One of the most common forms of data or security breaches is the compromise of a business e-mail account that allows a threat actor to obtain financial or other sensitive information. Security professionals report that business e-mail compromises account for more than half of all data security incidents, and the FBI calls it “one of the most financially damaging online crimes.” Commentators predict that these types of breaches will continue to grow, based partly on the number of employees working from home, the general increase in cryptocurrency usage, and the use of artificial intelligence and deepfakes. With the likelihood that these breaches will increase in the coming years, companies should take action now.
Even if these breaches are nearly inevitable, there are things you can do to protect yourself and your company and to make it easier to deal with, and recover from, one of them.
- Create, implement, and follow data and information security policies and procedures. One of the benefits of having these policies in place is that it forces you and your company to be conscious of this issue and to take steps to protect against it. Note that this item says create, implement, and follow the policies and procedures. It is not enough to create and implement them. This item should also include reviewing the policies and procedures at least annually and amending them where needed.
- Train your company on data and information security. Many companies provide web-based training on security. Consider making this mandatory. If your company cannot afford to retain an outside consultant to provide training, at least meet with your people and talk about security. Make them aware of the policies and procedures. They need to understand that security is taken seriously. Let them know the downside: the average cost of a data breach can be more than $1 million.
- Get insured. Purchase cybersecurity insurance and purchase it in an adequate amount. We recommend at least $1 million in coverage. This is not an area where you want to skimp to save money. Also, make sure you understand what is covered. Some policies only cover lost and damaged data. You will want coverage that is broader. Make sure your coverage includes the attorney’s fees and expenses of any breach counsel you might need to retain.
- Don’t reuse passwords. No one wants to remember dozens of different passwords, but reusing passwords is not a good idea. If a threat actor is able to hack into something like an employee’s social media account, you can bet she or he will try those same credentials to see if they will work on the employee’s work e-mail account. Educate your people on this, and make it mandatory that they do not reuse passwords.
- Implement and follow data and document retention and destruction policies and procedures. There are many good things to say about data and document retention policies, and equally good points can be made about data and document destruction policies. When data and documents are beyond the point at which they are needed and/or required to be retained, they should be destroyed. In fact, before they even get to that point, they should be moved to a secure network and out of a business mailbox. The more data and documents that are housed in a compromised mailbox, the greater the task will be to determine what data and documents may have been accessed and/or exfiltrated (and the more it will cost).
- Enable all audit logs. Audit logs will help retrace the threat actor’s movements while she or he has access to your compromised mailbox. If these logs are not enabled, you and your company may miss out on a valuable tool to help the forensic investigator determine the scope of the compromise. Be aware that some logs default to being “off” and will need to be enabled manually.
- Don’t delete anything. Similar to the above, being able to see what e-mails a threat actor sent while posing as the owner of the mailbox may help the forensic investigator determine the scope of the compromise. The same is true for e-mail rules the threat actor may have created. If possible, do not destroy the evidence before the investigator reviews it. If something must be destroyed, take a screenshot of it first.
- Retain a consultant to ensure the threat actor is kicked out. This tip is critical. As soon as you have discovered that you or your company has suffered an e-mail compromise, retain a consultant to ensure the threat actor’s access has been terminated and that your systems are no longer compromised. Be aware that anything you say to this consultant may be discoverable in any later litigation. Your discussions should be limited to taking the steps to ensure the threat actor’s access has been terminated. Everything else should be discussed with your legal counsel.
- Retain legal counsel. Your legal counsel can help with much more than merely worrying about litigation. Your counsel will help you navigate through the steps of retaining a forensic investigator to determine what, if any, data was accessed and/or exfiltrated. Your counsel also will help you determine any obligations you may have to notify individuals whose data was in the compromised mailbox and/or government regulators.
- Talk to your people. Make the people who need to know aware of the fact that an incident has occurred. It is normal for them to be unsure and scared of what this means for the company and what it means for them. Let them know that immediate steps have been taken to secure everything. Tell them about continuity of operations and what steps they need to take to continue to perform their work. Let them know that you have retained legal counsel to help navigate through the intricacies of the process. Also, let them know that they should not talk about this, and that if they get asked any questions, they should refer those questions to you and/or your counsel.
The above tips are not an exhaustive list of the actions you and your company should take to guard against and respond to a business e-mail compromise, but they are a good start to becoming aware of the types of actions that should be taken to address these types of incidents.
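To show what the audit logs and e-mail rules in the "Enable all audit logs" and "Don’t delete anything" tips give a forensic investigator, here is an added example (not from the original article) that triages constructed mailbox audit records. The record schema (`time`, `user`, `op`, `ip`, `params`) and the known-IP set are assumptions for this illustration, not any mail provider's real export format.

```python
import json

# Constructed sample of mailbox audit records in a simplified, vendor-neutral
# schema (an assumption for this example, not any product's real export format).
SAMPLE_AUDIT_LOG = """\
{"time": "2024-03-01T08:02:11Z", "user": "alice@example.com", "op": "MailboxLogin", "ip": "203.0.113.10"}
{"time": "2024-03-01T08:05:40Z", "user": "alice@example.com", "op": "New-InboxRule", "ip": "203.0.113.10", "params": {"Name": "invoices", "ForwardTo": "billing@example.net", "DeleteMessage": true}}
{"time": "2024-03-01T09:15:02Z", "user": "alice@example.com", "op": "SendAs", "ip": "203.0.113.10", "params": {"Subject": "Updated wire instructions"}}
{"time": "2024-03-01T09:30:00Z", "user": "alice@example.com", "op": "MailboxLogin", "ip": "198.51.100.7"}
{"time": "2024-03-01T09:31:12Z", "user": "alice@example.com", "op": "New-InboxRule", "ip": "198.51.100.7", "params": {"Name": "sort", "MoveToFolder": "Projects"}}
"""

# Rule parameters that let an intruder forward, hide or delete the owner's mail.
RISKY_RULE_KEYS = {"ForwardTo", "RedirectTo", "DeleteMessage", "MoveToFolder"}

def parse_audit_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def triage(records, known_ips):
    """Return (timestamp, reason) findings an investigator would review first:
    rule creations that forward, hide or delete mail, messages sent from the
    mailbox, and logins from IPs outside the user's known set."""
    findings = []
    for r in records:
        params = r.get("params", {})
        if r["op"] == "New-InboxRule" and RISKY_RULE_KEYS & params.keys():
            flags = sorted(RISKY_RULE_KEYS & params.keys())
            findings.append((r["time"], f"inbox rule '{params.get('Name')}' with {flags}"))
        if r["op"] == "SendAs":
            findings.append((r["time"], f"mail sent from mailbox: {params.get('Subject')!r}"))
        if r["op"] == "MailboxLogin" and r["ip"] not in known_ips:
            findings.append((r["time"], f"login from unrecognised IP {r['ip']}"))
    return findings

def activity_from_ip(records, ip):
    """Every operation performed from one IP, in time order, to retrace the actor."""
    return sorted((r["time"], r["op"]) for r in records if r.get("ip") == ip)

if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for when, why in triage(recs, known_ips={"198.51.100.7"}):
        print(when, why)
    print(activity_from_ip(recs, "203.0.113.10"))
```

None of this is possible if mailbox auditing was left at its "off" default or if the rules were deleted before export, which is the practical point of both tips.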