Hackers delight in targeting U.S. companies during the holiday season triggering a year-end spike in cyber-attacks, with Carbon Black reporting a 57.5 percent increase in attempted cyber-attacks during past holiday seasons. This year we can expect that threat actors across the globe will remain online throughout the holiday season, looking to capitalize on the distraction of the holidays and the increased internet traffic that comes with online holiday shopping.
Accordingly, now, more than ever, companies should remain alert to the possibility of a cyber-attack on their information systems, especially ransomware attacks, which have more than doubled this year alone according to McAfee Labs. The FBI has also gone so far as to issue a private bulletin to automotive companies warning of “a wide range of cyber threats and malicious activity in the near future,” according to an FBI report obtained by CNN. The FBI indicates that cyber-attacks “have resulted in ransomware infections, data breaches leading to the exfiltration of personally identifiable information, and unauthorized access to enterprise networks.”
RECOMMENDATIONS FOR MITIGATING RISKS
Your business may be subject to data privacy and security laws like the New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies (23 NYCRR § 500 et seq.), the Health Insurance Portability and Accountability Act (45 C.F.R. § 160.103), the EU’s General Data Protection Regulation ((EU) 2016/679), and soon the California Consumer Protection Act (Cal. Civil Code § 1798.100 et seq.). These laws and regulations require reasonable security procedures and in some cases, specific methods and processes to safeguard corporate data. Even if your organization is not subject to geographic or industry requirements, it should consider these steps to help manage and mitigate risk:
Personnel Training: Threat actors frequently play a numbers game. They bank on the fact that in any organization, regardless of size, any one employee could click on a phishing email, and it only takes one human error to bring the system down. As such, it is a good time to remind your employees to be cautious of potential phishing emails and questionable websites, particularly during the holiday promotional season. Employees should be reminded to not open any suspicious emails, or links or attachments contained therein, and they should immediately report these attempts to IT. If one employee receives such a phishing email, chances are hackers are also targeting other employees.
Observe Least-Access Principles for All Accounts: Where a privileged (administrator) account is compromised, it is easier for threat actors to move around your system. Especially for privileged accounts, any accounts that are not being used should be disabled, and privileges should only be provided to users as necessary to carry out their job responsibilities.
Use Enhanced Authentication Where Available: Everyone has heard about using complex passwords, but multifactor authentication (MFA) can serve as a speed bump—or even a roadblock—to threat actors. MFA is based on a conventional login, plus something that only the user possesses (a hard or soft token, access to a particular mobile device, etc.). MFAs should be a consideration for all users but especially for privileged accounts—where enterprise security needs could outweigh the cost and the slight additional inconvenience during login.
Having Separate Backups: A key defense to a ransomware attack is to have a viable backup of your company’s systems at the ready. This defense can be enhanced by having backups that are isolated so that threat actors cannot easily reach them. Companies should test their backups and ensure that if their systems become infected they can fully restore without the risk of data loss. A backup is worthless if it is also encrypted by the ransomware.
Update and Patch Your Computer Systems: Continuing to update the software and operating systems of those devices connected to your company’s network is an effective way of preventing most attacks, as malware will often target those applications or operating systems that are out of date. This also applies to endpoint protection, which should be kept up to date.
Dykema’s Global Privacy and Data Security Team is available 2/47 to assist your organization with any security incident response needs, as well as risk management and training.
To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.
As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2019 Dykema Gossett PLLC.