If you work at a typical company, employee actions and inadvertent disclosures present the greatest threat to the security of your data. Therefore, providing proper training and technical safeguards is one of the most important means to enhance your company’s security profile.
In BakerHostetler’s newly released 2018 Data Security Incident Response Report, we assisted our clients with over 560 incidents, more than a third of which stemmed from phishing incidents in which an employee was tricked by an email message into providing access credentials to an unauthorized party, visiting a phony website, downloading an infected document or clicking on a link that installed malware. Other sizeable incident types also involved employee errors: 17 percent of incidents were inadvertent disclosures and 11 percent were due to stolen or lost devices.
Because people are fallible, training is not enough. Technological safety nets are needed. Companies should consider implementing the following data security measures, which can make it more difficult for criminals to succeed with attacks that prey upon employee vulnerabilities:
Employee Training and Education
- Conduct regular phishing training, including test phishing campaigns. Routine tests aid in identifying employees who need additional training. They also keep security at the forefront of awareness for all employees.
- Educate employees not to give out their login credentials and not to reuse the same credentials across multiple sites or services.
- Teach employees to never take an email from an ostensibly familiar source at face value. Users should test a link by hovering their cursor over it to reveal the web address (URL). Employees should think twice before opening a link or attachment from the CEO or an HR executive, as phishing emails are often spoofed to appear as coming from an executive.
- Instruct employees to use an independent verification method when confirming wire transfer instructions or when providing sensitive information such as W-2s. This practice is particularly important during tax season.
- Implement multifactor authentication (MFA) for remote access to any part of the company’s network or data. MFA is not only a best practice, but it is also increasingly seen by regulators as an expected practice.
- Disable Remote Desktop Protocol (RDP) on all Internet-facing systems. RDP is among the most common entry points for ransomware attacks, with administrator credentials often compromised through brute-force attacks.
- Implement a process whereby external emails are clearly identified. Email marking serves as a visual clue to remind employees to be cautious. Marking can also assist in identifying phishing emails designed to appear as though they came from a company executive.
- Require complex passwords and a password change at least every 90 days.
- Remove administrative rights from normal users and limit the number of accounts with administrative privileges. Do not allow users to share administrator accounts or to use an administrator account for their personal work.
- Implement and monitor a software patch management system that requires critical patches to be installed promptly.
- Segregate subnetworks that contain valuable data from other parts of the network. Also, routinely investigate the types of sensitive data maintained and determine if the data is business-necessary. It is not uncommon for a security incident to involve sensitive information that no longer has a business purpose at the time of the incident.
- Utilize threat intelligence and endpoint protection tools that use reputational searches and behavioral patterns.
- Enable encryption requirements for documents and systems that contain sensitive information.
- Disable auto-forwarding capabilities. Forwarding rules are routinely used by attackers to conceal their actions and to engage in wire-fraud, W-2 phishing and other scams with a compromised account.
In addition to the above training and safeguards, companies should enable logging on email and other systems that contain sensitive data. Logging should be retained for at least one year, preferably longer. In many security incidents, the existence of logging is crucial to determining an attacker’s actions and to limiting notifications to information that is known to have been accessed or acquired without authorization.
Finally, consider one common fact pattern that BakerHostetler witnessed repeatedly this year and which could have been avoided — or at least minimized — through proper training and technical safeguards.
- A company utilizes web-based email access but has not enabled multifactor authentication.
- A company employee receives an email from a trusted client. In reality, the email was sent by an attacker who had gained access to the client’s email system. The employee clicks on a link in the email and enters his credentials when prompted. The link fails to open and the busy employee moves on to other tasks.
- Armed with the email credentials, the attacker quickly begins searching for invoices, client lists and wire transfer information within the email account.
- The attacker sets up forwarding rules so that all email communications to and from a client target are concealed from the compromised employee. The attacker also sets up an auto-forwarding rule to send copies of email traffic to his personal account.
- The attacker emails several clients found to have pending invoices, instructing them to direct payment to a new bank account that the attacker owns. The emails come from the actual account of the company employee and are carefully designed to use the same language the attacker found in other emails in the employee account.
- The company’s clients respond via email to confirm that the new wire instruction is accurate. The clients do not know it, but they are communicating with the attacker. The emails are never seen by the employee, as they are auto-routed to a hidden folder.
- The clients comply with the attacker’s request and send payment to the new bank account. The attacker immediately withdraws all of the funds from the account except for a small amount to avoid suspicion.
- Several weeks later, the company’s accounts payable group contacts the clients to inquire about the outstanding invoices. The clients report that they did make the payments — to the “new account” the company’s accounting staff had provided.
- The company inquires with the bank and FBI but learns that the payments cannot be recovered. With the assistance of privacy counsel, the company also investigates what sensitive information may have been accessed or acquired by the attacker that could create a notification obligation.
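The concealment step in this scenario (and the auto-forwarding rules discussed in the safeguards above) leaves a trace in the mailbox's own rule list, which is where a defender can look for it. The following audit script is an added example, not part of the BakerHostetler report; the rule records, field names, the internal domain and the list of "hidden" folders are constructed assumptions rather than any mail platform's schema.

```python
# Added example: audit mailbox inbox rules for the concealment pattern above.
from dataclasses import dataclass, field
from typing import Dict, List, Optional
INTERNAL_DOMAIN = "example.com"  # assumption: the company's own mail domain
# Folders users rarely open, so mail moved there goes unseen (assumed list)
SUSPECT_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                   "archive", "deleted items"}
@dataclass
class InboxRule:
    mailbox: str
    name: str
    from_contains: List[str] = field(default_factory=list)  # sender filter
    forward_to: List[str] = field(default_factory=list)     # forward targets
    move_to_folder: Optional[str] = None
    mark_as_read: bool = False
    enabled: bool = True

def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)
def audit_rule(rule: InboxRule) -> List[str]:
    """Return findings for one rule; an empty list means nothing suspicious."""
    findings: List[str] = []
    if not rule.enabled:
        return findings
    external = [a for a in rule.forward_to if is_external(a)]
    if external:  # the auto-forward the article says to disable
        findings.append("forwards mail to external address(es): " + ", ".join(external))
    folder = (rule.move_to_folder or "").lower()
    if rule.from_contains and folder in SUSPECT_FOLDERS:
        findings.append(f"hides mail from {rule.from_contains} in '{rule.move_to_folder}'")
    if rule.mark_as_read and folder in SUSPECT_FOLDERS:
        findings.append("marks the hidden mail as read, so no unread indicator appears")
    return findings
def audit_mailboxes(rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Map each mailbox to its findings; mailboxes with none are omitted."""
    report: Dict[str, List[str]] = {}
    for r in rules:
        for f in audit_rule(r):
            report.setdefault(r.mailbox, []).append(f"rule '{r.name}': {f}")
    return report

SAMPLE_RULES = [  # constructed: one compromised mailbox (ap@) and one benign (bob@)
    InboxRule("ap@example.com", "Client X", ["billing@clientx.test"],
              move_to_folder="RSS Feeds", mark_as_read=True),
    InboxRule("ap@example.com", ".", forward_to=["drop@freemail.test"]),
    InboxRule("ap@example.com", "News", ["news@vendor.test"], move_to_folder="Newsletters"),
    InboxRule("bob@example.com", "Mobile", forward_to=["bob-mobile@example.com"]),
]
```

Run against rules exported from the real mail platform (and re-run on a schedule), the report gives the accounts-payable mailbox's two concealment rules while leaving the benign newsletter and internal-forward rules alone.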
Unfortunately, this scenario is far from hypothetical. It has been repeated many times in 2017 and will likely continue to be repeated throughout 2018 and beyond. By implementing proper training and technical security measures, companies can make it more difficult for criminals to succeed with this and other attacks that prey upon employee vulnerabilities.