In the current environment, most organizations are aware of the potential threats to their firms from a breach of their data systems and networks. Among the ways companies can protect themselves from these types of threats is through improved employee awareness and training. In the following guest post, Paul Ferrillo and Randi Singer of the Weil, Gotshal & Manges law firm discuss the steps companies can take to avoid common lapses in employee judgment or awareness that can expose a company to a cyber-incident.
I would like to thank Paul and Randi for their willingness to publish their guest post on my site. I welcome guest post submissions from responsible authors on topics of interest to readers of this site. Please contact me directly if you would like to submit a guest post. Here is Paul and Randi’s guest post.
They may be based in North Korea, Russia, China, or the United States. They may call themselves “Deep Panda,” “Axiom,” “Group 72,” the “Shell_Crew,” the “Guardians of Peace,” or the “Syrian Electronic Army.” But no matter how exotic or mundane the origins of a particular cyber-criminal organization, all that it needs to initiate a major cyberattack is to entice one of your employees to click on a malicious link in an email, inadvertently disseminate malware throughout the network servers, and potentially cause tremendous damage and loss of business.[i]
Indeed, “spear phishing” is a tactic used by cyber-criminals that involves sending phony, but seemingly legitimate, emails to specific individuals, company divisions, or even business executives, among other typically unwitting targets. Unlike spam, these emails usually appear to be from someone the recipient knows and in many cases can appear completely legitimate, or at least unassuming. If the recipient opens any attachments or clicks any links, havoc can ensue. Such spear phishing emails are suspected to have caused many of the recent major cyber attacks. Despite fancy-sounding defensive cybersecurity devices at companies and financial institutions, “spear phishing with malware attachments” is often the easiest route into a sophisticated network.[ii] One report recently noted that, “Compared to the ‘spam-phishing’ emails of days past, which most people have learned to identify and avoid over the years, spear-phishing emails are astronomically more effective. Whereas the current open rate for spam emails is a meager 3%, the open rate for spear-phishing emails is a staggering 70% (not to mention 50% of those who open these emails also click the links they contain). A study published by Cisco found 1,000 spear-phishing emails generate ten times more data revenue for hackers than sending 1,000,000 spam-phishing emails.”[iii] According to another recent study, 90 percent of all hacks in the first half of 2014 were preventable, and more than 25 percent were caused by employees.[iv]
For these reasons, it is absolutely crucial that a company provide training to its employees to detect and avoid spear phishing attacks, and more broadly, to avoid common lapses in judgment or awareness that can expose a company to a cyber-incident. For example, companies can easily offer training that improves password protection, helps avoid workplace theft, and better protects employee-owned devices without password protection such as smartphones, laptops, and tablets. Though no particular training regimen can guarantee protection from a cyber-attack, statistics support including such training as a critical part of a company’s overall security posture.
Anti-Spear Phishing Training
Weeks after the announcement of the Anthem attack, which, like that on Sony Pictures, was likely caused by a sophisticated spear phishing operation, cybersecurity guru Brian Krebs noted that others were attempting to prey upon the misfortune of over 80 million patients by sending their own spoofed emails to affected customers.[v] Other “cold-calling” scams apparently were perpetrated at about the same time as the fake emails were sent:
Now, if you were a terrified Anthem patient whose personal health information was potentially stolen, this sort of an email communication would not be unexpected, and would be very appealing; it would be natural to click the link. In reality, clicking on the fraudulent “free credit protection link” would only have touched off a whole new world of pain.
Here is another example illustrating the growing sophistication of spear phishing attacks. What if you were an existing customer of HSBC and received this email? Would you click on the link, or ignore it and potentially let your account be suspended by “the bank”?[vi]
But the potential price for opening a link that does not appear to be obviously suspicious can be breathtakingly high. In an era where there is so much personal information about everyone on the Internet, it would not be hard for even a high-school student to create an authentic-looking email that could catch us when we least suspect a cyber-attack (especially the Anthem “customer email”). Even higher-level employees are vulnerable to spear phishing (often called “whaling” when high-level executives are targeted), and the corresponding damage can be exponentially worse.[vii]
How do you guard against a socially engineered spear phishing attack? You train and you train, and then you train some more. Many corporate IT departments already periodically send out fake emails to their employees hoping for a “bite.” Many more companies regularly train their employees monthly on anti-spear phishing using automated computer programs that send emails to employees from exact website addresses to see who will unwittingly click on the links.[viii] Records can be kept of successes (and failures). Some companies might award prizes to employees who religiously resist getting tricked, gaining loyalty while simultaneously lowering risk. The resulting reduction in the risk of an employee clicking on a malware-infected spear phishing email can be substantial.[ix]
Password Protection and Awareness
There has also been a tremendous amount of publicity over the inadequacy of employee passwords. A January 2013 report by Deloitte suggests that an astonishing 90 percent of user passwords are vulnerable to hacking.[x] There are a few rules of the road:
- Companies should force employees to change their passwords regularly (preferably every 30 days), without exception;
- Employee passwords cannot be common defaults such as “password” or “12345”;[xi]
- Employees should not store passwords on sticky notes placed on their computers or in a physical or digital file or folder called “password”;
- Employee passwords should be strong; rather than the first name of the employee’s child, dog or cat, it should contain unique patterns of letters, numbers and other signs, like “I li6e cho$hlat@”;
- Employees should be required to install passwords on any device used to access company email or any company resources, including home laptops, so that they remain secure as well;
- Companies should make sure that employees follow responsible “social media” practices with regard to company-specific information;
- Companies should provide privacy screens to employees to prevent “shoulder surfing” (reading over an employee’s shoulder); and
- Employees should receive frequent training on spear phishing, so no employee inadvertently gives up his password to an unauthorized third party.
Other Simple (Non-Hardware) Ideas to Protect Company Data
Finally, for any company, it is important for the IT department to reinforce the following best practices for the handling of company data:
- Follow least-access principles and control against over-privileging. An employee should only be given access to the specific resources required to do his or her job. Not every employee needs the keys to the kingdom.
- Make sure software patches and critical updates are made in a prompt and timely fashion so that no critical patch is left uninstalled for lack of time or budget.
- Every company should instill in each employee a sense of “ownership” in the collective good of the company, one that requires him or her to be cyber-conscious and sensitive to the potential areas of susceptibility that we have described above.
Cybersecurity is the ultimate team sport, and every person in the company, from a director down to an entry-level employee, needs to be invested in its cybersecurity:
“The infamous Sony hack, the systematic attacks of Heartbleed and Shellshock targeting core internet services and technologies, and the new wave of mass mobile threats have placed the topic of security center stage. Organizations are dramatically increasing their IT budgets to ward off attack but will continue to be vulnerable if they over-invest in technology while failing to engage their workforce as part of their overarching security solution. If we change this paradigm and make our workforce an accountable part of the security solution, we will dramatically improve the defensibility of our organizations.”[xii]
We cannot claim that any of these ideas are cure-alls for the hacking problem in the United States (in fact, none are complete solutions). We can only subscribe to the theory that failing to implement basic cybersecurity “blocking and tackling” practices is the functional equivalent of forgetting to lock the back door.
[iii] See above at footnote 1.
[iv] See “Over 90 percent of data breaches in first half of 2014 were preventable,” available here; also see “The Weakest Link Is Your Strongest Security Asset,” available here (noting, “According to PwC, employees and corporate partners are responsible for 60% of data breaches. Verizon’s research suggests the number is even higher, at almost 80%.”).