[BreachExchange] Common Sense Communication Cuts Cyber Risk

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jan 12 20:04:43 EST 2017


http://opensources.info/common-sense-communication-cuts-cyber-risk/

It’s early in the year. Famco’s employees are looking to get their taxes
done. Anticipated refunds will ease the pain from holiday excess. The small
manufacturer’s CFO sighs in relief that the rush to complete the corporate
W-2s is done.

Down the hall, Famco’s controller opens an email from his CEO. Nothing out
of the ordinary in how it looks, but its message is a bit odd. The CEO says
she’s working on a significant project for tax purposes and needs all
employee 2016 W-2s pronto in .pdf form. She’s a hard driver. The controller
fears wasting her time if he raises questions, so he dutifully rolls all
the W-2s into one attachment and responds.

No questions asked–just obedience–even though he knows the CEO never works
hands-on at this level. But, if that’s what she wants…

The next week, one of Famco’s sales managers stops by the CFO’s door
complaining that he couldn’t file his taxes electronically. The IRS claimed
to already have his return on file. He expects a substantial refund and is
frustrated. The next day, Famco’s logistics coordinator emails the CFO
asking about problems with the IRS refusing to accept tax returns.

Curious now, the CFO visits the IRS website. He sees an IRS Notice about
false tax returns being filed by criminal elements claiming taxpayer
refunds. The ruse is discovered when the taxpayer’s efforts to file
electronically are rejected. The Notice warns this is now a common internet
scam, “phishing”, where the scammer duplicates a corporate email style and
uses what looks like a CEO’s email address as the originating email to a
CFO or controller seeking employee W-2s. But the key to the scam is that
the email’s return domain is almost imperceptibly varied. Instead of
“CEO at famcorp.com”, it might be “CEO at famcoorp.com”, “CEO at famcorp.rus” or
some other slight, but significant, shift.
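The lookalike-domain trick above is exactly what a mail gateway or a quick triage script can check for. The following is an added example, not code from the article: it assumes famcorp.com is the company's real domain, compares the From and Reply-To domains against it using an edit distance, and runs over a constructed sample message.

```python
# Added example (not from the article): flag messages whose sender or
# Reply-To domain is a near-miss of the company's own domain.
# Assumes the real domain is famcorp.com; the sample headers are constructed.
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "famcorp.com"  # assumption: Famco's real domain

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain: str, trusted: str = COMPANY_DOMAIN) -> str:
    """Return 'ok', 'lookalike' or 'external' for one sender domain."""
    domain = domain.lower()
    if domain == trusted or domain.endswith("." + trusted):
        return "ok"
    t_label = trusted.rpartition(".")[0]  # "famcorp"
    d_label = domain.rpartition(".")[0]
    # Same name under another TLD (famcorp.rus) or within two edits (famcoorp.com)
    if edit_distance(d_label, t_label) <= 2:
        return "lookalike"
    return "external"

def check_message(raw: str) -> dict:
    """Classify From and Reply-To; a Reply-To on a look-alike domain is how
    the controller's answer reaches the scammer instead of the CEO."""
    msg = message_from_string(raw)
    findings = {}
    for header in ("From", "Reply-To"):
        addr = parseaddr(msg.get(header, ""))[1]
        if addr:
            findings[header] = classify_domain(addr.rpartition("@")[2])
    return findings

# Constructed sample: display name and From look right, Reply-To does not.
SAMPLE = """From: "Jane Doe" <CEO@famcorp.com>
Reply-To: CEO@famcoorp.com
Subject: 2016 W-2s needed today

Please send all employee 2016 W-2s as one PDF.
"""

if __name__ == "__main__":
    print(check_message(SAMPLE))  # {'From': 'ok', 'Reply-To': 'lookalike'}
```

A real deployment would also compare the envelope sender and any display-name mismatch, but the domain check alone catches both variants the article cites.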

Famco’s CFO immediately calls his staff together. The controller mentions
the CEO’s email and how he promptly and dutifully responded, no questions asked.
Copies of the relevant emails are produced. Indeed, the controller’s
response with the W-2s was routed not to the CEO, but rather to the
internet’s dark underbelly, putting all employee personal identifying
information, “PII” (e.g., here: names, addresses, social security numbers
and earnings), instantly in scammers’ hands. Sickened, the CFO takes this
information to the CEO.

Famco has a serious, immediate problem, and the CEO is very concerned.
Suddenly the entire cybersecurity of the company is in doubt. The company’s
counsel must be involved. The Tech Support team verifies there was no
breach of their firewalls or security in software or hardware. Costly and
embarrassing employee notifications must be issued. But how? When?
Federal or state mandated public notification may be necessary. Risk
scenarios have to be determined. Do law enforcement authorities need
notification? Is that confidential? Board or even shareholder notification
requirements may apply. Identity protection needs to be purchased for
impacted people at the company’s expense. What about cyber-risk insurance
coverage? Intercepted Famco employee refunds need recompense.

The list goes on. Even for a small company such an event can crush profits
or worse, with remediation costs running deep into the thousands, tens of
thousands of dollars or even more. Larger companies can expect remediation
costs running into the millions of dollars as the number of those impacted
skyrockets. Bad publicity, loss of goodwill and reputational damage just
pile it on.

Some corporate leaders may scoff, “that will never happen to us!” In
reality, the question is not “if”, but “when”. Thousands of upstanding
companies, large and small, around the country were scammed like this in
the past two years alone. Walter | Haverfield’s Cybersecurity Team received
a number of client calls here as tax season unfolded last year. No doubt
new scams are developing for 2017.

But this sort of phishing scam is avoidable if the company creates an
atmosphere of 360-degree verification on trade secret, intellectual
property, PII, and other confidential information. Had the controller
simply verified the email request with the CFO or even the CEO, the entire
disaster would have been avoided. A priority must be stressed within the
company of verifying questionable or even routine-looking requests for such
information up the chain of responsibility. Company policies need to be in
place – with employees trained – requiring verification either in person,
by phone, or by separate (not “reply”) email before response to such
emails, regardless of the person purportedly seeking the information.

Although Famco is a fictitious name here, these incidents are as real as
real can be. The time to “respond” to an incident is before the incident by
putting the company’s response outline in place in advance of a breach.
Only the scammer knows when that will happen. Experienced cybersecurity
attorneys can assist in developing such policies and even more importantly
can help create an Incident Response Plan or Cyber Incident Management
Plan. If disaster strikes your company – whether or not you had adequate
plans in place – make sure you have the right legal resources to help assist
in getting through these problems efficiently, effectively and economically.