Best Practices to Protect Against Increased Cyber Threats During the Holiday Season
Wednesday, December 22, 2021
Increased Cyber Threats During the Holidays
Print Mail Download i

Recent data thefts and systems intrusions, particularly with respect to ransomware, have assured that cybersecurity is top of mind for corporate executives and compliance officials. We at EBG have tried to keep you up to date with respect to legislative, regulatory and litigation developments and recommended best practices and procedures.

As we close out the year, we all should remain mindful that cyber criminals, especially those who are supported or protected by foreign adversaries, have little incentive to rest up during the holidays.

Indeed, they likely will find that a loosened semi-remote business environment offers them opportunities to exploit human and technologic weakness that allow execution of Zero Day exploits and other attacks upon corporate information systems. Through our participation in the National Chamber of Commerce Cyber Security Working Group, we have been actively interfacing with Executive Branch and Congressional officials to contribute to and to monitor the array of proposals being considered by the Congress, and the regulatory guidance being issued by federal agencies including The National Institute of Standards and Technology (“NIST”) of the Department of Commerce, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency “CISA,” the Department of Health & Human Services Office of Civil Rights that deals with PHI protection, as well as the Treasury Department’s Office of Foreign Asset Control (“OFAC”). Thus, we have issued recent guidance concerning ransomware avoidance and resilience, the availability of helpful best practices tool kits from NIST and CISA, and heightened responsibilities with respect to ransomware payment decisions. We expect that the need for counselling with respect to cybersecurity and privacy compliance, data breach and ransomware response, and litigation defense is unlikely to diminish in the year ahead. From both regulatory and enforcement perspectives, government recognizes it as well.

Given, among other things, recently-demonstrated weakness throughout the critical infrastructure, and the prevalence of damaging ransomware incidents in the private sector, multiple bills are pending in the House and Senate. Given the pressure to deal with infrastructure, voting rights and national debt, it is not likely that Congress will pass definitive legislation affecting the private sector this year. 2022, however, is likely to be a different matter. For example, there is overwhelming bipartisan support for a national breach notification law, with the only real point of division being how much time the victim of a breach would have to report it. There is likely coalescence on 72 hours from confirmation, exactly what constitutes actual knowledge and verification are to be determined. In the Executive Branch, the Departments of Justice and Treasury are undertaking heightened enforcement initiatives, and the President has mandated cybersecurity requirements applicable to government agencies and federal contractors.

The continuing interest and involvement of the administration in cyber prevention, response and enforcement is highlighted by today’s open memo from the most-senior White House cybersecurity officials—Anne Neuberger and Chris Inglis—on “Protecting Against Malicious Cyber Activity before the Holidays” to corporate executives and business leaders.

The (sharable) memo says, in part—

Here are some best practices that can be implemented immediately. We recommend that you confirm with your IT teams that these are in place:

  • Updated Patching. Criminals count on victims failing to patch their systems and usually take advantage of long-known and fixable vulnerabilities. Patching should be up-to-date, against all known vulnerabilities.

  • Know your Network: Enable logs; pay attention; investigate quickly. Intrusions can be stopped before the impact. Secure organizations assume they will be compromised, but work to minimize the effect of a compromise.

  • Change Passwords and Mandate Multi-Factor Authentication (MFA). Ask your IT staff how long it has been since employees changed their passwords. Many criminals use stolen credentials, so forcing a reset (with adequate length and complexity) before the holidays can deny malicious actors access to your systems. At the same time, confirm that your organization has implemented MFA and that it is required without exception. If you have MFA available, but are not requiring it, change that—require all staff to use the security technology that you have already acquired. MFA significantly reduces your risk from almost all opportunistic attempts to gain entry into key systems.

  • Manage Schedules. Review staffing plans for your IT and security teams to ensure you have sufficient holiday coverage. Similarly, identify those IT and security employees who are on 24/7 call in the event of a cybersecurity incident or ransomware attack. Minutes count in the event of an attack and any delays in response typically magnify the consequences of a successful attack. Having current, validated information and a plan to reach out is critical.

  • Employee Awareness. Conduct spear phishing and other exercises to raise employee awareness of common attacks. Reinforce the imperative to report computers or phones exhibiting any unusual behavior. Deny the criminals the initial entry into your systems that allows them to execute attacks over the holidays and beyond.

  • Exercise Makes an Organization Healthy. Exercise your incident response plan now, so that if the worst happens you can respond quickly to minimize the impact. Conducting rigorous security stress tests now also gives you time to make needed improvements or to develop a basic plan if you do not have one.

  • Backup up your Data. Confirm that you are backing up key data. Ask your IT staff to test the backup system, and verify that that these backups are offline and COMPLETELY out of the reach of criminals. Many attacks succeed simply because the organizational back-up strategy is incomplete or permits criminals access to the backed-up information.

There are other things that you and your IT departments can do, for example, with respect to end-to-end encryption of data, the careful review of the security of open-source software, multi-factor authentication and other limitations on system access, etc. For now, we offer this update and our readiness to assist if you need help at year end and into the future.

©2024 Epstein Becker & Green, P.C. All rights reserved.

Current Legal Analysis

More from Epstein Becker & Green, P.C.

The FTC Finally Pulls the Trigger on a Final Noncompete Rule, with a Few Changes, but Remains Unlikely to Ever Hit Its Target
by: Erik W. Weibust , Peter A. Steinmeyer
Employment Law This Week Episode 343 - SCOTUS Expands Title VII, EEOC’s Final PWFA Rule, AI Screening Tools [Video, Podcast]
by: George Carroll Whipple, III
EEOC Final Rule Implementing the Pregnant Workers Fairness Act
by: Jennifer Stefanick Barna , Marguerite (Maggie) McGowan Stringer
Interested in Opening a Medical Spa? Here’s What You Need to Know
by: John W. Eriksen , Nivedita B. Patel
Five Commissioners and a Vote on Noncompetes to Come
by: E. John Steren , Patricia M. Wagner
U.S. Judicial Conference Aims to Curb "Judge Shopping": New Guidance Promoting Random Civil Case Assignments
by: Lori A. Medley , Scarlett L. Freeman
FTC Vote on Rule to Ban Non-Competes Scheduled for April 23rd
by: Mark L. Daniels
Insignificant Harm Not So Insignificant in Proving Title VII Transfer Violation - SCOTUS Today
by: Stuart M. Gerson
Maryland Expected to Expand Pay Transparency Requirements in Fall 2024
by: Ann Knuckles Mahoney , Tammy Tran
Employment Law This Week Episode 342 - Spilling Secrets: Navigating Physician Non-Compete Litigation [Video, Podcast]
by: Jill K. Bigler , Daniel L. Fahey

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins