By Paul Ferrillo and Randi Singer*
They may be based in North Korea, Russia, China, or the United States. They may call themselves “Deep Panda,” “Axiom,” “Group 72,” the “Shell_Crew,” the “Guardians of Peace,” or the “Syrian Electronic Army.” But no matter how exotic or mundane the origins of a particular cyber-criminal organization, all that it needs to initiate a major cyberattack is to entice one of your employees to click on a malicious link in an email, inadvertently disseminate malware throughout the network servers, and potentially cause tremendous damage and loss of business.[i]
Indeed, “spear phishing” is a tactic used by cyber-criminals that involves sending phony, but seemingly legitimate, emails to specific individuals, company divisions, or even business executives, among other typically unwitting targets. Unlike spam, these emails usually appear to be from someone the recipient knows and in many cases can appear completely legitimate, or at least unassuming. If the recipient opens any attachments or clicks any links, havoc can ensue. Such spear phishing emails are suspected to have caused many of the recent major cyber attacks.
Despite fancy-sounding defensive cybersecurity devices at companies and financial institutions, “spear phishing with malware attachments” is often the easiest route into a sophisticated network.[ii] One report recently noted that, “Compared to the ‘spam-phishing’ emails of days past, which most people have learned to identify and avoid over the years, spear-phishing emails are astronomically more effective. Whereas the current open rate for spam emails is a meager 3%, the open rate for spear-phishing emails is a staggering 70% (not to mention 50% of those who open these emails also click the links they contain). A study published by Cisco found 1,000 spear-phishing emails generate ten times more data revenue for hackers than sending 1,000,000 spam-phishing emails.”[iii] According to another recent study, 90 percent of all hacks in the first half of 2014 were preventable, and more than 25 percent were caused by employees.[iv]
For these reasons, it is absolutely crucial that a company provide training to its employees to detect and avoid spear phishing attacks and, more broadly, to avoid the common lapses in judgment or awareness that can expose a company to a cyber-incident. For example, companies can easily offer training that improves password practices, helps avoid workplace theft, and better protects employee-owned devices, such as smartphones, laptops, and tablets, that lack password protection. Though no particular training regimen can guarantee protection from a cyber-attack, the statistics support including training as a critical part of a company’s overall security posture.
Anti-Spear Phishing Training
Weeks after the announcement of the Anthem attack, which, like that on Sony Pictures, was likely caused by a sophisticated spear phishing operation, cybersecurity guru Brian Krebs noted that others were attempting to prey upon the misfortune of over 80 million patients by sending their own spoofed emails to affected customers.[v] Other “cold-calling” scams apparently were perpetrated at about the same time as the fake emails were sent:
Now, if you were a terrified Anthem patient whose personal health information was potentially stolen, this sort of an email communication would not be unexpected, and would be very appealing; it would be natural to click the link. In reality, clicking on the fraudulent “free credit protection link” would only have touched off a whole new world of pain.
Here is another example illustrating the growing sophistication of spear phishing attacks. What if you were an existing customer of HSBC and received this email? Would you click on the link, or ignore it and potentially let your account be suspended by “the bank”?[vi]
But the potential price for opening a link that does not appear to be obviously suspicious can be breathtakingly high. In an era where there is so much personal information about everyone on the Internet, it would not be hard for even a high-school student to create an authentic-looking email that could catch us when we least suspect a cyber-attack (especially the Anthem “customer email”). Even higher-level employees are vulnerable to spear phishing (often called “whaling” when high-level executives are targeted), and the corresponding damage can be exponentially worse.[vii]
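The look-alike sender addresses and disguised links described above are exactly the things a mail gateway or a trained employee can check for. The following is an added example, not code from the article or from any vendor it mentions: it parses two constructed sample messages (a lure and a genuine notice) and lists the indicators it finds. The trusted domains, brand name, urgency phrases and both messages are assumptions made up for the example.

```python
"""Scan raw email messages for common spear phishing indicators (added example).
The trusted domains, brand name and sample messages below are constructed."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical domains the organisation treats as genuine senders, and the
# brand name a spoofed display name would try to borrow.
TRUSTED_DOMAINS = {"examplebank.test", "www.examplebank.test"}
BRAND_NAMES = ("examplebank",)
URGENCY_PHRASES = ("suspend", "within 24 hours", "verify your account", "immediately")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    """Lower-cased domain part of an email address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(text):
    """Hostname of a URL or bare domain written in link text ('' if not URL-like)."""
    if "." not in text or " " in text:
        return ""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()


def scan_email(raw):
    """Return a list of indicator strings found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. The sending domain is not one the organisation recognises...
    if from_dom not in TRUSTED_DOMAINS:
        findings.append(f"untrusted sender domain: {from_dom}")
        # 2. ...yet the display name still borrows a trusted brand name.
        if any(b in display.lower() for b in BRAND_NAMES):
            findings.append(f"display name '{display}' imitates a trusted brand")

    # 3. The bounce address (Return-Path) belongs to a different domain than From.
    rp_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    # Gather every text part (a multipart message may carry several).
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")

    # 4/5. Link text naming one host while the href goes elsewhere, and any
    # href whose host lies outside the trusted set.
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host, text_host = _host(href), _host(text)
        if text_host and href_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
        if href_host and href_host not in TRUSTED_DOMAINS:
            findings.append(f"link to untrusted host: {href_host}")

    # 6. Pressure language typical of credential-harvesting lures.
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed lure: look-alike sender domain, foreign bounce address, and link
# text naming the real site while the href goes to the look-alike.
PHISHING_SAMPLE = """\
From: ExampleBank Security <alerts@examplebank-verify.test>
Return-Path: <bounce@mailer-9921.test>
To: employee@corp.test
Subject: Your account will be suspended
Content-Type: text/html

<p>We detected unusual activity. Please verify your account within 24 hours
or it will be suspended.</p>
<p><a href="http://examplebank-verify.test/login">https://www.examplebank.test/secure</a></p>
"""

# Constructed genuine notice from the trusted domain, for comparison.
LEGIT_SAMPLE = """\
From: ExampleBank Statements <statements@examplebank.test>
Return-Path: <statements@examplebank.test>
To: employee@corp.test
Subject: Your March statement is available
Content-Type: text/plain

Your statement is ready. Sign in at https://www.examplebank.test/statements as usual.
"""
```

Running `scan_email(PHISHING_SAMPLE)` yields six indicators (untrusted sender domain, borrowed brand name, Return-Path mismatch, link text/href host mismatch, untrusted link host, urgency language), while `scan_email(LEGIT_SAMPLE)` yields none. Any single indicator can occur in legitimate mail, which is why such checks are best used to score a message rather than to block on one hit.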
How do you guard against a socially engineered spear phishing attack? You train and you train, and then you train some more. Many corporate IT departments already periodically send out fake emails to their employees hoping for a “bite.” Many more companies regularly train their employees monthly on anti-spear phishing using automated computer programs that send employees emails appearing to come from genuine company addresses, to see who will unwittingly click on the links.[viii] Records can be kept of successes (and failures). Some companies might award prizes to employees who religiously resist getting tricked, gaining loyalty while simultaneously lowering risk. The resulting reduction in the risk of an employee clicking on a malware-infected spear phishing email can be substantial.[ix]
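Keeping “records of successes (and failures)” only pays off if someone turns them into numbers that drive the next round of training. The following is an added example, not the article’s or any training vendor’s code: it reads a constructed export from a phishing-simulation tool (one row per employee per campaign, recording the furthest step that employee took) and produces the figures a security team would actually act on. The log format, department names and employees are assumptions invented for the example.

```python
"""Summarise simulated spear phishing campaign records (added example).
SAMPLE_LOG is a constructed export; its column layout is an assumption."""
import csv
from collections import defaultdict
from io import StringIO

# event is the furthest step the employee took: ignored, opened, clicked, or
# reported (forwarded the lure to the security team without clicking).
SAMPLE_LOG = """\
campaign,employee,department,event
2015-01,alice,finance,reported
2015-01,bob,finance,clicked
2015-01,carol,legal,opened
2015-01,dave,legal,clicked
2015-02,alice,finance,reported
2015-02,bob,finance,clicked
2015-02,carol,legal,reported
2015-02,dave,legal,reported
"""


def parse_log(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def department_rates(rows):
    """Per department, the share of test emails that were clicked and the share reported."""
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for r in rows:
        t = totals[r["department"]]
        t["sent"] += 1
        if r["event"] in ("clicked", "reported"):
            t[r["event"]] += 1
    return {d: {"click_rate": t["clicked"] / t["sent"], "report_rate": t["reported"] / t["sent"]}
            for d, t in totals.items()}


def campaign_trend(rows):
    """Click rate per campaign in chronological order; a falling series shows training taking hold."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for r in rows:
        sent[r["campaign"]] += 1
        clicked[r["campaign"]] += r["event"] == "clicked"
    return [(c, clicked[c] / sent[c]) for c in sorted(sent)]


def repeat_clickers(rows, threshold=2):
    """Employees who clicked in at least `threshold` distinct campaigns: targeted-training candidates."""
    clicks = defaultdict(set)
    for r in rows:
        if r["event"] == "clicked":
            clicks[r["employee"]].add(r["campaign"])
    return sorted(e for e, c in clicks.items() if len(c) >= threshold)


def consistent_reporters(rows):
    """Employees who reported every test email they received: the ones worth recognising."""
    seen, reported = defaultdict(int), defaultdict(int)
    for r in rows:
        seen[r["employee"]] += 1
        reported[r["employee"]] += r["event"] == "reported"
    return sorted(e for e in seen if reported[e] == seen[e])
```

On the sample data the click rate falls from 50% in the first campaign to 25% in the second, `bob` shows up as a repeat clicker who needs individual follow-up, and `alice` reported every lure she received. The report rate matters as much as the click rate: an employee who reports a simulated lure is the same employee who will give the security team early warning of a real one.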
Password Protection and Awareness
There has also been a tremendous amount of publicity over the inadequacy of employee passwords. A January 2013 report by Deloitte suggests that an astonishing 90 percent of user passwords are vulnerable to hacking.[x] There are a few rules of the road:
Other Simple (Non-Hardware) Ideas to Protect Company Data
Cybersecurity is the ultimate team sport, and every person in the company, from a director down to an entry-level employee, needs to be invested in its cybersecurity:
“The infamous Sony hack, the systematic attacks of Heartbleed and Shellshock targeting core internet services and technologies, and the new wave of mass mobile threats have placed the topic of security center stage. Organizations are dramatically increasing their IT budgets to ward off attack but will continue to be vulnerable if they over-invest in technology while failing to engage their workforce as part of their overarching security solution. If we change this paradigm and make our workforce an accountable part of the security solution, we will dramatically improve the defensibility of our organizations.”[xii]
We cannot claim that any of these ideas are cure-alls for the hacking problem in the United States (in fact, none are complete solutions). We can only subscribe to the theory that failing to implement basic cybersecurity “blocking and tackling” practices is the functional equivalent of forgetting to lock the back door.
*Randi Singer is a litigation partner in Weil’s New York office and a member of the Firm’s Intellectual Property & Media practice. She focuses primarily on copyright, Lanham Act false advertising, and trademark litigation, privacy, cybersecurity, and social media counseling, and music licensing, First Amendment, right of publicity, and other intellectual property issues, in addition to complex commercial litigation and bankruptcy proceedings.
****
[i] See “Learning from the Mistakes of Others: Sony, NSA, G2O, & DoD Hacks,” available here; also see, e.g. “Data Breach at Health Insurer Anthem Could Impact Millions,” available here.
[ii] See “‘Spear Phishing’ Attacks Infiltrate Banks’ Networks,” available here.
[iii] See above at footnote 1.
[iv] See “Over 90 percent of data breaches in first half of 2014 were preventable,” available here; also see “The Weakest Link Is Your Strongest Security Asset,” available here (noting, “According to PwC, employees and corporate partners are responsible for 60% of data breaches. Verizon’s research suggests the number is even higher, at almost 80%.”).
[v] See “Phishers Pounce on Anthem,” available here.
[vii] See “Hacking the Street, FIN4 Likely Playing the Market,” available here.
[viii] See e.g. the anti-spear phishing training offered by a company called Phishme, available here.
[ix] See “KnowBe4 Security Awareness Training Blog: Train Employees And Cut Cyber Risks Up To 70 Percent,” available here.
[x] See “90 percent of passwords vulnerable to hacking,” available here.
[xii] See “The Weakest Link Is Your Strongest Security Asset,” available here.