By Michael Canfield, originally published in Buffalo Law Journal, Buffalo Business First on Jan 8, 2018, 12:02pm EST Updated Jan 9, 2018, 9:46am.

Front-line Workers Key to Defense in Cyber Attacks

Special Report: Cyber Security/Data Storage

Businesses are attacked on a daily basis by hackers looking to gain access to protected information, and it’s not just cybersecurity personnel who have to deal with the issue.

Front-line employees are often the target of attacks through email accounts, whether it’s an email asking for specific information or asking an employee to click on a malicious link or open an attachment.

Indeed, the stakes are high: One mistake by one employee can cost millions of dollars.

Training employees is vitally important, said William Prohn, managing partner of Dopkins System Consultants. The first step is educating employees about what information the business is looking to protect.

“You have to train employees on what you want them to do,” Prohn said. “If they don’t know, you have to tell them that. As an employee, what should they be worried about?”

Different businesses require different levels of protection, he said. It’s up to the employer to clarify the priorities.

“If you don’t tell people, they’re not going to be able to guess,” he said.

It’s also important to inform employees of the steps being taken to protect company information, Prohn said. For instance, if the employer decides to block certain websites, workers must be notified. Otherwise they may assume their system is broken and look for work-arounds, circumventing what the employer is trying to accomplish.

“If people aren’t aware, they get frustrated,” Prohn said. “Tell them, ‘This is what I’m doing and why.’ ”

When training employees to be on guard for possible attacks, it’s far better to use emails that have actually been sent to the firm or business, as opposed to stories from other places.

“People hear the stories and think it doesn’t apply to them,” he said.

Examples from the workplace drive the point home, Prohn said.

“It’s so much more insightful if it happened to the guy sitting next to you,” he said. “It’s so much more meaningful to see real examples.”

But training employees in a large group can backfire. He said if the trainer is talking to someone in their 50s, a 20-something might not tune in. It’s better to separate groups and tailor the training. The millennial generation grew up with computers and may have different questions than older employees.

Using subscription services that simulate phishing attacks can be helpful because they help employers identify who may need additional training. Such services will get employees talking, and that leads to workers helping each other, Prohn said.

“It shows you who got the message and who didn’t get the message,” he said.

Law firms present a target to hackers because they have information that can be used for blackmail or have intellectual property or trade secrets, said security expert David Newell of loptr LLC.

“It’s information that can be pretty valuable to the bad guys,” he said.

Once employers and employees understand why their company may be targeted, they can be proactive and look ahead to what they can do to prevent a breach or security incident. Along with training, that could include monitoring computers to see if they’re acting differently. For law firms, it’s important to monitor activity in the network. It’s a blind spot, according to Newell, and the monitoring is usually undertaken by the IT staff.

“They don’t actually spot when a computer connects to a network in Russia and starts transferring data from the computer to a server in Russia,” he said. “Monitoring information coming into and going out of the network is a key thing in seeing if you’ve been compromised.”

Phishing attacks and business email compromise (BEC) attacks have become more sophisticated, Newell said. In a BEC attack, a hacker tries to get an employee to make a money transfer or to send personal data to the attacker. To that end, hackers will put in a lot of work in order to appear legitimate. One way is by registering an email account containing the name of a law firm’s partner. Once they have the address, they’ll send an email to the firm, pretending to be the partner. For instance, if they discover from social media that the partner is traveling in Europe, the email may ask for money, acting as the partner and saying that he or she is stranded and in need of assistance.

“That becomes compelling because they’re actually using information that is accurate,” Newell said.

Attackers may also use what is called a “typo attack,” he said. They may register a domain that is similar to a firm’s or use a misspelling of a name to make it appear similar.

“Those attacks can be really hard to spot,” he said.

Hacking hints

Cyber security experts used to tell people to be on the alert for bad grammar or misspellings, he said, because most phishing emails were written by non-English-speaking attackers and were badly written. However, phishing attacks are now well-written and more difficult to distinguish from legitimate emails.

Attackers have also started using secure websites in their attacks.

“If they create a fake website tricking you into giving them your paypal credentials, what they can do is register a domain and put the word paypal in the domain somewhere,” Newell said. “When you are looking at it, you’ll see something like ‘paypal.com.evilhacker.org.’ What you don’t notice is that ‘evilhacker.org’ is on the end of paypal.com. You see the paypal and would think it’s legit.”
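
The two domain tricks Newell describes, the look-alike “typo” domain and the trusted name placed in front of an attacker-owned domain, can be checked mechanically by a mail or web filter. The following Python is an added example, not part of the original article; the allow-list, the sample addresses and the two-label shortcut for finding the registered domain are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allow-list: domains the firm actually does business with.
TRUSTED = {"paypal.com", "examplelawfirm.com"}

def registrable_domain(host):
    # Assumption: the registered domain is the last two labels. Real filters
    # should consult the Public Suffix List so names like example.co.uk work.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a, b):
    # Classic Levenshtein distance, computed one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(value, trusted=TRUSTED):
    """Classify a URL or e-mail address against the trusted domains."""
    if "@" in value and "://" not in value:
        host = value.rsplit("@", 1)[1]          # e-mail address
    else:
        host = urlsplit(value if "://" in value else "//" + value).hostname or ""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    for good in trusted:
        brand = good.split(".")[0]
        # Trusted name is visible in the host, but someone else owns the domain.
        if good in host or brand in host.split("."):
            return "embedded-brand"
    for good in trusted:
        # A couple of changed characters away from a trusted domain.
        if edit_distance(reg, good) <= 2:
            return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    for sample in ("https://paypal.com.evilhacker.org/login",
                   "partner@examplelawfirrn.com",
                   "https://www.paypal.com/signin"):
        print(sample, "->", classify(sample))
```
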

Poor grammar, misspellings and secure websites are signals of a possible attack, Newell said.

Law firms should consider using a service such as Dropbox to transmit files, as opposed to email, he added.

Dennis Vacco, partner at Lippes Mathias Wexler Friedman, has experience in working with clients after cyber attacks. Companies are realizing that it’s not just the IT department that needs to be aware of cyber attacks.

“The best front-line defense is the aware and cognizant employee,” he said.

Vacco worked recently with a local company where an employee received an email that appeared to come from the CEO requesting personnel records to be transmitted to a third party. The employee started sending the material but because it was a large amount, it had to be sent piecemeal. She contacted a supervisor to ask if she should be doing it that way. That’s when it was discovered that the email address was not really the CEO’s.

“Unfortunately, there was a data breach based upon that very simple, but fraudulent, email,” he said.

The incident underscores that the “best-in-class” companies need to constantly be training and reminding their staff of protocols, Vacco said. The attack may happen in any department.

A response plan is critical, according to Vacco, and must be implemented as soon as a breach is detected.

Companies with a plan are the “most likely to limit the damage of a cyber attack,” he said.

Employees must be vigilant.

“From my perspective, if it doesn’t look right, it probably isn’t,” Vacco said.

Jennifer Beckage, a partner at Phillips Lytle, said employees should ask questions if they don’t understand a protocol when it comes to cyber security. The company culture must promote that, she said, encouraging workers to ask questions along the way.

“You have to create a culture where people are comfortable saying something,” she said. “You want people to be approachable and comfortable with management.”

It’s better to ask questions than fall victim to an attack, Beckage said.

“Hackers are clever,” she said.