In April of this year, which seems far longer than eight months ago, we posted about an alert from federal agencies warning that cyber threat actors were exploiting the coronavirus pandemic to fuel phishing and other attacks. Those efforts have continued throughout the year with attackers now retooling their messaging around the COVID-19 vaccine. Criminal

In the US, many organizations anxiously awaiting assistance under the CARES Act are becoming the targets of cyberattackers looking to feed off of the massive relief being provided by the US treasury. Yesterday, the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert warning of a substantial increase in these attacks, providing helpful guidance concerning the nature of the attacks and related information.

Specifically, the alert provides information on exploitation by cybercriminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for detection as well as mitigation advice. The alert notes that the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organizations.

Organizations may not be able to prevent all attacks, but there are steps they could take to minimize the chance and impact of a successful attack, and to be prepared to respond. Here are just a few of those steps.

Before an Attack

  1. Build the right team
  • Ensure you have an IT team in place, whether internal or through a third-party vendor, that is well-versed in emerging threats and prepared to support the organization in the event of an attack.
  1. Secure the systems
  • Conduct a risk assessment and penetration test to understand the potential for exposure to malware.
  • Implement technical measures and policies that can prevent an attack, such as endpoint security, multi-factor authentication, regular updates to virus and malware definitions/protections, intrusion prevention software and web browser protection, and monitor user activity for unauthorized and high risk activities.
  1. Make your employees aware of the risks and steps they must take in case of an attack
  • This is particularly critical now – educate employees on how to recognize phishing attacks and dangerous sites — say it, show them, and do it regularly. This includes instructing them to use caution when clicking directly on links in emails, even if the sender appears to be known — verify web addresses independently.
  • Employees should avoid revealing personal or financial information about themselves,  other employees, customers, and the company in email, including wiring instructions. If they must, they should confirm by phone.
  • Direct employees to pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
  • Instruct employees on what to do immediately if they believe an attack has occurred (e.g., notify IT, disconnect from network, and other measures) and what not to do (e.g., deleting system files, attempting to restore the system to an earlier date, and the like).
  1. Maintain backups
  • Backup data early and often.
  • Keep backup files disconnected from the network and in separate locations.
  1. Develop and practice an “Incident Response Plan”
  • Identify the internal team (e.g., leadership, IT, general counsel, and HR).
  • Identify the external team (e.g., insurance carrier, outside legal counsel, forensic investigator, and public relations).
  • Outline steps for organizational continuity — using backup files and new equipment, safeguarding systems, and updating employees.
  • Plan to involve law enforcement (e.g., FBI, IRS, Office of Civil Rights, and so on).
  • Plan to identify, assess, and comply with legal and contractual obligations.
  • Practice the response plan with the internal and external teams, reviewing and updating the plan to improve performance.

After an Attack
Continue Reading UK and US Issue Joint Cybersecurity Alert Concerning Explosion of COVID-19 Phishing Attacks

As announcements relaying the spread of Coronavirus (COVID-19) continue daily, governmental agencies at all levels are offering information and guidance, and businesses are scrambling to prepare and protect their employees and customers. As part of a larger group in my firm helping to synthesize all this information, there is an aspect of responding to

Human Resources (“HR”) and information technology (“IT”) departments play unique and important roles within an organization. With instances of data breaches on the rise, however, companies should be mindful of the importance of regular communication and collaboration between employees in these departments with respect to issues of data security. Addressing such issues should not be

News reports of security risks, hackings and breaches caused by individuals, terror groups or even countries around the world certainly are important and can be unsettling. But, for many organizations, including healthcare providers and business associates, a significant and perhaps more immediate area of data risk rests with an organization’s workforce members. An organization’s information

Have you hired a social media manager?  A social media guru/wizard/ninja/diva?  Each of these job "titles" are increasingly being used by companies to attract individuals who specialize in marketing a company’s brand and/or services in social media.  A recent article in the Chicago Tribune and Los Angeles Times highlights just how prevalent these job titles

A proposed regulation would require federal contractors to conduct privacy training on at least 7 key areas before being given access to government records or handling personally identifiable information. Failing to provide the training potentially would put a halt to the contractor’s government work.
Continue Reading Federal Contractors Required to Conduct Privacy Training Under Proposed Regulations

Today, Connecticut Attorney General Richard Blumenthal announced his office will investigate a data breach that occurred in late August that affected approximately 18,817 Connecticut health care professionals. The American Medical Association reported earlier that this breach involved the personal information, including Social Security numbers, of an estimated 850,000 physicians nationwide. What is most troubling

The Washington Post is reporting another inadvertent disclosure of sensitive information involving “peer-to-peer” or “P2P” technology. This time, the disclosure exposed a House Ethics Committee document outlining ongoing ethics investigations for an uncomfortably large number of House members. The same technology raises serious issues for employers.

According to the Washington Post, the now-terminated, junior committee