
Educate Your Employees on Spear Phishing Attacks Now

The latest victim: the White House.  That tells you all you need to know about just how effective spear phishing is as a tactic for infiltrating a computer system.  If the attack is effective against that target, then you had better believe it could happen to your business.  It happens to businesses across the country on a daily basis.  If you haven’t taken this matter seriously, now is the time to do so.  Educate your employees on how criminals employ the tactic.  Educate your employees on what to look for so your business does not become a victim.  Take steps to protect your business before it becomes a victim.  And develop a plan of action to respond if those steps fail.

Why are Criminals Targeting Smaller Businesses for Spear Phishing Attacks?

Simple answer: they are easier targets.  Small companies tend not to have the same IT infrastructure and security that larger companies have in place.  They also tend to have less formal rules and restrictions on employee use of company computers.  This creates an easy target for criminals.

Small businesses have access to information that is just as valuable to hackers as that held by larger companies.  Small businesses often provide services to government agencies or other larger public companies and, as such, have valuable information in their possession or offer a pipeline into these more lucrative targets.

What is “spear phishing?”

Spear phishing is a specific type of cyber attack that appears to be from someone or some company you know.  The target receives an email, often with some information about the individual or business contained in the email such as a person’s name, the company’s phone system, or bank.  Where does that information come from?  The target’s online presence.  Think about how much information is readily available regarding your business and the people working for it.  Do you have a contact page on your website with names and email addresses?

This spear phishing email comes with a ZIP file attached or a camouflaged link to an automatic download.  Sometimes the ZIP file is described as a PDF or other harmless file type.  Click to open the attachment or the link and the target is caught.
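One defender-side check for the two lures just described (a ZIP passed off as a PDF, and a link whose visible text hides its real destination), written here as an added example rather than anything from the original post; the sample message, attachment names, hostnames and byte strings are all constructed:

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
MAGIC = {"zip": b"PK\x03\x04", "pdf": b"%PDF-"}   # signatures of the two types the post names

def attachment_findings(filename, data):
    """Warnings for one attachment: real content type vs. the type its name claims."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    actual = next((t for t, sig in MAGIC.items() if data.startswith(sig)), None)
    findings = []
    if actual == "zip":
        findings.append("archive attachment, review before opening")
    if actual and ext in MAGIC and actual != ext:
        findings.append(f"content is {actual} but the name claims {ext}")
    if len(parts) > 2 and parts[-2] in MAGIC:  # e.g. photos.pdf.zip
        findings.append("double extension hides the real file type")
    return findings

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the anchors in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def camouflaged_links(html):
    """Hrefs whose visible text names a host other than the real destination."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and "." in shown and shown != real:
            flagged.append(href)
    return flagged

SAMPLE_HTML = ('<p>Review the attached invoice at <a href="http://yourbank.example.net/login">'
               'www.yourbank.com</a> or <a href="https://www.yourbank.com/help">click here</a>.</p>')
SAMPLE_ATTACHMENTS = [("Invoice.pdf", b"PK\x03\x04" + bytes(16)),      # constructed samples
                      ("statement.pdf", b"%PDF-1.4\n"), ("photos.pdf.zip", b"PK\x03\x04")]
```

Run `camouflaged_links(SAMPLE_HTML)` and `attachment_findings(name, data)` over `SAMPLE_ATTACHMENTS`: the first link and the first and third attachments are flagged, the genuine PDF is not.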

What happens after you’re caught?

It depends.  Some attacks are passive, meaning the hackers are simply accessing your computer system to observe and acquire information.  There is at least one case where the hackers had access to a company’s system for over a year before anyone noticed! Hackers can monitor passwords and company activity.  This can affect individual employees accessing personal accounts from work as well as the company.  If the employee types in ID and password information to access a personal or business bank account, the hacker now has that information.  Think about the potential exposure of your company’s trade secrets too.

Some attacks are active, meaning the hackers are accessing your computer system in an attempt to gain control over some portion in order to further their goals.  The hackers then use that control to continue their efforts within your business or using your business as cover.  In the White House breach, for example, it is widely reported that the attack came after hackers infiltrated the State Department to gain control over a legitimate email address which they then used to hack into the White House system.

In other cases the hackers take control of your system and hold it hostage.  Once in your system, they take control of your company files then encrypt them and prevent your business from having access to them.  The next thing you receive is a ransom demand.  Pay up or lose the files forever.  You can read about some of these cases in an NPR story here.  It happens to police departments as well.  Even law firms have been victims.

How Much Could A Spear Phishing Attack Cost Your Business?

Smaller attacks are relatively cheap.  A few hundred dollars paid by the deadline will get you the encryption key to unlock your files in some cases.

In other cases, the potential financial exposure is much higher.  The attacks are becoming much more sophisticated.  More sophisticated programs will search out more valuable files, and if they locate them, guess what?  The price goes up.  The CAD designs for that $30 million construction project are going to cost you a lot more to get back than the generic everyday company files.

Don’t forget the potential liability your company may have to third parties as well.  If your files are compromised and the information accessed by the hackers includes personal information protected under privacy laws, then your business may be in for some significant expenses.  Many states (including Texas) have breach notification laws.  Fail to comply with the breach notification laws and your company could face significant fines.  If the information is used by the attackers and a third party suffers a loss, your business could be subject to a lawsuit as well.

There is also lost business to consider.  If your client learns that its confidential information was lost because your company didn’t take adequate measures to protect it, then how long do you think you will have that client?


Cybersecurity: Understanding a Texas Business’s Exposure to Liability (Part I)

With a number of recent cyber security events making the headlines, businesses across Texas are wondering what type of liability they could be subject to if such an event were to strike their business as well as what type of liability they may be subject to for inappropriately accessing electronic data.  This is the first in a two-part series that will help answer those questions.

In general, there are three potential types of liability that a Texas business is exposed to under either of these scenarios: statutory liability; contractual liability; and tort liability.  This post will focus on statutory liability with a subsequent post addressing contractual and tort liability issues.

There are both federal and state statutes regulating access to and use of electronic information.

The Federal Cybersecurity Laws

At the federal level, business owners and managers should be familiar with the Stored Communications Act (“SCA”), the Electronic Communications and Privacy Act (“ECPA”), as well as the Computer Fraud and Abuse Act (“CFAA”).

Stored Communications Act.  The Stored Communications Act prohibits an individual from willfully or intentionally accessing, without authorization, a facility through which an electronic communication service is provided, or exceeding its authority to access that facility, and thereby obtaining, altering, or preventing authorized access to an electronic communication while it is in electronic storage in such system.  The SCA most often impacts employers when they access communications stored on company-owned electronic devices or with third-party service providers if the company is not a party to that communication, for example, reading an employee’s personal email stored on his or her company-issued phone.  There is a developing body of case law interpreting the SCA that identifies the circumstances under which an employer may access these (and other) types of communications on an electronic device or a service provider’s server when the company is not a party to the communication.

Electronic Communications and Privacy Act.  The Electronic Communications and Privacy Act prohibits the interception of electronic communications as well as the use or disclosure of intercepted communications without authorization.  The ECPA also impacts employers attempting to monitor or investigate the activities of their employees.  The ECPA differs from the SCA in that it prohibits the interception of an electronic communication while the SCA prohibits accessing a communication in storage.  Companies should consider the ECPA’s prohibitions any time they consider implementing a monitoring program that will intercept emails or other electronic communications.

Computer Fraud and Abuse Act.  The Computer Fraud and Abuse Act makes the unauthorized access of a private computer system a criminal offense and allows an individual (or business) affected by such activity to bring a private cause of action.  For employers, the CFAA most often comes into play when an employee or former employee is found to have accessed information on the company’s computer system without authorization.  The CFAA clearly applies to the activities of former employees or other outsiders; however, the interpretation and application of the CFAA to current employees has varied widely across federal circuits.  In Texas, the focus in determining whether the CFAA applies to an employee’s activity generally looks at whether the access violated the company’s terms of use policies and whether the employee knew of that policy.

Texas Cybersecurity Law

At the state level, the Texas Business & Commerce Code imposes a duty upon businesses to implement reasonable procedures, including taking any appropriate corrective action, to protect against the unlawful use or disclosure of any sensitive personal information collected or maintained by a company in the regular course of business.  This applies to information collected or maintained about customers as well as employees.  The TBCC also mandates specific procedures for the destruction of records that contain sensitive personal information.

The TBCC imposes a number of notification requirements and procedures upon businesses that are subject to a breach of system security if the breach is reasonably believed to have resulted in the disclosure of sensitive personal information.  Texas recently expanded the breach notification requirements to include notification to any individual whose information was potentially exposed, regardless of that person’s state of residency.