Answering burning questions from victims of cyber events.
The more I read in the news about cyberattacks, the more I worry about all the information that could wind up in the wrong hands. Social media sites, law firms, and consultancies have a tremendous amount of information about their clients.
Can you provide some tips on how to encourage our employees not to share information via social media? And are there questions I can ask our third-party partners, those who may have access to and retain our information, so we can better understand their cybersecurity practices?
— HIDING IN PLAIN SIGHT
DEAR HIDING IN PLAIN SIGHT:
You raise a great question. The amount of information we trust both in the public domain as well as with trusted third parties is astounding. Social media aside, sharing information with trusted third parties is sometimes mission-critical for the success of the business. Law firms and consultancies can have access to vital company intellectual property like documents for pre-patent filings, non-public information, and competitive pricing information. Losing control of data in these categories can significantly impact a business’ ability to operate competitively. In some instances, they may be forced to close.
While social media is different, it has similarities. Individuals’ information, while not detrimental to the direct performance of a company, can still impact business success. Tweeting raw remarks, sharing misinformation, and even listing personal details in a profile can affect both the perception of the company as well as provide ammunition for a threat actor to leverage. Both situations present their own set of unique challenges.
Social media entanglement
Facebook, for example, contains information on billions of individuals. While some profiles are more complete than others, Facebook also gathers information on your web browsing and purchasing habits.
In 2018, Facebook along with Cambridge-Analytica entered serious hot water with both the U.S. and U.K. government agencies for each of their roles in the exposure of millions of users’ personal information. Cambridge-Analytica used the information to build profiles of the users and evaluate their political allegiances. Unfortunately, none of the users were aware that a third party was accessing their information.
While the Facebook/Cambridge-Analytica event was focused on aiding business, the cybersecurity and intelligence community has long scrutinized social media, viewing it as a treasure trove of information that threat actors can misuse. If someone willingly displays their personal information, a malicious threat actor can easily exploit it, for example, by crafting a spear-phishing email, building a password dictionary based on profile keywords, or even impersonating the individual. People can be very creative. If given access to information and an unlimited amount of time to make use of it, they can achieve both good and bad use cases.
Facebook isn’t the only social media site to be considered a security threat. At one point, Grindr was identified as a national security threat by the U.S. government. LinkedIn has tons of professional history that threat actors could leverage for illicit gain. Spokeo found itself entangled in a lawsuit about the collection and aggregation of personal information. Social media, if not controlled, can lead to severe challenges with protecting remote access and cloud accounts.
Third parties can be anyone: temporary contractors, outsourced IT, legal teams, PR teams, or even specialized consultants. Typically, these third parties have specialized knowledge, and businesses hire them to help solve both simplistic (staff augmentation) and complex (bankruptcy restructuring or monitorship) issues.
These third parties are provided access to all the information they need to complete their assignments. For example, legal teams often use external law firms to assist with complex legal challenges. These external law firms gain access to company financials, personnel information, benefits information, or non-public data. Additionally, they may copy this information from the business’ network to their own. Data transfer is not exclusive to the law firm relationship; any third party can transfer data with pre-approved consent from the business.
Again, many law firms and consultants transfer data to their own networks to perform their analyses and provide recommendations. The challenge is how to verify and enforce adequate protection of the information after it leaves the business’ control.
Many companies rely on a contractual agreement that lists out specific information or cybersecurity provisions. For example, it could include the use of encryption to protect information in transit, notification if a breach is detected or suspected (potentially involving their data), and adherence to applicable security rules and regulations based on both the data type and physical location of the data. Remember, contractual obligations are negotiable; laws and regulations are not. Disclaimer: I am not an attorney, and this is not legal advice. Consult a legal professional for actual guidance.
The professional services industry is not immune to cyberattacks
Both law firms and consultancies have been victims of cyberattacks. Arete incident response (IR) personnel have responded to thousands of cyberattacks to companies across all industries, with one-third of all cases in professional services and 10% in legal services.
Business email compromise (BEC) and ransomware cyberattacks total 89% of the matters that Arete has investigated, with ransomware edging slightly higher at 47%. Unfortunately, neither investigation is better to encounter.
Of the BEC victims, 60% of the investigations led to data breach analysis. This is the process of detecting, identifying, and qualifying specific data types within a data set that a threat actor may have accessed or exfiltrated. Data exfiltration is the process by which an unauthorized user transfers data outside the possession of the company. Here, the legal team determines which types of covered information the threat actor accessed (think HIPAA, credit card numbers, social security numbers) and subsequently, prepares a notification list to inform the regulators and individuals. Sixty percent is substantial, and that number will continue to rise.
By contrast, victims within the legal services profession who experienced a ransomware attack have opted to forego data breach analysis when threat actors exfiltrate their data sets. Instead, they choose to notify all their clients. In 95% of those investigations, Arete IR identified with high confidence the data set that was exfiltrated. During these situations, the victim already knew the data types contained within the data set and was able to work with their external legal teams to build a notification and public relations strategy instead of incurring additional costs with data breach analysis.
Cyberattacks and data breaches are expensive
The actual cost of a breach is extremely hard to calculate due to many factors, including impact to brand and reputation, identity monitoring, cost of professional services, and in some cases, ransom payments. It’s no shock that the ransom demands are growing but having to balance the need to pursue a payment for data recovery in addition to all the other investigative and legal services will certainly and significantly increase costs.
Whether you educate your employees on the importance of social media sharing or perform a cyber breach readiness assessment, each small step can go a long way in hardening your organization’s security posture.
Top tips to enhance a cybersecurity program
- Obtain cyber insurance.
- Replace traditional antivirus with a behavioral-based endpoint detection and response (EDR) solution.
- Secure backups.
- Leverage the 3-2-1 strategy: three (3) copies of data, including your production files; two (2) copies backed up to different media; and one (1) copy stored off-site.
- Store backups offsite or within a segmented network.
- Test backups and your restoration team often.
- Strengthen remote access by enforcing virtual private network (VPN) connectivity with multifactor authentication (MFA).
- Plan for downtime to maintain business operations without technology.
- Perform a security assessment.
- Perform a phishing exercise on top executives and their assistants using information from social media sites, resumes, and other publicly available information.
- Implement or enhance end-user awareness training with specific modules focused on social media.
- Limit sharing of data with third parties to only necessary information.
- Provide encrypted loaner laptops to third parties for access to the information.
- Leverage secure transfer sites or data rooms that allow editing in place; limit the ability to download from the data room.
- Leverage contractual clauses to protect data, agree to methods for securely storing data, destruction of data, and notification in the event of a breach.
Arete IR Director Stephen Ramey is here to answer burning questions from victims of cyber events. If you have a question, please don’t hesitate to reach out at DearRamey@areteir.com. Arete wants to help by sharing our insight and experience.