Protecting Your Company from Rogue Employees

While employee malfeasance rarely takes down entire companies, it can result in serious fines, sanctions, court judgments, settlements and reputational damage. Big data analytics is one way leading companies are able to mitigate risk, by proactively detecting threatening or illegal behavior.

Traditional ERM Approaches Won’t Do

Compliance officers do their best. They generally work within enterprise risk management (ERM) frameworks to introduce corporate policies and procedures, conduct risk avoidance training and audits, and create inter-disciplinary committees. They work with IT to run compliance auditing software on critical structured data, including financial databases and transactional applications.

By targeting only well-behaved structured data, however, compliance officers can lose sight of one key fact—structured data is a small percentage of organizational data. Data storage analysts report that most organizational data are only 15% to 20% structured data and 80% to 85% unstructured. This leaves a huge volume of data that presents serious compliance risk to IP, especially electronic communications.

While e-mail, instant messaging, texting and social media are ingrained in our culture, traditional auditing software does not focus on communications. These threats often evade notice until the damage is done.

Here are some ways threats can escape the radar of employers that have traditional ERM approaches:

  • Limited ability to analyze unstructured data. The inability to monitor unstructured data leaves the company open to regulatory consequences and other risk.
  • Keyword searching to winnow down data sets often delivers a high volume of false positive results. Filtering techniques such as keyword searches may not be highly accurate and require intensive manual review. The result is higher cost and longer timeframes for manual-review projects.
  • Potential security issues. Communication platforms are rapidly proliferating. Employees might be sharing inappropriate corporate information on social media, yet these mentions often go unmonitored by the company, potentially missing evidence of employee misconduct.
  • Complex regulatory changes. Many governmental and industry regulations are already complicated, and their revisions only intensify complexity. For example, since introducing Dodd-Frank, regulators have written 224 of 400 expected rules and continue to modify existing rules.
  • Case-by-case approaches. Case-centric approaches to litigation, investigations and regulatory compliance matters impede applying learning and attorney work product on these cases to other matters. This inability lengthens legal reviews and investigations and multiplies costs. Case-based discovery also makes it difficult to discover widespread risky communications between employee groups and outside organizations.
  • Geographic and organizational silos. Relevant data is spread across different storage locations and eDiscovery platforms, creating distinct data silos.

A Cautionary Tale

Here is an example of risk that can go undetected until it’s too late, as it did at Wells Fargo. Banker 1 is responsible for reaching high quarterly sales goals. His manager increases his sales goals for the next quarter. Banker 1 emails a colleague complaining about how his goals are impossible to meet. Banker 2 suggests he try a creative process called “pinning,” which consists of a banker enrolling an actual customer in online banking to create a “sale.” The banker fills in the customer’s name and address but puts in a fake email address so the customer never receives banking communications. The banker meets his sales goals—and hopes the customer never finds out.

How Big Data Analytics Can Help

Analytics tools are already omnipresent in eDiscovery and compliance reviews. They include predictive coding, email threading and concept searching. They are highly useful for culling large data volumes to more manageable sizes. They also locate meaningful text and concept patterns so that reviewers can strategically work with high priority documents.

The catch is that these analytics can only filter to a point, and only work on a single-case basis. No matter how the case management software learns from tagging and work product, that learning cannot be applied across multiple matters if it resides on different review platforms or with different vendors. Each time a new case begins, reviewers and their software must start over. This leads to very long and repetitive document review processes, already the single most expensive activity in eDiscovery. Clients and attorneys also risk exposing sensitive information as the matter makes its way between document review platforms and multiple stakeholders.

A big data approach, versus specific analytics tools can continuously consolidate billions of documents into a central repository. It can also apply machine and human learning to enable the reporting of trends, new data relationships, and fresh insights into data across all cases—not just a single matter—for greater efficiency, cost control and risk mitigation.

Going Lo-Fi At Sea May Mitigate Cyberrisk

Cyberthreats have become seaborne in recent years, and preventative measures are on the radars of governments and the shipping industry.

GPS and other electronic systems have proven to help ensure safe and accurate navigation, but they have also put digital bullseyes on ship decks. These technology upgrades have unwittingly exposed ships to cyberrisk because their signals are weak enough for remote perpetrators to jam.

When ships and crew members rely solely on GPS systems, they can be at the mercy of a cyberhacker seeking to provide wrong positions (or “spoof”), endanger the crew and their cargo, or hold the crew, cargo or sensitive information for ransom.

These risks are exacerbated by the fact that ships typically do not have automatic backup systems, and younger crew members are increasingly reliant upon the newer electronic navigation tools.

