5 cyber tips for corporations after the Russian hacker indictments
Private corporations can fall prey to hackers even if they have top-notch cybersecurity.
The indictment handed down against 12 Russian nationals over the hacks of the Clinton campaign and the Democratic National Committee ahead of the 2016 U.S. elections is a reminder that even sophisticated organizations aren’t immune to cyberattacks.
That includes private corporations, which can also fall prey to hackers, even if they have top-notch cybersecurity.
“Whether you’re in-house counsel or outside counsel involved in the cybersecurity world, what happened in the presidential election plus other incidents that have been reported in the media [prove that] nobody is safe,” Gary M. Schober, a partner at Hodgson Russ, said.
We spoke to two attorneys focused on cybersecurity about what corporations can learn from the hack of the Clinton campaign and the DNC. Here’s how they said companies can best protect their information and respond to an attack.
1. Be prepared for it to happen … it will. Whether or not a cyberattack is imminent, companies should have a plan in place for dealing with those attacks so there is little delay in handling their aftermath, said Schober. “You should first and foremost have your process for what you’re going to do set up before the breach,” he said.
2. Find ways to protect against spear phishing. According to the indictment, the Russian nationals first infiltrated the DNC through spear phishing attacks: the use of personalized emails to get network access. Edward McAndrew, a partner at Ballard Spahr, said there are a number of programs that reduce the chances of getting hit with this type of hack. One is Domain-based Message Authentication, Reporting and Conformance (DMARC), which McAndrew said lets a receiving mail system recognize that an email claiming to come from a domain did not actually come from that domain’s authorized source.
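To make the DMARC check concrete, here is an added example (not code from the article or from either attorney) of how a receiving mail server decides whether a message's visible From: domain is backed by an aligned SPF or DKIM result and, if not, what the domain owner's published policy says to do. The DMARC record, domain names and authentication results below are constructed for the example, and the organizational-domain helper is a deliberate simplification of the Public Suffix List lookup real implementations use.

```python
"""Minimal DMARC policy evaluation (added example; record and messages are constructed).

A domain publishes a TXT record at _dmarc.<domain> such as
    v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.org
The receiver checks that SPF or DKIM passed for a domain *aligned* with the
RFC5322.From domain; otherwise it applies the p= disposition and can report
the failure to the rua= address. Tag names follow RFC 7489.
"""
from dataclasses import dataclass

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dictionary, filling in defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in VALID_POLICIES:
        raise ValueError("not a valid DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")  # DKIM alignment: r = relaxed, s = strict
    tags.setdefault("aspf", "r")   # SPF alignment
    return tags


def organizational_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.
    Simplification: production code consults the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain in the visible From: header
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # envelope (MAIL FROM) domain that SPF checked
    dkim_result: str
    dkim_domain: str   # d= domain of the DKIM signature, if any


def evaluate_dmarc(record: dict, r: AuthResults) -> str:
    """Return 'pass', or the policy disposition when neither check is aligned."""
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, record["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, record["adkim"])
    return "pass" if (spf_ok or dkim_ok) else record["p"]


# Constructed record for the fictional domain example.org (assumption, not a real lookup).
SAMPLE_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.org"

# Constructed authentication results a receiver might compute for three messages.
SAMPLE_MESSAGES = [
    ("legitimate, relayed by mail.example.org",
     AuthResults("example.org", "pass", "mail.example.org", "pass", "example.org")),
    ("lookalike sender: SPF/DKIM pass only for examp1e.org",
     AuthResults("example.org", "pass", "examp1e.org", "pass", "examp1e.org")),
    ("no authentication at all",
     AuthResults("example.org", "fail", "example.org", "none", "")),
]


def evaluate_samples() -> list:
    """Evaluate each constructed message and return (label, disposition) pairs."""
    record = parse_dmarc_record(SAMPLE_RECORD)
    return [(label, evaluate_dmarc(record, results)) for label, results in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for label, disposition in evaluate_samples():
        print("%-55s -> %s" % (label, disposition))
```

The second message is the case the article's point is about: the mail authenticates perfectly well, just for a domain the recipient's organization does not own, and relaxed or strict alignment against the From: domain is what exposes it. The `rua=` tag is why DMARC is also a detection control: the receiver can send the domain owner aggregate reports of exactly these failures.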
3. Train away. It’s unclear what type of cyber training the Clinton campaign and the DNC engaged in with their employees, but training can be a big help in stopping the next attack. “Education is a key part of this. We all need to educate our people on the necessity and importance of protecting data,” Schober said. Without being taught the risks, employees are more likely to open files attached to malicious emails that allow hackers to gain access to the data, he added.
4. Create an incentive for self-reporting. The indictment does not say whether anyone who clicked on a malicious email in the election hacks reported it. But McAndrew said that in general, in interviews with employees in the aftermath of a breach, many of them say they didn’t think to report the suspicious link they clicked on. The sooner an employee discloses clicking on a link, he said, the sooner the company can investigate and mitigate the damage done. “There are a lot of disincentives for employees to be open about clicking on the wrong email,” McAndrew said.
5. Report the hack. Once a breach has happened, make sure the company reports it to all of the right authorities. Schober said that companies should know where they do business and what the notification requirements are in those jurisdictions, so they don’t face potential fines. The DNC reported the hack it experienced in June 2016, shortly after it was discovered.
Dan Clark (dclark@alm.com) covers cyber security, legal operations and intellectual property for the ALM publication, Corporate Counsel. Follow him on Twitter @Danclarkalm.