Children know that picking a good team can be the key to success on the playground. For example, in choosing a team for a pickup basketball game, a young "captain" will try to pick the most capable individuals available to form a unit that can excel at dribbling, passing, shooting, defending, and rebounding.
Cybercrime is not child's play. However, organized cyber criminals use a similar approach to build their gangs: they assemble groups of specialists who collaboratively target and profit from victims' information, assets, and systems. Among other things, sophisticated cybercrime groups—which have the advantage of knowing exactly what attacks they intend to launch—include specialists to hack into systems, write malware, conduct social engineering, navigate inside networks, extract data, and/or launder money.
Unfortunately, many innocent organizations—unlike cybercriminals—fail to heed these simple playground lessons in forming incident response teams. For example, some entities fail to pick a team at all and scramble to find help during rapidly deteriorating incidents. According to the Association of Corporate Counsel Foundation's survey of in-house legal counsel, 30 percent of companies lack a formal data breach response team.
Other organizations may select a team in advance, but rely too heavily on one discipline, such as information technology, and fail to secure other essential expertise. For example, the above-mentioned survey revealed that only 33 percent of companies have proactively engaged outside counsel, and only 24 percent have retained a computer forensics firm.
The range of skills needed to respond to incidents is broad. An organization cannot know exactly when and how cybercriminals will strike. Yet, it must be ready to address incidents that include denials of service, virulent malware, zero-day exploits, physical theft, social engineering, malicious or careless insiders, spear phishing, and/or email spoofing. By skillfully selecting an incident response team before an incident happens, an organization can position itself to respond to these and the many other cyber incidents it may face.
Business email compromises (BECs), an increasingly common information security incident, highlight the need for a multidisciplinary incident response team. According to the FBI, the number of dollars targeted in BEC scams increased by 1,300% from January 2015 to June 2016. From October 2013 to May 2016, BECs victimized more than 14,000 businesses in the United States. There are many variations of BEC schemes, but BECs commonly include the following four steps:
First, the attacker studies the intended victim and identifies the company employee or employees responsible for maintaining sensitive information or making wire transfers. These employees normally work in a finance department.
Second, the attacker either hacks or spoofs the business or personal email account of a company's executive, often the chief executive officer or president.
Third, the attacker uses the compromised or spoofed email account of the CEO, president, or other executive to pose as the executive and send a fraudulent message to an employee identified in step one requesting that the employee either wire money or send data to a specified recipient.
And fourth, if the targeted employee wires the money or sends the requested data, the attacker collects proceeds from the wire transfer or monetizes the data it receives.
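As an added example that is not part of the original article, the following Python script runs over constructed sample messages and flags the indicators that distinguish the spoofing variant of step two (an executive's display name on a foreign or look-alike address, a Reply-To that redirects the conversation) and the request of step three (wire-transfer or payroll-data language). The company domain, the executive list, the keyword list and the three messages are all assumptions made for the illustration.

```python
"""Flag the header and content indicators of a BEC message (added example).

Assumed data: a hypothetical company domain, one executive, and three
constructed messages. None of this comes from the article.
"""
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                          # assumed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}       # assumed
# Phrases typical of the step-three payload (wire or sensitive-data request).
REQUEST_KEYWORDS = ("wire", "w-2", "w2", "payroll", "transfer", "urgent")


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    key = name.strip().lower()
    from_dom = _domain(addr)
    findings = []

    # Spoofing variant of step two: executive's display name, foreign address.
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append(f"display name '{name}' does not match executive address")

    # Look-alike domain: close to, but not equal to, the real company domain.
    if from_dom != COMPANY_DOMAIN and 0 < _edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain {from_dom}")

    # Reply-To outside the From domain: the employee's reply goes to the attacker.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply)} differs from From domain {from_dom}")

    # Step-three payload: wire-transfer or payroll-data request language.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    if any(k in text for k in REQUEST_KEYWORDS):
        findings.append("wire-transfer or payroll-data request language")
    return findings


# Constructed samples (not real messages).
SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.janedoe@mail-provider.example>
To: pat.smith@example.com
Subject: Urgent wire transfer
Content-Type: text/plain

Pat, please wire $48,000 to the account on the attached invoice today.
I am in meetings all day, so just reply here.
"""

COMPROMISED = """From: Jane Doe <jane.doe@example.com>
To: pat.smith@example.com
Subject: W-2 request
Content-Type: text/plain

Pat, send me copies of all employees' W-2 forms for last year as a PDF.
"""

BENIGN = """From: Jane Doe <jane.doe@example.com>
To: pat.smith@example.com
Subject: Lunch on Thursday
Content-Type: text/plain

Pat, are you free Thursday at noon?
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("compromised", COMPROMISED), ("benign", BENIGN)):
        print(label, bec_indicators(sample))
```

The second sample is the point of the caveat: when the executive's real account has been hacked rather than spoofed, every header check passes and only the content check fires, which is why the W-2 incident described below succeeded and why a wire or data request from an executive should be verified out of band regardless of what the headers say.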
Earlier this year, an unknown criminal party sent a spear phishing email to an employee of a company requesting copies of all employees' Forms W-2 for the 2015 tax year. An employee replied to the email by sending the information for thousands of employees, which included names, addresses, Social Security Numbers, and total earnings. In its letter notifying employees of the breach, the company stated that it would provide two years of credit monitoring to its employees, determine what process changes the incident warranted, and take other appropriate actions. Employees subsequently sued the company in a putative class action.
After learning of such a compromise, a response team must act quickly. In doing so, the team will rely upon the expertise of members trained in several disciplines. Among other things, the following actions likely would occur:
- In-house counsel, working with outside counsel, would ensure that attorney-client privilege and work product protections are maintained throughout the response;
- Risk management would notify the company's cyber insurance carrier of the event;
- The information technology department would work with a computer forensics firm to determine whether the incident involved a digital intrusion and exfiltration and decide whether any remediation is needed;
- The information technology department would review the effectiveness of digital controls on the breached information and assess how they might have failed or been circumvented;
- In-house counsel, working with outside counsel, would interview witnesses and review evidence to determine whether relevant employees followed required controls;
- Human resources professionals would facilitate the review of relevant employees' files for any evidence that might support the attorneys' investigation;
- In-house counsel, working with outside counsel and possibly an external vendor, would satisfy the company's breach notification requirements;
- A finance executive would review the adequacy of financial controls; and
- The communications department, possibly working with a crisis communications firm, would manage internal and external messaging through various media.
Overall, the company's response team would take countless other actions to mitigate the harm resulting from the BEC—including preparing to defend a lawsuit that likely will scrutinize its actions. According to the Ponemon Institute's 2016 Cost of Data Breach Study, business continuity management—which incorporates the efforts of incident response teams—significantly reduces the costs, duration, and recurrence rate of data breaches.
To enjoy such results, senior executives must think carefully about how they select their response teams. Have they chosen the most capable members? Have they filled all needed roles? Have they engaged necessary third parties in advance? Some executives must ask if they even have a team.
These questions seem simple, but answering them can be difficult; after all, picking an effective information security incident response team is not a game. Yet companies that do it successfully begin with one important understanding: The ball is in their court.
Originally published by Legaltech News, October 10, 2016
Visit us at mayerbrown.com
© Copyright 2016. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.