Allianz’s Safety and Shipping Review 2017 highlighted the growing threat of cybercrime in the sector, and noted the increasing level of activity in the last five years. For example, World Fuel Services fell victim to an online bunkering scam in 2014 when it agreed to participate in a tender for a large amount of fuel from what it believed to be the United States Defense Logistics Agency. Cybercriminals collected $18 million from that successful impersonation. In 2016, hundreds of South Korean vessels had to return to their ports after North Korea allegedly jammed their GPS signals.

The report noted that most maritime cyberattacks have been aimed at breaching corporate security, rather than taking control of vessels, but warned that such attacks could occur.

Captain Rahul Khanna, head of marine risk consulting at Allianz Global Corporate & Specialty, noted in the report that more, larger-scale attacks are imminent if the risks are not appropriately addressed. “We can’t put IT security on the backburner,” Khanna said. “Just imagine if hackers were able to take control of a large container ship on a strategically-important route. They could block transits for a long period of time, causing significant economic damage.”

The report also stressed that “crew education and identifying measures to back up and restore systems should be implemented” to reduce cyberrisk.

Looking Back For a Signal Forward
Some companies and governments have heeded the warnings and are identifying these indicators of attack. Preventative measures may lie in a maritime tool that had taken a backseat to the prevalence of GPS—a backup radio technology called Enhanced Long-Range Navigation (eLoran), which was developed in the United States in the mid-1990s. It has continental reach, emits strong signals via a low-frequency and relies on land-based transmitters that reveal a limited number of fixed positions. These once-limiting traits could be the automatic backup systems ships need in the event of jamming or spoofing.

On July 20, 2017, when the Department of Homeland Security Authorization Act (H.R. 2825) passed the floor of the U.S. House of Representatives, eLoran’s importance was stressed. The act includes a section titled “Backup Global Positioning System,” which features provisions for the U.S. Secretary of Transportation to initiate an eLoran system. H.R. 2825 proposes that eLoran be made available as a “reliable…positioning, navigation and timing system,” with the purpose of providing “a complement to, and backup for the Global Positioning System to ensure availability of uncorrupted and nondegraded positioning, navigation and timing signals for military and civilian users.”

Reuters this week reported that South Korea’s Ministry of Oceans and Fisheries is looking to establish the technology in a test form by 2019.

Time will tell if eLoran is the most practical and cost-efficient method to mitigate cyberthreats at sea. It seems if companies want to mitigate maritime cyberrisk now, the first steps would be to look to the technology of the past and turn on the radio.

Companies Must Evolve to Keep Up With Hackers

If you ask a CFO if their company’s current cybersecurity strategy is working, it’s very likely that they do not know. While at first they may think it is, because the company’s bank accounts are untouched, an adversary could be lurking in their network and collecting critical data to later hold for ransom—threatening to destroy it if the money isn’t paid. The truth is that many organizations are lacking effective risk management that ensures the integrity and availability of their most essential data.

Corporate America needs to take the power back and stop hackers before they compromise networks and exfiltrate data for criminal uses, or simply threaten to destroy it for financial gain. To shift the power back in their favor, they must safeguard data, implement an effective risk management program, and invest in risk reduction activities. Organizations need to assess the maturity of their cybersecurity efforts, determine if they have any pre-existing conditions, and focus on risk reduction efforts that truly protect their data, while ensuring the ability to deliver products and services.

The fastest way to check for pre-existing conditions is by doing a compromise assessment to identify any current suspicious activity within their network. From there, they can determine what exactly needs to be done to reduce their organization’s cyber risk and develop a risk management plan that outlines clear steps for protecting their most critical assets.

To develop a cybersecurity risk management plan, executives need to first define the company’s “crown jewels”—the things that if compromised, would cause the most damage or inhibit the ability to deliver products or services that generate revenue. For instance, for a bank, this could be access to funds by their individual or business customers, or banking information that could be used for fraudulent purposes. Once an organization knows what it’s protecting, the executives can then create a security roadmap that ensures the secure delivery of products or services.

The security roadmap should start with a business impact assessment that identifies those crown jewels that are needed for delivery of essential services or producing products. These can include the data itself, technical architecture or systems used by their customers to transact business. Once these have been identified a prioritized risk reduction plan needs to be developed and tracked by the company’s leadership. Every facet of risk should be considered, from legal risk, to the consequences of a data breach, or inability to deliver services resulting from an intrusion or denial-of-service attack.

While security assessments and roadmaps are essential for defining an organization’s adequate cyber defenses, one of the biggest mistakes we see businesses make is being reactive when it comes to their defenses—relying on traditional technologies that only identify known threats and leverage Indicators of Compromise (IoCs). This method does not capture new exploits fast enough, nor versions of malware or other obfuscation techniques that are introduced by sophisticated adversaries. A great example is the sheer speed at which WannaCry ransomware spread to organizations of all sizes across the globe. Adversaries are capitalizing on this reactive security shortcoming by taking advantage of this window of opportunity to comprise data or networks.

