In 2016, businesses and consumers encountered some of the largest computer breaches and attacks on record. These include the 2014 breach at Yahoo! with the hacking of 500 million user accounts, the proliferation of ransomware hitting nearly half of all U.S. businesses and persisting questions about the extent to which hacking infiltrated our national election.
Unfortunately, ominous threats will continue to proliferate. Employee vigilance and training must be persistent. A company's preventative measures must be built across cross-functional sectors, not just information-technology personnel. The following is a list of evolving threats.
n Extortion hacks. Attackers threaten to release sensitive company or customer data if the victim doesn't pay up or meet some other demand. Many of these schemes derive from social-engineering tactics tricking users into activating malware. Even if you have backed up your data, public release of the data could hurt the company and/or customers. The most notable extortion hack occurred to the online dating site Ashley Madison in 2015, when millions of usernames were released to the general public.
n Data integrity issues. The phrase "data integrity" is often used interchangeably with "data security" but carries a distinct meaning. Data integrity refers to the continuing accuracy and validity of information, particularly as it changes hands. Data integrity is a central focus of an effective data-security program. Tampering with the integrity of data is very difficult to detect. Changes to data can be minimal, yet have dire consequences. Imagine a bug introduced to the Dow Jones trading application that manipulates stock prices by a penny.
n Credit card fraud. Although retailers are using chip and PIN technology to encrypt credit card transactions, the rise of credit card fraud continues. Fraud for "card-not-present" transactions, those completed over the phone or online, increased from 30 percent to 69 percent in 2016.
n Unsecured Internet of Things devices. More than a billion devices (such as DVRs, web cameras, wireless routers, refrigerators and televisions) are connected to the internet. Many of these devices have lax security. We will see an increase in attacks, such as the Distributed Denial of Service attack launched using about 100,000 internet-connected devices to shut down the domain-name service provider, Dyn. DNS is the web routing system that turns a website name, such as Google.com, into a computer-readable internet protocol address, such as 18.104.22.168. Without a DNS, a web browser cannot find the website you want to view. All users of IoT devices, such as wireless routers, should change the default admin password.
n Network backdoors. In 2016, a backdoor, found on Juniper firewalls, gave the attacker the ability to decrypt traffic running through the virtual private network. As a result, there is speculation that other network-manufacturing companies will find these unwelcome backdoors built into their products.
n Phishing for W-2s. Last year, numerous businesses were victimized by phishing scams where unsuspecting employees sent employee W-2s in response to emails purporting to be from senior management. The IRS has recently issued an urgent alert that these continuing scams have extended beyond the business sector and are now targeting school districts, tribal organizations and nonprofits. The scammers are coupling their efforts to steal W-2s with a scheme requesting wire transfers, thereby victimizing some organizations twice. Organizations should educate payroll, finance and human-resource personnel on how to identify specious emails and implement strict internal policies on distributing W-2s and conducting wire transfers with appropriate levels of controls. •
Steven M. Richard is a business litigator at Nixon Peabody.