Cybersecurity After WannaCry

By Anthony McFarland
July 02, 2017

Businesses and individuals are bombarded daily with information about new cybersecurity threats and data privacy risks, and the deluge of recommended actions and products to reduce exposure to those dangers and mitigate cyber event losses can be overwhelming. However, after the May 2017 WannaCry ransomware outbreak spread to over 10,000 organizations and individuals in more than 150 countries, it is clear that businesses across industries have no choice but to spend time and resources digesting and culling through this barrage. WannaCry victims included organizations holding highly sensitive information: banks, telecommunications companies and even healthcare providers such as the UK's National Health Service, where infected hospital systems disrupted patient care.

With in-house counsel at the helm, corporate boards, senior management and information services departments must keep up-to-date on cybersecurity regulatory standards and recommendations. In addition to the expansive cybersecurity guidelines published by the National Institute of Standards and Technology (NIST), important industry-specific guidance or requirements are frequently published by numerous acronym agencies and organizations, including the SEC, CFPB, FTC, FCC, FDA and more.

Staying ahead of the information wave and regulatory assault, and at least current on appropriate responses, is a monumental assignment.

While the WannaCry ransomware attack is a pointed reminder of the importance of investing in data security, businesses of all types are wondering what they reasonably can do to protect themselves, and where to begin. Many authors have provided lists of prudent breach prevention and response steps a company can take to diminish the risk of cyberliability. Other resources, including publications and notices from the American Bankers Association, American Bar Association, American Hospital Association and other industry governing bodies, offer vital cybersecurity advice, and afford businesses important announcements of cyber risks and cybersecurity developments. Among numerous others, best practices include:

  • Adoption of security policies and procedures;
  • Preparation of an incident response plan;
  • Enforcing strong passwords (note that NIST SP 800-63B, issued in June 2017, now favors long passphrases screened against lists of known-breached passwords over complexity rules and scheduled rotation);
  • Mandating multi-factor authentication;
  • Implementing mobile device management; and
  • Obtaining cyberliability insurance.

Yes, a comprehensive cybersecurity program is very important for any institution. However, with so much information to digest and so many resources to reference, attempting to review and prioritize countless cybersecurity practices can lead to analysis paralysis. This is particularly likely for businesses without established information technology departments containing trained and dedicated cybersecurity personnel.

To tackle the seemingly overwhelming task of putting together a program, I recommend that companies adopt a simplified four-step starter plan: Train. Maintain. Test. Repeat.

1. Train

A large share of cyber incidents in an organization begin with social engineering: the attacker persuades a user to open an attachment, follow a link or hand over credentials, and the user's action, not a technical flaw, provides the entry point. The most prominent threats to companies continue to be phishing and, especially, spear phishing scams. There is no substitute for ongoing cybersecurity training, which should extend from the top of the organization, including general counsel, C-suite officers and senior leadership, to the newest hire. Training should be continuous, beginning with onboarding. Dedicate an individual or group to conduct due diligence on the available training sources and methods and to recommend which to put in place.

Beyond training company employees, practices should be in place to train customers in good cybersecurity hygiene. The benefits of providing concise, practical, and even interesting cybersecurity tips are substantial, even if not measurable. Companies can take advantage of their customer-facing platforms to include privacy tips and guidance, website blurbs, monthly statement inserts, direct mail marketing pieces, email alerts, and social media content. Incorporating best practices for data protection into these existing communications is a low risk/high return activity for cybersecurity improvement.

A growing number of financial institutions even provide a free download of virus/malware prevention software as a part of their online banking programs. While definitely a positive and laudable step, a company should not consider that service a substitute for customer cybersecurity training. Undoubtedly, many customers never download the product, and others will uninstall the program if incompatible with their existing virus protection software.

2. Maintain

The WannaCry attack emphasized that cybersecurity training alone is not enough. WannaCry did not arrive as a typical phishing attack; it spread from machine to machine on its own by exploiting a flaw in the Windows SMBv1 file-sharing service, and Microsoft had published the fix for that flaw (security bulletin MS17-010) in March 2017, two months before the outbreak. Organizations could have avoided, or at least contained, the ransomware by applying updates and patches promptly as they become available, by disabling SMBv1 where it is not needed, and by blocking inbound TCP port 445 at the network perimeter. The clearest illustration of the dangers of outdated software comes out of East Asia. On May 15, The New York Times reported that WannaCry was especially damaging in China, home to the world's largest group of Internet users. According to the Times, a 2016 study found that over half of the software installed on Chinese computers was unlicensed and therefore was not receiving Windows security updates.
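The patch-hygiene point above can be checked on a single host. The PowerShell script below is an added example, not code from the article or from any vendor; it reports whether a Windows machine still has the SMBv1 server enabled and whether one of the MS17-010 updates is installed. The KB numbers are the ones Microsoft listed in the MS17-010 bulletin for each Windows version and are an assumption to confirm against the bulletin for the exact builds in your environment; everything else uses standard cmdlets (Get-HotFix, Get-SmbServerConfiguration, Get-ItemProperty) and requires PowerShell 3.0 or later.

```powershell
# Added example (not from the article): audit one Windows host for the two conditions
# WannaCry relied on, an enabled SMBv1 server and a missing MS17-010 update.
# Run in an elevated PowerShell 3.0+ session on Windows 7 SP1 / Server 2008 R2 or later.
# Assumption: these are the MS17-010 update IDs Microsoft listed per OS family in the
# March 2017 bulletin; confirm them against the bulletin for your exact builds.
$ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 SP1 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Get-Smb1ServerEnabled {
    # Windows 8 / Server 2012 and later expose the setting through the SMB cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: SMBv1 is on unless the LanmanServer SMB1 value is set to 0.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value  = Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $value) -or ($value.SMB1 -ne 0)
}

function Get-Ms17010Status {
    $hotfixes   = Get-HotFix
    $matched    = @($hotfixes | Where-Object { $ms17010Kbs -contains $_.HotFixID })
    $newest     = $hotfixes | Where-Object { $_.InstalledOn } |
                  Sort-Object InstalledOn -Descending | Select-Object -First 1
    $newestDate = if ($newest) { $newest.InstalledOn } else { $null }
    $smb1On     = Get-Smb1ServerEnabled

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OSVersion        = [System.Environment]::OSVersion.Version.ToString()
        Smb1ServerOn     = $smb1On
        Ms17010KbPresent = ($matched.Count -gt 0)
        MatchedKb        = (@($matched | ForEach-Object { $_.HotFixID }) -join ', ')
        NewestUpdateDate = $newestDate
        # Worth a closer look when SMBv1 is still on and no MS17-010 update is listed.
        # On Windows 10 a later cumulative update supersedes the March 2017 KB and hides it
        # from Get-HotFix, so compare OSVersion with the bulletin's fixed build before acting.
        NeedsReview      = $smb1On -and ($matched.Count -eq 0)
    }
}

Get-Ms17010Status | Format-List
```

Where the report shows SMBv1 enabled and nothing on the network still needs it (legacy scanners and old NAS devices are the usual reasons it does), turn it off: on Windows 8 / Server 2012 and later with Set-SmbServerConfiguration -EnableSMB1Protocol $false, and on current client builds with Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol. A host-by-host check like this is a spot test, not a patch program; the program is the scheduled deployment plus a report of this kind proving the update actually landed.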

Within the work environment, a website that employees routinely visit from inside the company network, including the company's own site, is an attractive target for a “watering hole attack,” in which an attacker plants malicious code on the site in order to infect visitors' computers and, from there, gain access to the network. A distributed denial of service (DDoS) attack on an organization's website is destructive in a different way: it makes the site inaccessible to customers, which even at best leaves a reputational black eye. Keeping the web platform patched and keeping firewalls and intrusion detection systems in place and up to date reduces the chance that a watering hole attack succeeds. A DDoS attack, however, works by exhausting bandwidth or server capacity, so a firewall at the edge of the network cannot stop it; mitigation comes from the hosting or content delivery provider's upstream filtering, arranged and tested before it is needed.

3. Test

There are a number of valuable methods to test an organization's cybersecurity program. The most common is penetration testing (“pen testing”), in which a third party is engaged to attempt to gain unauthorized access to the computer network, typically from outside the organization; an internal test, which starts from the position of an attacker already on the network (a compromised workstation or a malicious insider), is equally worthwhile. Businesses should seriously consider undergoing a pen test on a regular, perhaps annual, basis and after any major change to the environment. Testing should also extend to an institution's public-facing applications, which are often overlooked as an avenue for intrusion or infection.

Beyond vendor testing, businesses are encouraged to run their own internal testing, such as vulnerability scanning, patch verification and configuration review, on a more frequent interval. Because the organization's systems analysts and network administrators are the most familiar with its systems and network, they are well placed to detect security issues, though that same familiarity brings blind spots, which is why third-party testing remains necessary. In addition, ongoing “table-top” exercises, in which the team walks through a simulated incident step by step, can help pinpoint potential weaknesses in both systems and procedures and educate technology associates on cybersecurity risks.

As an added bonus, the technology team will receive a boost of confidence in their individual and collective abilities to spot cyber threats before they become cyber events. Vacations occur, illnesses happen, and cell phone batteries die. To ensure that internal tests simulate real-world conditions, include scenarios where certain personnel are unavailable.

In addition to training programs and tests, organizations periodically should send simulated phishing lures to their own personnel, interns and CEO alike. Companies tend to be pleasantly surprised at the low number of employees who click the simulated malicious link or open the mock attachment, and those who do fall for the exercise learn an invaluable lesson about healthy skepticism. Either way, the periodic testing raises cybersecurity awareness throughout the organization, and the results (who clicked, and who reported the message) show where to target training.

4. Repeat

Training, maintaining and testing are not boxes to be checked off or one-time activities. Organizations must train, maintain and test on an ongoing basis as a part of a continuous and enhanced cybersecurity program.

Conclusion

Corporate counsel who understand cyber risk and mitigation measures are in a prime position to ensure that leadership at all levels communicates and reinforces that message throughout the company.

*****
Anthony (Tony) McFarland is a partner in the Nashville office of Bass, Berry & Sims. Reach him at [email protected].