Instead, organizations must take a proactive approach that focuses on indicators of attack (IoAs) that identify adversary behavior indicating malicious activity, such as code execution or lateral movement. IoAs can alert businesses to adversary activity before any damage is done. To effectively make use of this data, businesses also need to leverage threat intelligence for deeper insights into these IoAs.

Threat intelligence provides a crucial layer of information on adversary motives, tactics, techniques and procedures. For instance, a bank could look at a threat and see if this particular adversary typically targets the financial services industry, which regions they operate in and the motive behind their attacks.

Going one step further, organizations should leverage technology that enables threat intelligence to be shared rapidly and can protect numerous customers at once. At the end of the day, effective security requires a community effort. Corporate America needs to come together and truly leverage the power of crowdsourced intelligence—to keep from becoming victims of the next big attack.

From a lack of risk management plans, to reliance on reactive security measures, there are a number of areas where companies are falling short of having an adequate cyber defense. By putting the necessary plans in place to secure the integrity of their critical data, taking a proactive approach to cyber threats and working together across industries and businesses, corporate America can collectively build a stronger cyber defense.

North Korea Now Suspected in Ransomware Attack

The massive cyberattack that has struck businesses, government agencies and citizens in more than 150 countries may be tied to hackers affiliated with North Korea. Called WannaCry, the ransomware encrypts the victim’s hard drive and demands a ransom of about $300 in the virtual currency bitcoin.

According to the Washington Post:

Several security researchers studying “WannaCry” on Monday found evidence of possible connections to, for instance, the crippling hack on Sony Pictures Entertainment in 2014 attributed by the U.S. government to North Korea. That hack occurred in the weeks before Sony released a satiric movie about a plot to kill North Korean leader Kim Jong Un.

The New York Times reported that the malicious software, based on a vulnerability included in the National Security Agency tools published by the Shadow Brokers hacker group, was distributed via email. The ransomware takes advantage of vulnerabilities in Microsoft Windows systems, generating the largest ransomware attack to date. Although the flaw was patched by the company months ago, the wide spread of the attack illustrates how many users fail to update their software. Institutions and government agencies affected included the Russian Interior Ministry, FedEx in the United States and Britain’s National Health Service.

Organizations are advised to save their data and take other measures to avoid being hacked. Kroll said that while the particular ransomware variation involved in hundreds of thousands of incidents has now been rendered largely harmless, its cyber security and investigations team “strongly recommends that organizations recognize that a small change in the malware code could reactivate it. So action should be taken in conjunction with your technology unit to reduce your risk and prepare for inevitable future similar attacks. If the malware has entered your network, it has the ability to spread—and spread rapidly.”

According to Kroll:

  • Obsolete versions of Microsoft Windows are particularly vulnerable. We understand that there may be very specific circumstances that require you to use versions that are no longer supported, but now is the time to revisit the topic. See if there is any way you could use a supported operating system running a virtual version of the operating system you need.
  • Microsoft has been working to roll out updates that can fix the underlying security weakness that this malware exploits. You should make sure that both your personal and business machines running Windows are updated. We know that many people don’t want to take the time to close out all their files and restart their computers to allow updates to occur, but this is an important defense against the WannaCry ransomware. As an indicator of how serious the threat is, note that Microsoft has even released a security patch for the old Windows XP system. Please take steps to assure that all relevant machines running the Windows operating system are updated.
  • Organizations that don’t have well-thought-out backup and recovery plans are also very vulnerable. Management should be asking if there is a plan to assure that all important files are backed up in a way that will prevent a ransomware infection from attacking both the primary files and the backups.

President Trump ordered homeland security adviser Thomas P. Bossert to coordinate a government response to the spread of malware and find out who was responsible. According to the Times:

“The source of the attack is a delicate issue for the United States because the vulnerability on which the malicious software is based was published by a group called the Shadow Brokers, which last summer began publishing cybertools developed by the National Security Agency.”

Government investigators, while not publicly acknowledging that the computer code was developed by American intelligence agencies, say they are still investigating how the code got out. There are many theories, but increasingly it looks as though the initial breach came from an insider, perhaps a government contractor.

In a report, How to Protect Your Networks from Ransomware, the U.S. government recommends that users and administrators take preventative measures, including:

  • Implement an awareness and training program. Because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.
  • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
  • Configure firewalls to block access to known malicious IP addresses.
  • Patch operating systems, software, and firmware on devices. Consider using a centralized patch management system.
  • Set anti-virus and anti-malware programs to conduct regular scans automatically.
  • Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed; and those with a need for administrator accounts should only use them when necessary.