The first 24 hours: data breach checklist for legal and compliance

By: Nate Latessa, Vice President of Corporate Services

Every 11 seconds this year, a business will experience a ransomware attack, according to a projection by Cybersecurity Ventures. Back in 2016, the frequency was about every 40 seconds.

Cyberattacks were burgeoning even before COVID-19. The surge in remote work during the pandemic has only opened up more cybersecurity vulnerabilities and increased opportunities for hackers.

The good news is that there are concrete steps your organization can take to prepare for a breach and to limit the damage when one occurs.

Innovative Discovery recently convened a panel of cybersecurity experts to discuss how companies can enhance their preparedness, response, and mitigation in the event of a breach.

What are the ways business email compromises occur?

One of the most common ways to compromise business email accounts is phishing. In a nutshell, an attacker sends an email purporting to be from someone you know or a company you have done business with and tries to trick you into clicking a link or opening an attachment.

Phishing leads to a data breach in one of two ways: the link takes you to a malicious website built to harvest your credentials, or the link or attachment delivers malware.

These emails prey on the human tendency to be helpful and to follow instructions that appear to come from someone in authority.

Sender impersonation is a closely related social-engineering tactic. The threat actor sends email from an address that resembles one you know but differs slightly, for example a look-alike domain with a swapped, missing or extra character, or a display name that matches a colleague's while the underlying address is attacker-controlled. You open the message and provide the information it requests because you believe you know the sender.

Another way attackers get into email accounts is credential stuffing: they take username and password pairs exposed in earlier breaches of other services and replay them against your accounts. If you reuse a password across services, a breach at any one of them hands the attacker your email login as well.

You can prevent this kind of compromise by using a unique password for every service and enabling multi-factor authentication (MFA) on email. If you tend to gravitate toward the same passwords, consider a password manager; most will flag a password that is already in use for another site, and some can check stored passwords against known breach corpora.
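The two defenses in the paragraph above can be checked mechanically. The script below is an added example, not code from this page or from Innovative Discovery: it scans a password-vault export for passwords used on more than one service and checks each password against a breach corpus using a k-anonymity range lookup, in which only the first five hex digits of the SHA-1 hash are sent to the lookup and the suffix comparison happens locally. The vault entries, the breach list and the `range_lookup` function standing in for a remote service are all constructed for illustration; the page contains no such data.

```python
"""Audit a password-manager export for reused and already-breached passwords."""
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed vault export (service, username, password). Placeholder data for
# this example only; the page contains no such records.
VAULT: List[Tuple[str, str, str]] = [
    ("mail.example.com", "jane", "Winter2020!"),
    ("vendor-portal.example.net", "jane", "Winter2020!"),
    ("hr-system.example.org", "jane", "correct horse battery staple"),
    ("bank.example.com", "jane", "xK9#pLm2$vQ7wZ"),
]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest form range lookups are keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus, indexed the way k-anonymity range lookups work:
# the client sends only the first five hex digits of SHA-1(password) and gets
# back every suffix in that bucket, so the full hash never leaves the machine.
# (Assumption: this mirrors the range-query design used by public breached-
# password services; the page does not name one.)
_KNOWN_BREACHED = ["Winter2020!", "password123", "letmein"]
RANGE_DB: Dict[str, Dict[str, int]] = defaultdict(dict)
for _pw in _KNOWN_BREACHED:
    _digest = sha1_hex(_pw)
    RANGE_DB[_digest[:5]][_digest[5:]] = 1  # suffix -> times seen in breaches


def range_lookup(prefix: str) -> Dict[str, int]:
    """Local stand-in for the remote range endpoint (returns suffix -> count)."""
    return dict(RANGE_DB.get(prefix, {}))


def is_breached(password: str) -> bool:
    """True if the password's hash suffix appears in its 5-hex-digit bucket."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def find_reused(vault: List[Tuple[str, str, str]]) -> List[List[str]]:
    """Groups of services that share one password.

    Group on a SHA-256 digest rather than the plaintext so the grouping key is
    not itself a password that could leak into logs.
    """
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for service, _user, password in vault:
        key = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_hash[key].append(service)
    return sorted(services for services in by_hash.values() if len(services) > 1)


def audit(vault: List[Tuple[str, str, str]]) -> Dict[str, list]:
    """Run both checks; any hit means that account needs a new, unique password."""
    return {
        "reused": find_reused(vault),
        "breached": [service for service, _user, pw in vault if is_breached(pw)],
    }


if __name__ == "__main__":
    report = audit(VAULT)
    for group in report["reused"]:
        print("same password on:", ", ".join(group))
    for service in report["breached"]:
        print("breached password on:", service)
```

Swapping `range_lookup` for an HTTP call to a real range endpoint keeps the same privacy property: the service only ever sees a five-character prefix shared by hundreds of unrelated passwords.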

A less common route into email is theft of a physical device. If a laptop or phone was not properly secured (screen lock, full-disk encryption, no credentials cached in plain text), the thief can get into the device and use the data and saved credentials on it.

Who at the company is the most vulnerable to business email compromise, and what signature vulnerabilities are exploited for these targets?

Vulnerabilities depend largely on the hacker’s objectives and the nature of the target. Let’s say the objective is to get someone to wire money to a place where it shouldn’t be going. The hacker, or threat actor, might target the accounts payable department in hope that the proper protocols aren’t in place or that the clerical staff doesn’t follow protocol because the request looks legitimate.

Businesses with overseas vendors or customers, where email from other countries is routine, might not find it suspicious if a contact in Thailand asked to change the wire instructions so that the money goes to Vietnam.

In other cases, threat actors take over, or convincingly spoof, a CFO's email account so that they can send authoritative-looking messages to other employees and extract information from them. The threat actor might instruct an employee to send money somewhere and hope there is no secondary check to confirm that the request makes sense.

Another scheme targets the human resources department, which holds personally identifiable information (PII) and protected health information (PHI) regulated under HIPAA. The threat actor sends email from a doppelganger account, one whose display name and domain closely mimic a real HR address, as a way to harvest other employees' email credentials.

Other tactics to watch for are urgent requests for invoice payment sent to accounts payable and bogus emails purporting to come from a regulator or compliance function.
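Both the look-alike sender addresses described earlier and the HR doppelganger accounts above can be caught by one check: normalize the sender's domain so that visually similar characters collapse to a single form, then compare it against the organization's list of trusted domains, and separately flag a Reply-To that points somewhere other than the From domain. The script below is an added example, not code from this page or from Innovative Discovery. The trusted-domain list, the sample headers and the small confusable table are constructed for illustration; a real deployment would load the full Unicode confusables data and the organization's actual domain list.

```python
"""Flag sender addresses whose domain merely looks like a trusted one."""
import unicodedata
from email.utils import parseaddr
from typing import Optional

# Constructed allow-list for this example: the organization's own domain and
# the domains of known vendors. The page names no domains; these are placeholders.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}

# Minimal confusable table: Cyrillic letters that render like Latin ones, plus
# the usual digit-for-letter swaps. A production filter would use the full
# Unicode TR39 confusables data instead of this hand-picked subset.
_CHAR_MAP = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
    "0": "o", "1": "l",
})
_PAIR_MAP = [("rn", "m"), ("vv", "w")]


def skeleton(domain: str) -> str:
    """Collapse visually similar spellings of a domain to one canonical string."""
    domain = domain.strip().lower()
    try:
        domain = domain.encode("ascii").decode("idna")  # punycode xn--.. -> Unicode
    except UnicodeError:
        pass  # already contains non-ASCII (or is malformed); keep as-is
    domain = unicodedata.normalize("NFKD", domain)
    domain = "".join(c for c in domain if not unicodedata.combining(c))
    domain = domain.translate(_CHAR_MAP)
    for pair, single in _PAIR_MAP:
        domain = domain.replace(pair, single)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for typo-squats the confusable table does not cover."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, reply_to_header: Optional[str] = None) -> str:
    """Return 'trusted', 'lookalike', 'reply-to-mismatch' or 'external'."""
    _, from_addr = parseaddr(from_header)
    from_domain = from_addr.rpartition("@")[2].lower()
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        reply_domain = reply_addr.rpartition("@")[2].lower()
        if reply_domain and reply_domain != from_domain:
            return "reply-to-mismatch"  # replies go somewhere the sender is not
    if from_domain in TRUSTED_DOMAINS:
        return "trusted"
    sk = skeleton(from_domain)
    for trusted in TRUSTED_DOMAINS:
        if sk == skeleton(trusted) or edit_distance(from_domain, trusted) <= 2:
            return "lookalike"
    return "external"


# Constructed sample headers (not real messages).
SAMPLES = [
    ("Jane Doe <jane@acme-supplies.com>", None),
    ("Jane Doe <jane@acme-suppIies.com>", None),        # capital I for lowercase l
    ("Jane Doe <jane@acrne-supplies.com>", None),       # r+n for m
    ("CFO <cfo@examp1e.com>", None),                    # digit 1 for l
    ("CFO <cfo@\u0435xample.com>", None),               # Cyrillic e (U+0435)
    ("CFO <cfo@example.com>", "cfo.example@mail.example.net"),  # foreign Reply-To
    ("Support <support@totally-unrelated.net>", None),
]

if __name__ == "__main__":
    for from_hdr, reply_to in SAMPLES:
        print(f"{classify_sender(from_hdr, reply_to):18} {from_hdr}")
```

The edit-distance threshold of 2 is an assumption; on very short domains it will over-flag, so tune it per domain length, and treat "lookalike" and "reply-to-mismatch" as triggers for an out-of-band call before acting on any payment or credential request in the message.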

Should every entity have an incident response plan, and is a plan all you need to be proactively prepared?

Not every business needs a data breach incident response plan. A small company with only a handful of employees might not need one unless it handles highly sensitive data or moves money.

For example, an organization whose function is to distribute funds to farmers in developing nations and to accept donations from corporations and individual donors, all by wire transfer, is high risk.

Larger companies, where more than one person handles core business functions, are at higher risk and probably need an incident response plan, especially once there are so many employees that not everyone knows each other.

A good incident response plan identifies whom to call first, the steps to take in chronological order, and whom else to inform and involve. Keep a printed copy, since online files may be inaccessible during a breach; update it periodically; and store it where it can be found quickly. Include contact details for the company's cybersecurity lawyer, insurance broker, and the other key people who will help with response and mitigation. Put a one-page summary on top, because in an active crisis time is of the essence.

Typically, a company’s lawyer is the first person to call because they can help you understand your next steps and responsibilities. Later, a legal services company like Innovative Discovery can step in and identify the extent of potentially breached data, what information is there, how sensitive it is, and notification requirements.

How can regulatory obligations be made less costly?

Being proactive before crisis strikes can greatly reduce the cost associated with a data breach. Here are our experts’ tips on how to minimize your liability in the event of a breach:

  • Implement strict retention policies so that less material is exposed when a threat actor gets in. Machine learning and AI-assisted classification can help trim live content down to what employees actually need for their work.
  • Minimize or disable automatic email forwarding, especially for executives. Auto-forwards multiply the places a compromised message ends up and create extra work during mitigation, and a forwarding rule to an external address is also a common way an attacker quietly siphons mail out of an account after compromising it, so audit existing rules as well.
  • Monitor activity on your network with AI-powered tools to look for malware and other threats within your organization.
  • Train all of your employees in cybersecurity.
  • Get cyber insurance. Use a broker who understands what a cyber policy should cover, and set up sub-limits for social engineering and phishing losses. Make sure your cyber policy and your premises liability policy do not conflict with each other.

Some of these measures may feel inconvenient, but it is more inconvenient to have to remediate a data breach in which millions of documents were compromised. Having these protocols and procedures in place can reduce your organization’s exposure significantly.

View ID’s webinar on the same topic here.
