2020 was among the worst years on record for cyberattacks and data breaches. Recent data from Risk Based Security revealed that the number of records exposed has increased to a staggering 36 billion in just the first three quarters of 2020.
In this third installment of our Q&A video series focused on “What You Need to Know About Data Privacy and Cybersecurity,” McAfee & Taft attorneys Zach Oubre and Anna Wolfe discuss what businesses can do if they become victims of cybersecurity attacks and discover potential data breaches, and what they should be doing now to help prevent future cybersecurity attacks.
Q: What do I do if my company has been a victim of a cybersecurity attack?
Zach Oubre: The first step is to stop the attack and secure your operations. How you do this depends on the nature of the attack and the systems affected. But in general, you should try to isolate the system that you know is infected, to protect your other data systems. For example, if your HR or accounting data is on a separate database or in the cloud, apart from your other file management systems, and your file management system is what you know has been under attack, do your best to isolate your file management system and to protect your HR and accounting data. Once an attack is contained, it’s easier to eliminate the threat and ascertain what information may have been attacked. Your IT team may be able to help you with these tasks. But you should absolutely consider hiring an independent outside forensic expert to help you determine whether or not you’ve isolated the attack, and what systems and what information were the subject of the attack. Because the only thing worse than one data breach is multiple data breaches that have occurred because you haven’t isolated a threat, or haven’t really fully determined what the threat was.
Q: Is containing and eliminating the attack enough?
Anna Wolfe: No. The second step in responding to a cybersecurity breach is assessing to determine how the attack occurred, and what data, if any, may have been compromised. So, if you’ve hired a forensic firm to assist you in responding to the breach, you’ll work with those experts. What they’re going to do is look at network logs, to the extent possible, to verify the information that was compromised and the number of people that were impacted. Knowing how the attack occurred is critical to ensuring that you have completely eliminated the threat. For example, you want to be able to look for, and completely remove, all of the malware that the attacker might have left. Second, knowing how the attack occurred will ensure that you take steps to prevent a future similar attack from occurring.
Q: If we are subject to a cybersecurity attack, do I need to report the attack to anyone or any governmental agency?
Oubre: That depends. This is the third step in a cybersecurity incident, which is figuring out what your legal obligations are with respect to the information that has been accessed. Federal and state law vary widely as to when an attack requires that a notification be sent to the subject of the information accessed. Every state differs, but in general, unencrypted personal financial or health information is generally going to trigger an obligation to send some type of notification to the person that is the subject of that information. But again, state law varies, and other federal laws may be implicated. So it is important that you consult counsel to figure out what your reporting obligations are. And a company doesn’t necessarily need a formal obligation under law to notify affected individuals. Sometimes business and other PR concerns make it important to let people know what’s happened.
Q: What else should we be doing in responding to a cybersecurity attack?
Oubre: The final, and probably the most important, step in any data security incident is to try to do your best to mitigate the risk of a subsequent attack. This is done by performing a security audit of your networks and computer systems, to try to fix other vulnerabilities in your system that the same attacker or a different attacker might try to use for a subsequent attack. Now, you can get some of this information when you do an assessment of an attack that has been done to you. But it’s important that you look at your entire network, your entire system, and all of your policies to try to mitigate the risk of a follow-up attack. And again, if you have hired a forensic team, work with that team to look at your other systems for malicious code or malware that an attacker may have left behind in a cybersecurity incident, hoping for a second bite at the apple.
Q: What should we be doing now to help prevent a future cybersecurity attack?
Wolfe: There are four pretty low-hanging things that have been identified by experts as best practices that a company should implement to eliminate common causes of data breaches. The first is weak passwords. We know that weak passwords, insecure passwords, are one of the easiest ways for hackers to gain unauthorized access to a protected network. So, it’s important that you have a strong IT policy regarding passwords that requires them to include numbers, letters, characters and capitalization. The second leading cause of a data breach is lack of training and human error: people just not knowing what they shouldn’t be doing. So, routinely train your workforce to know how to identify, and not respond to, a phishing email, where if they click the link, they’re going to install malware on the system. Or, if they get an email from a purported trusted member of the team that instructs them to wire money to an account, that they don’t, because it’s a fraudster, and there are signs that they can look for to identify that it is in fact a fraudster. Or they can confirm in another manner before they actually take that action that cannot be immediately recalled. It is also letting them know when they should not use certain devices for confidential business: not using unencrypted devices, not using data transfer services from unknown sources. The third way to mitigate a common cause of data breaches is to avoid using out-of-date software, or to ensure that you’re patching known network vulnerabilities. For example, Windows 7 is no longer supported by Microsoft, and so, if you’re using Windows 7, you’re exposed to malware. If you want to ensure that you have a system that has the best security for your type of business and for your employees, it’s important to stay up to date on the technology that you’re using. The fourth and final best practice to eliminate common causes of data breaches is to vet your vendors.
It’s become commonplace for a cyber criminal to attack a smaller company that they know works with a larger company in order to gain access to the larger company’s network. What comes to mind is Target, where there was a vendor who had access to their system. That relationship was exploited, and the cyber criminals gained access to Target’s cardholder data. We also know that smaller companies, partners of larger companies, host that information. So, you might have their intellectual property, you might be their payroll company that hosts protected financial information and personally identifying information of those individuals, and those smaller companies might not have the same level of cybersecurity safeguards as those larger companies, so they’ll be low-hanging fruit. So, the best practice, when you’re entering into these vendor relationships, is to determine what those vendors’ cybersecurity practices are, and then also contractually detail what they need to do if they experience a data breach, to avoid that trusted vendor becoming an adversary.
Captioning/transcript provided by Rev.