Executives are highly targeted for social engineering and other efforts to gain access to their information. Whether the data is from the recent Yahoo breach (or any other breach), there is an active market for information, including information from your employees and executives. This information can be used to access accounts, build a spear-phishing profile, gather intelligence on execs or simply embarrass them. Some thoughts:
Uniquely exposed and privy to the most sensitive information, executives should be a key focus of technologically savvy employment lawyers. They are at risk on the road, targeted by adversaries at home, subject to the most vile forms of retaliation, are the victims of concerted spear-phishing and are required to act as if their emails are, in fact, public.
The world of managing cyber risk demands nothing less than a sharp focus on execs, including recognizing that every denizen of the C-suite should be carefully subject to the principle of least privilege and that executive agreements require careful drafting to include technology and data both during work and after termination. Here are a number of pieces on the subject, with many more to follow.
Attacks against employees (and by extension, against your company) can extend to their homes (see here on doxing and swatting executives).
One concern is home Wi-Fi systems – which can present an open threat vector when an employee links corporate assets to it. Some thoughts on ensuring that home networks do not become a major cyber threat:
A Computer Fraud and Abuse Act case involving the Houston Astros and St. Louis Cardinals provides some key lessons for employers and their lawyers about cybersecurity. While this case is getting press because it involves Major League Baseball, nothing in this matter is surprising and everything was avoidable.
This month’s Wired Magazine has an interesting sidebar about preventing doxing (sometimes, doxxing), which, according to authors Laura Hudson and Anita Sarkeesian, occurs when:
[p]erpetrators publish your address or other info online, exposing you to escalating abuse, even physical violence.
Doxing is related, in a way, to swatting, during which a caller convinces law enforcement that there is an emergency (such as a hostage situation) at the address of the victim of the hoax – thereby triggering a massive police response.
Both depend on the availability of information about the victim in the online environment.
Two well-known doxing attacks – the Sony hack of late last year and the Ashley Madison attack – make it clear that this is a serious problem. As The Atlantic puts it, “[w]elcome to the age of organizational doxxing.” Other, lesser-known attacks show that the problem is increasing against celebrities and executives.
Unfortunately, this is relevant to readers of this blog – employers and their lawyers – because employees will increasingly become victims of these kinds of attacks, especially if the employee is high profile or otherwise controversial.
In addition to those set out by Wired, defenses include:
- Excellent corporate cyber-security, including elevating human resources systems to the highest level of protection.
- Excellent personal cyber-security, including using two-factor authentication on every service – and not using those that do not have it.
- Excellent privacy policies in HR, to ensure that information is shared only according to protocol.
- Good address protection. Executives who may be subject to any of these kinds of attacks should sit with their lawyers to work on this problem.
- Use opt-out tools from data brokers. See Ken Gagne’s excellent guidance, here.
- Recognition that the cyber and physical security of executives – and the services provided by those departments – may extend well beyond the walls of the enterprise. Comprehensive assessment, planning and testing by all security professionals is essential. Note that some security work may end up being a taxable fringe benefit if not done properly.
Employees who travel, especially internationally, are subject to unique cybersecurity and privacy risks – and risk of legal trouble if they carry the wrong kinds of data. Employers ought to develop comprehensive travel policies to protect their data.
The following is a checklist, with some explanations, of what such a policy ought to contain.
“Never write if you can speak; never speak if you can nod; never nod if you can wink.”
Prescient advice for the age of data theft from Gilded Age politician Martin Lomasney.