Recent data thefts and systems intrusions, particularly ransomware, have ensured that cybersecurity is top of mind for corporate executives and compliance officials. We at EBG have tried to keep you up to date on legislative, regulatory and litigation developments and on recommended best practices and procedures. As we close out the year, we all should remain mindful that cyber criminals, especially those who are supported or protected by foreign adversaries, have little incentive to rest during the holidays. Indeed, they likely will find that a loosened, semi-remote business environment offers them opportunities to exploit human and technological weaknesses that allow execution of zero-day exploits and other attacks upon corporate information systems. Through our participation in the National Chamber of Commerce Cyber Security Working Group, we have been actively interfacing with Executive Branch and Congressional officials to contribute to and to monitor the array of proposals being considered by Congress, as well as the regulatory guidance being issued by federal agencies, including the National Institute of Standards and Technology (“NIST”) of the Department of Commerce, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”), the Department of Health & Human Services Office of Civil Rights, which deals with PHI protection, and the Treasury Department’s Office of Foreign Asset Control (“OFAC”). Accordingly, we have issued recent guidance concerning ransomware avoidance and resilience, the availability of helpful best-practices toolkits from NIST and CISA, and heightened responsibilities with respect to ransomware payment decisions. We expect that the need for counseling on cybersecurity and privacy compliance, data breach and ransomware response, and litigation defense is unlikely to diminish in the year ahead.
Government recognizes this as well, from both regulatory and enforcement perspectives.
Given, among other things, recently demonstrated weakness throughout the critical infrastructure and the prevalence of damaging ransomware incidents in the private sector, multiple bills are pending in the House and Senate. Given the pressure to deal with infrastructure, voting rights and the national debt, it is not likely that Congress will pass definitive legislation affecting the private sector this year. 2022, however, is likely to be a different matter. For example, there is overwhelming bipartisan support for a national breach notification law, with the only real point of division being how much time the victim of a breach would have to report it. Support appears to be coalescing around 72 hours from confirmation; exactly what constitutes actual knowledge and verification remains to be determined. In the Executive Branch, the Departments of Justice and Treasury are undertaking heightened enforcement initiatives, and the President has mandated cybersecurity requirements applicable to government agencies and federal contractors.
The continuing interest and involvement of the administration in cyber prevention, response and enforcement is highlighted by today’s open memo from the most-senior White House cybersecurity officials—Anne Neuberger and Chris Inglis—on “Protecting Against Malicious Cyber Activity before the Holidays” to corporate executives and business leaders.
The (sharable) memo says, in part—
Here are some best practices that can be implemented immediately. We recommend that you confirm with your IT teams that these are in place:
Updated Patching. Criminals count on victims failing to patch their systems and usually take advantage of long-known and fixable vulnerabilities. Patching should be up-to-date, against all known vulnerabilities.
Know your Network: Enable logs; pay attention; investigate quickly. Intrusions can be stopped before the impact. Secure organizations assume they will be compromised, but work to minimize the effect of a compromise.
Change Passwords and Mandate Multi-Factor Authentication (MFA). Ask your IT staff how long it has been since employees changed their passwords. Many criminals use stolen credentials, so forcing a reset (with adequate length and complexity) before the holidays can deny malicious actors access to your systems. At the same time, confirm that your organization has implemented MFA and that it is required without exception. If you have MFA available, but are not requiring it, change that—require all staff to use the security technology that you have already acquired. MFA significantly reduces your risk from almost all opportunistic attempts to gain entry into key systems.
Manage Schedules. Review staffing plans for your IT and security teams to ensure you have sufficient holiday coverage. Similarly, identify those IT and security employees who are on 24/7 call in the event of a cybersecurity incident or ransomware attack. Minutes count in the event of an attack and any delays in response typically magnify the consequences of a successful attack. Having current, validated information and a plan to reach out is critical.
Employee Awareness. Conduct spear phishing and other exercises to raise employee awareness of common attacks. Reinforce the imperative to report computers or phones exhibiting any unusual behavior. Deny the criminals the initial entry into your systems that allows them to execute attacks over the holidays and beyond.
Exercise Makes an Organization Healthy. Exercise your incident response plan now, so that if the worst happens you can respond quickly to minimize the impact. Conducting rigorous security stress tests now also gives you time to make needed improvements or to develop a basic plan if you do not have one.
Back up your Data. Confirm that you are backing up key data. Ask your IT staff to test the backup system, and verify that these backups are offline and COMPLETELY out of the reach of criminals. Many attacks succeed simply because the organizational back-up strategy is incomplete or permits criminals access to the backed-up information.
There are other measures that you and your IT departments can take, for example with respect to end-to-end encryption of data, careful review of the security of open-source software, and multi-factor authentication and other limitations on system access.
©2021 Epstein Becker & Green, P.C. All rights reserved. National Law Review, Volume XI, Number 352