchers increasingly believe that the malware was “wiperware” with the objective of permanently destroying data, and the perpetrators of the virus had no intention of freeing the data.  The researchers analyzing Petya (sometimes called PetyaWrap, NotPetya, and ExPetr) have speculated the ransom note left behind in the attack was a hoax intended to capitalize on media interest sparked by the May Wannacry ransomware attack. Continue reading

Web analytics concept - Multicolor version

Middle-market companies have cultures, goals and business needs that are distinct from larger firms, and nowhere is that more true than with cybersecurity.

Fortune 500 companies and brands with household names are much more likely to recover their reputations following a data breach.  While breaches are costly in financial terms to all companies, the damage to the brand of a middle-market company may not be survivable.  Large companies can weather the storm of negative publicity and loss of reputation, but mid-markets often cannot:  60% of middle-market companies that are hacked are out of business within one year.

This presents a near-paralyzing scenario to middle-market managers – the mere spectre of a data breach presents business risks that are difficult for them to fathom.

In our work with middle-market companies, we’ve developed effective strategies to help companies respond to the risk and protect their vital digital assets.  In fact, when the process is managed well, middle-market companies can respond to cybersecurity threats more quickly and effectively than larger businesses. Continue reading

Last year, SEC Chair Mary Jo White named cybersecurity as the biggest risk facing financial markets. But the risk isn’t limited to the financial industry – even a casual review of breach reports in the mainstream press shows that cybersecurity is a risk common to all companies in any industry.  The challenge facing companies is how to prepare for what seems to be inevitable, and how to do it in an efficient and economical basis.

The key element in preparing for a data breach is less a technical matter than a traditional evaluation of business risk.  Companies regularly analyze the risks of business decisions, and just as regularly, recognize that risk analysis requires legal advice.  Evaluating cybersecurity risk is no different – it requires that a company understands the risks it takes, which risks it is willing to assume as part of its business and which risks need to be eliminated or shifted (through insurance, contractual arrangements or otherwise).  Understanding this, obtaining competent legal advice before a breach is a critical aspect of any cybersecurity plan.

Despite this fact, many companies focus their data protection programs in IT, and only bring in their lawyers late in the game to bless their cybersecurity measures. While legal expenses are always a concern, companies will reap a greater return on their overall cybersecurity investment by soliciting advice early on, and stand better odds a breach will be handled correctly and efficiently.

What can cybersecurity lawyers bring to the table?

Hand-in-Glove Collaboration

Perhaps most importantly, legal counsel commonly work with a variety of corporate players and are in a unique position to work hand-in-glove with IT, HR, and other functions to assess and reduce cybersecurity risk while still permitting a company to function efficiently. An experienced lawyer is often the best person to lead a team that establishes key protocols to avoid a breach, including policies and procedures for privacy, confidentiality, mobile device usage, record retention, and breach protocol.  Lawyers are particularly able to address the key elements of an effective cybersecurity plan. Continue reading