Hackers delight in targeting U.S. companies during the holiday season, triggering a year-end spike in cyber-attacks, with Carbon Black reporting a 57.5 percent increase in attempted cyber-attacks during past holiday seasons. This year we can expect that threat actors across the globe will remain online throughout the holiday season, looking to capitalize on the distraction of the holidays and the increased internet traffic that comes with online holiday shopping.

Accordingly, now, more than ever, companies should remain alert to the possibility of a cyber-attack on their information systems, especially ransomware attacks, which have more than doubled this year alone according to McAfee Labs. The FBI has also gone so far as to issue a private bulletin to automotive companies warning of “a wide range of cyber threats and malicious activity in the near future,” according to an FBI report obtained by CNN. The FBI indicates that cyber-attacks “have resulted in ransomware infections, data breaches leading to the exfiltration of personally identifiable information, and unauthorized access to enterprise networks.” 

RECOMMENDATIONS FOR MITIGATING RISKS

Your business may be subject to data privacy and security laws like the New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies (23 NYCRR § 500 et seq.), the Health Insurance Portability and Accountability Act (45 C.F.R. § 160.103), the EU’s General Data Protection Regulation ((EU) 2016/679), and soon the California Consumer Protection Act (Cal. Civil Code § 1798.100 et seq.). These laws and regulations require reasonable security procedures and in some cases, specific methods and processes to safeguard corporate data. Even if your organization is not subject to geographic or industry requirements, it should consider these steps to help manage and mitigate risk:

Personnel Training: Threat actors frequently play a numbers game. They bank on the fact that in any organization, regardless of size, any one employee could click on a phishing email, and it only takes one human error to bring the system down. As such, it is a good time to remind your employees to be cautious of potential phishing emails and questionable websites, particularly during the holiday promotional season. Employees should be reminded to not open any suspicious emails, or links or attachments contained therein, and they should immediately report these attempts to IT. If one employee receives such a phishing email, chances are hackers are also targeting other employees.

Observe Least-Access Principles for All Accounts: Where a privileged (administrator) account is compromised, it is easier for threat actors to move around your system. Especially for privileged accounts, any accounts that are not being used should be disabled, and privileges should only be provided to users as necessary to carry out their job responsibilities.

Use Enhanced Authentication Where Available: Everyone has heard about using complex passwords, but multifactor authentication (MFA) can serve as a speed bump—or even a roadblock—to threat actors. MFA is based on a conventional login, plus something that only the user possesses (a hard or soft token, access to a particular mobile device, etc.). MFA should be a consideration for all users but especially for privileged accounts—where enterprise security needs could outweigh the cost and the slight additional inconvenience during login.

Maintain Separate Backups: A key defense to a ransomware attack is to have a viable backup of your company’s systems at the ready. This defense can be enhanced by having backups that are isolated so that threat actors cannot easily reach them. Companies should test their backups and ensure that if their systems become infected they can fully restore without the risk of data loss. A backup is worthless if it is also encrypted by the ransomware.

Update and Patch Your Computer Systems: Continuing to update the software and operating systems of those devices connected to your company’s network is an effective way of preventing most attacks, as malware will often target those applications or operating systems that are out of date. This also applies to endpoint protection, which should be kept up to date.

Dykema’s Global Privacy and Data Security Team is available 24/7 to assist your organization with any security incident response needs, as well as risk management and training.



As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2019 Dykema Gossett PLLC.

Cinthia Granados Motley

Cinthia Granados Motley is the Director of Dykema’s Global Data Privacy and Information Security practice group. She has an active national and international practice assisting clients implement effective information security practices, address current and emerging regulatory compliance issues, including cross-border data transfer and information governance, as well as litigation readiness and regulatory inquiry matters. She routinely acts as incident response counsel to national and multi-national entities, as well as privacy litigation counsel. In her litigation practice, Cinthia handles consumer and privacy litigation, international contract disputes, directors and officers liability, ERISA, e-discovery and professional liability matters. She routinely counsels clients in complex commercial disputes both domestically and abroad.

Dante A. Stella

Dante Stella is a creative, logical, and efficient problem solver who focuses his practice on litigation and investigations that involve challenging legal, factual, and data management issues. He also provides non-litigation counseling to clients on information lifecycle management, information infrastructure, and electronic discovery readiness planning.

Matthew M. Dybas

Matthew Dybas is an associate in Dykema’s privacy and data security group. Mr. Dybas’ privacy and data security practice includes advising domestic and international clients on issues of breach response, employee training, risk assessment, policies and procedures, corporate compliance projects and revising services agreements to include adequate privacy and data security protections. Within this realm, Mr. Dybas has notable experience handling compliance matters related to the California Consumer Privacy Act (CCPA), the European Union General Data Protection Regulation (GDPR), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the Illinois Biometric Information Privacy Act (BIPA), the Health Insurance Portability and Accountability Act (HIPAA) and the Telephone Consumer Protection Act (TCPA). He is a Certified Information Privacy Professional (CIPP/US), as certified by the International Association of Privacy Professionals (IAPP), and a member of the Sedona Conference Working Group 11 – Data Security and Privacy Liability.