Cybersecurity To-Dos in 2023

Polsinelli

Introduction

The cybersecurity threat landscape continues to evolve and present new challenges pertaining to the protection of electronically stored information. Innovative “hacking” tactics constantly emerge and metamorphose; however, threat actors continue to target common system vulnerabilities – where available – to gain initial unauthorized access to an organization’s computer networks, systems, servers, email accounts, etc. This means that initial unauthorized access can oftentimes be prevented by implementing known security controls and practices that remove common vulnerabilities, which may incentivize threat actors to simply move on to easier targets. This article outlines common vulnerabilities exploited by threat actors to gain unauthorized access to an organization’s environment and electronically stored information, as well as recommended privacy and security controls to mitigate the risk and severity of potential cybersecurity incidents and/or data breaches.

Business Email Security

Business email compromise (“BEC”) is the most common, financially devastating category of cybersecurity incidents. As reported in its 2021 Internet Crime Report, the FBI received approximately 20,000 BEC complaints with losses of close to $2.4 billion in 2021, and it is anticipated that the figures reflected in the FBI’s annual report for 2022 will increase significantly.

Threat actors typically rely on one of two methods to effectuate BECs: phishing emails or credential compromises. In the phishing email context, a threat actor sends an email from a “spoofed” email account – i.e., using an email address with slight variations from the legitimate email address or via a different domain – to trick recipients into thinking that the spoofed email address is legitimate. Alternatively, in the credential compromise scenario, the threat actor utilizes malicious software to gain unauthorized access to an organization’s systems and email accounts, allowing the threat actor to then interject into and/or intercept legitimate email threads.
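The spoofing technique described above (a sender domain that differs from the legitimate one by a character or two, or by its top-level domain) is something a mail gateway or SOC script can check mechanically. The following is an added example, not code from the article or from Polsinelli, that classifies the domain in a From: header as trusted, a lookalike of a trusted domain, or simply external. The trusted domains and the sample headers are constructed for the example; the homoglyph table and the edit-distance threshold of one are assumptions a deployment would tune.

```python
from email.utils import parseaddr

# Constructed for this example: domains the organization treats as legitimate senders.
TRUSTED_DOMAINS = {"example.com", "example-corp.com"}

# Character sequences commonly swapped for look-alike glyphs in spoofed domains.
# Multi-character sequences come first so they are folded before single characters.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"),
              ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label: str) -> str:
    """Fold common homoglyph substitutions so 'exarnp1e' compares equal to 'example'."""
    label = label.lower()
    for glyph, real in HOMOGLYPHS:
        label = label.replace(glyph, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Split 'example.com' into ('example', 'com').
    Simplification (assumption): the last label is treated as the TLD, so
    multi-part suffixes such as .co.uk are not handled specially."""
    name, _, tld = domain.rpartition(".")
    return name, tld


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify the domain in a From: header as 'trusted', 'lookalike', 'external' or 'invalid'."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "invalid"
    domain = addr.rsplit("@", 1)[1].strip().lower()
    if domain in trusted:
        return "trusted"
    d_name, d_tld = split_domain(domain)
    for t in trusted:
        t_name, t_tld = split_domain(t)
        # Trusted domain embedded in a longer one: example.com.evil-host.net, notexample.com
        if t in domain:
            return "lookalike"
        # Same name under a different TLD: example.co, example.net
        if d_name == t_name and d_tld != t_tld:
            return "lookalike"
        # Homoglyph swaps (exarnple.com, examp1e.com) or a single typo (examples.com)
        if levenshtein(normalize(d_name), normalize(t_name)) <= 1:
            return "lookalike"
    return "external"


def triage(headers):
    """Return (verdict, address) pairs for every message not sent from a trusted domain."""
    results = []
    for h in headers:
        verdict = classify_sender(h)
        if verdict != "trusted":
            results.append((verdict, parseaddr(h)[1]))
    return results


if __name__ == "__main__":
    # Constructed sample From: headers, not captured traffic.
    SAMPLE_HEADERS = [
        "Accounts Payable <ap@example.com>",
        "Accounts Payable <ap@EXAMPLE.com>",
        "Accounts Payable <ap@exarnple.com>",
        "Accounts Payable <ap@examp1e.com>",
        "Accounts Payable <ap@example.co>",
        "Accounts Payable <ap@example.com.evil-host.net>",
        "Vendor Support <support@vendor.net>",
    ]
    for verdict, addr in triage(SAMPLE_HEADERS):
        print(f"{verdict:10s} {addr}")
```

A "lookalike" verdict is a reason to quarantine or banner the message for review, not proof of fraud: a legitimate partner whose domain happens to sit within one edit of a trusted one will also be flagged, which is why the threshold and the trusted list need tuning per organization. Plain Levenshtein counts a transposition (exmaple.com) as two edits, so a deployment that wants to catch those should raise the threshold or use a Damerau-style distance.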

Phishing emails or credential compromises allow the threat actor to perpetrate various fraudulent and unlawful acts. The contents of a spoofed email may induce the recipient to click on a malicious link or open a malicious file. Depending on the sophistication of the threat actor, the malicious link or file may grant the threat actor unauthorized access to an email account by one or more of the following methods: redirecting the recipient to a fake login page, prompting the recipient to enter valid login credentials, subsequently instigating exfiltration of the contents of the recipient’s inbox, and/or initiating malware installation for the threat actor’s subsequent unauthorized access, exfiltration, etc.

Once within the account, the threat actor may attempt to gain additional access to other accounts using the legitimate email address, propagate additional malware to email contacts, or attempt social engineering attacks to facilitate fraudulent financial transactions.

While BECs account for most cyber-attacks, they are among the easiest to prevent, for example by implementing the following recommended technical and operational protocols:

  • Multi-factor authentication (“MFA”), where a system requires a user to provide a combination of two or more credentials to verify the user's identity at login. MFA is easy to implement, minimally intrusive, and affordable, and is often also a requirement for coverage under cyber insurance policies.
  • Forced password resets on a routine basis and across all user accounts, which are invaluable in mitigating the risk of attacks originating from compromised credentials.
  • Policies for data retention, storage, and electronic transfer.
  • Cybersecurity awareness training with emphasis on phishing training (to spot suspicious links and domain/email address inaccuracies).

A combination of these protections can deter a threat actor from pursuing unauthorized access to an organization’s systems and data.

Ransomware Prevention

Ransomware refers to the unauthorized encryption of data, with a decryption utility offered for a fee payable to a threat actor. Encryption is a legitimate utility for data security, and works by transforming plaintext into ciphertext using an algorithm that generally has a single known solution. The ciphertext can only be converted back to plaintext using that solution, often referred to as a decryption key. When used responsibly, encryption is an excellent way to protect the confidentiality of data both at rest and in transit. Ransomware presents a malicious use case for an otherwise-valid (and highly effective) security tool.

The overwhelming majority of ransomware attacks begin with one of three attack vectors: unauthorized or unknown use of Remote Desktop Protocol (“RDP”), phishing attacks, and vulnerabilities or misconfigurations in legitimate software preexisting in the environment.

Once within the environment, threat actors will typically attempt lateral movement to systems that appear to be mission-critical or contain high-value data, and in particular will target intra-network backups. Once their initial reconnaissance efforts are complete, the threat actor will deploy the ransomware binary on each infected machine and drop a ransom note (typically a .txt file) containing a link to a TOR/dark-web site and an invitation to contact the threat actor.

If well-prepared, an organization can thwart a ransomware attack at the intrusion phase. Beyond the anti-phishing measures described above, a significant volume of ransomware incidents could have been averted by removing access to RDP (typically by closing port 3389 to outside traffic). Relatedly, remote access tools such as TeamViewer, AnyDesk, and SupRemo should be blocked unless absolutely necessary. Similarly, software patching should be routine to avoid the exploitation of outdated versions. While patching will not necessarily defend against zero-day attacks (attacks where the software developer learns of a vulnerability only after it has been exploited in the wild), routine patching shortens the window of exposure once a fix for such a vulnerability becomes available.

Third Party & Regulatory Risk Mitigation

Another significant area of cyber risk exists outside the organization altogether. While most cybersecurity and data privacy professionals are generally familiar with the prevalence of third-party risk, Polsinelli continues to see incidents arising as the result of a compromise of a third party.

As a preliminary matter, it is important to note that an organization will not be discharged of its privacy and security obligations because another party processes or hosts its data. In most instances, as a matter of default, the data owner will ultimately be responsible for the appropriate response, investigation, and notification to individuals in the event of a cybersecurity incident or data breach. Thus, it falls to the data owners themselves to ensure adequate privacy and security controls are in place or be subject to the harms of a data breach.

As a result, sophisticated enterprises are increasingly requiring their vendors and business partners to maintain certain minimum cybersecurity requirements, carry sufficient cyber insurance, and notify the data owner on an expedited basis in the event of a cybersecurity incident. By contrast, less agile or sophisticated organizations continue to rely on outside business partners without such terms, and often fall victim to the self-inflicted harm associated with the failure to appropriately measure and account for risk.

Public companies face even greater exposure. Publicly traded companies have heightened privacy and security obligations in that they must comply with industry best practices as well as meet standards of prudence, including on issues of privacy and security. For example, a fictional entity might have thirty to sixty days from the point that it determines a reportable breach has occurred to notify impacted individuals. By contrast, if this entity happens to be publicly traded, the same entity might only have four days from the point it reasonably should have determined that it has experienced a material cybersecurity incident to file an 8-K or 10-K, as appropriate, under rules proposed by the SEC. Further, reasonable security measures are increasingly becoming components of state and federal law for all organizations.

Going into 2023, every organization should be reviewing its contractual agreements to confirm its potential exposure, with particular emphasis on data retention, indemnity, and notification. Additionally, a growing number of states' laws, and industry guidance, require organizations to include specific language in their vendor contracts related to cybersecurity protections for sensitive information. Organizations should require their data processors to maintain cyber insurance commensurate with their exposure. 2023 is a good time to revisit an organization’s vendor due diligence program so that vendors are adequately and systematically vetted before they gain access to an organization’s sensitive data, reducing the risk of third-party incidents.

For organizations that are publicly traded, operate in highly regulated or infrastructure sectors, or that own or process personal data, it is strongly recommended that they develop and/or update their incident response and data retention plans. In order to be prepared to comply with the SEC’s proposed rules on cybersecurity risk management and cybersecurity incident reporting, public companies must have an established incident response plan to identify potential incidents, contain, remediate, and respond to such incidents, and quickly assess the materiality of such incidents (both individually and in the aggregate). Public companies should also develop and implement cybersecurity risk assessment programs and collaborate with SEC and cybersecurity counsel to draft the required disclosures for inclusion in their 10-K.

Cybersecurity To-Dos for 2023

The below list, while not comprehensive, will go a long way toward mitigating the risk of a cybersecurity incident or data breach.

  • Implement (and enforce!) application-based MFA for all users.
  • Implement Office 365, Office 365 Defender, or similar email applications that automatically flag and delete suspicious emails and/or provide alerts regarding sender verification.
  • Implement cybersecurity awareness training with emphasis on phishing training (to spot suspicious links and domain/email address inaccuracies).
  • Implement regular ethical phishing testing.
  • Establish and implement a records and data retention and disposition policy, including email retention.
  • Confirm that credentials meet certain length, age, and sophistication requirements.
  • Block all non-essential RDP access.
  • Block all non-essential Remote Access Tools.
  • Implement a routine patch schedule for all software.
  • Conduct an immediate review of all vendor agreements to confirm data protection, data retention, indemnity, notification, and insurance provisions.
  • Update incident response plans to comply with upcoming abbreviated reporting obligations.
  • Update data retention policies to adhere to data minimization principles.
  • Talk to and educate employees and business partners about their cybersecurity practices.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Polsinelli | Attorney Advertising

Written by:

Colin H. Black, Associate, Chicago; Bruce A. Radke, Shareholder, Chicago; Anna K. Schall, Attorney, Kansas City (Polsinelli). Originally published in Polsinelli’s Tech Transactions & Data Privacy: 2023 Report (polsinelli.com).
