Wednesday, May 18, 2022

BY GORDON PLATT


Every business uses the internet, and no company that does is immune from cyberattacks; you’re likely to become a victim, if you haven’t already. This applies to small firms and companies as well as the larger multinationals that are in the news. While the so-called “whales” provide huge paydays for cybercriminals, they are more difficult to access because they often have robust security measures in place. Smaller organizations often make easier targets because they are usually less well-protected and provide easier pickings for hackers looking for a source of regular income.

According to well-established statistics, it’s a matter of when—and not if—a company will fall victim to a cybercrime or data breach. According to the Identity Theft Resource Center, there were 1,862 data breaches in 2021, surpassing both 2020’s total of 1,108 and the previous record of 1,506 set in 2017. That’s a 68 percent increase in 2021, affecting some 294 million records. And data breaches are just one type of cybercrime that can play havoc with your business’ computer network; others include email and identity fraud, not to mention a wide variety of credit card scams.

This is happening in our industry, sadly. At the 2021 CD/NLA Show in Dallas, Derek Maxwell of Aurora Payments offered his advice during his session, Don’t Let Ransomware Hold Your Business Hostage.

Did you know?

    • Cybercriminals have various ways to attack your company, including malware, phishing emails, and business continuity interruptions.
    • Sometimes the attack can come from inside your organization as departing or disgruntled employees take data with them. According to cybersecurity specialists Tessian, the most common positions that pilfer info are HR, sales, and marketing professionals—and they usually do it long before their two-week notice.
    • If you have a loss, you’re generally going to have a hard time getting (and maybe even renewing) a cyber policy in the future—so get one before you need it, and work with professionals to create a plan.
    • Nearly 60 percent of small or midsize businesses that get hit by a cyberattack without a recovery plan and backups don’t last six months. It’s just too big and too scary to recover from. Even if you do recover, 92 percent of businesses lose some data. Have. A. Plan.
    • If you suspect you’ve gotten hacked, power off your systems and disconnect all the network cables; even though it’s likely too late, you might stop it from spreading. Contact your local law enforcement immediately.
    • Get the right help—and that doesn’t mean your local IT guy. You need someone who specializes in these situations to either get your backup data restored or to figure out if you have to get your data back by paying ransom.
    • Back up your email—if you use Google 365, they likely DON’T back up that data, so if it’s important to you, you need to do it.
    • Consider two backups, which could include one with your network provider and an additional backup on an air-gapped system (i.e., not connected to your system or the internet).
A cyberattack typically occurs when perpetrators find a way into a network system, often by taking advantage of a human vulnerability like getting an employee to click on a link that enables malware to penetrate a corporate network, a technique known as “phishing.” Once inside a system, the intruders gain access to administrator privileges, and then go on to hijack or cause other disruptions to a network’s data and infrastructure—and it may not be immediate. This malicious software could be roaming around your system for days, weeks, or even months before cybercriminals flip the switch and paralyze your network. The costs to a business, not to mention the associated damage done to reputation and client relationships, can be fatal. In the first half of 2021 the average ransomware demand was $570,000, an 82 percent increase from the year before, according to Unit 42, an industry consulting group. The amounts demanded from smaller companies may be more modest, but in the scheme of things, even more devastating.

OK, these are sobering and possibly scary stats, but the positive news is there are precautions that you can take today that will significantly decrease the odds of becoming a victim tomorrow. Nothing is 100 percent, but the harder you make it to steal your data, the better your chances will be that a cybercriminal will move on to a less-protected target.
    • Initiate employee training: Engage an online or in-person training program that will make everyone in your company aware of the risks associated with cyberattacks and introduce the precautions that they should take. This should include regular training with simulated “phishing” emails and frequent follow-up. Grammar patterns and “reply to” email addresses are often dead giveaways.
    • Conduct a network audit and implement patches: Have your computer network evaluated for vulnerabilities and weaknesses and then have patches applied to the system. When a service like WordPress or your internet provider tells you to update your system, make sure you do. Systems that are not updated are ripe for exploitation.
    • Use multi-factor authentication and strong passwords: Ensure that all of your employees use strong passwords (e.g., not “123456”) that they are required to change on a regular basis. Next, introduce multi-factor authentication, a process in which you sign on and the site sends an additional authentication code to your phone via text. The slight delay this adds to signing on is more than compensated for by the enhanced security it affords.
    • Implement a backup system: Make sure that your entire system is backed up, both online and locally. This will enable you to restore your network infrastructure and data in the event that cyber attackers hold your system hostage. Recently, hackers have been gaining access to online backup systems, so make sure you retain one that’s completely off-line.
    • Create and test a robust incident response plan: Do not wait until your system is attacked to figure out what to do. Create a plan and test it to verify that you’re able to respond efficiently and effectively in the event of an attack or system failure. Then keep testing it: the best incident response plan is worthless if it just collects dust on a bookshelf.
    • Obtain cyber insurance: While insurance does not prevent an attack from occurring, it can certainly diminish the financial impact that a cyberattack can cause. Cyber incidents are not covered in your typical business insurance plan, so make sure you confer with your broker about it directly. It can quite literally save your business.
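As an added illustration of the “reply to” giveaway mentioned under employee training (example code written for this page, not from the article), the following Python function parses an email’s headers and flags a Reply-To address whose domain differs from the visible From domain. The two sample messages and the example-limo domains are constructed for the demo.

```python
import email
from email.utils import parseaddr

# Constructed sample: the visible From and the Reply-To point to different domains,
# so a reply to this "invoice" would go somewhere the sender's company does not control.
SAMPLE_MISMATCH = """\
From: Accounts Payable <ap@example-limo.com>
Reply-To: ap-invoices@example-limo-billing.net
To: owner@example-limo.com
Subject: Overdue invoice - action required

Please review the attached invoice and reply with payment details.
"""

# Constructed sample: no Reply-To header, so replies go back to the From address.
SAMPLE_CLEAN = """\
From: Dispatch <dispatch@example-limo.com>
To: owner@example-limo.com
Subject: Tomorrow's runs

Schedule attached.
"""


def _domain(addr_header):
    """Return the lowercase domain of an address header value, or '' if absent."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def reply_to_mismatch(raw_message):
    """Return (from_domain, reply_to_domain) when the Reply-To domain differs
    from the From domain; return None when they agree or no Reply-To is set."""
    msg = email.message_from_string(raw_message)
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        return (from_dom, reply_dom)
    return None


if __name__ == "__main__":
    for label, raw in (("mismatch", SAMPLE_MISMATCH), ("clean", SAMPLE_CLEAN)):
        print(label, reply_to_mismatch(raw))
```

A mismatch is a signal for a closer look, not proof of fraud: mailing-list and ticketing systems legitimately set a different Reply-To, so the check belongs in training material and mail filtering as one flag among several.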
Creating a global protection and response plan can be overwhelming and is often beyond the scope of a company’s in-house capabilities. Although some tasks may be handled by various vendors, especially technical audits, it is advisable to have the overall process coordinated by a single team. The ideal solution is often to engage an attorney to coordinate and to handle many of the tasks. A law firm can ensure that you are legally protected and also that the work being done under its auspices is covered by the attorney-client privilege in case a lawsuit is filed at some point down the road.

The threat to cybersecurity is always evolving, and authorities are constantly playing defense against criminals highly motivated by financial rewards. Maintaining cybersecurity is not a one-and-done task, and the process of protecting your network is necessarily ongoing. What worked yesterday may well be outdated by tomorrow. While the threat cannot be eliminated entirely, the risk and accompanying financial and legal liability can be dramatically reduced by implementing a dynamic cybersecurity plan. [CD0422]

Gordon Platt is a New York-based attorney with a focus on cybersecurity, privacy, and investigations. He can be reached at gplatt@gordonplattlaw.com.