TheCorporateCounsel.net

August 17, 2023

Cyber Report: Our Defenses Are (Still) Being Outsmarted (by Teenagers)

Consider this for upcoming board and committee discussions — especially since cybersecurity disclosures are already bound to be on your agenda. Last week, the Department of Homeland Security announced the release of a report summarizing findings by the Cyber Safety Review Board regarding certain cyber incidents in 2021 and 2022 involving a particular threat actor group that impacted dozens of well-resourced organizations. The CSRB engaged nearly 40 organizations and individuals to discuss these incidents, including threat intelligence firms, incident response firms, targeted organizations, law enforcement, individual researchers and subject matter experts.

This post on the Jackson Lewis Workplace Privacy, Data Management & Security Report blog summarizes key highlights, specifically:

– The multi-factor authentication (MFA) widely used today is insufficient: SMS one-time passcodes can be intercepted (for example, after a SIM swap), and push-notification prompts can be approved by a targeted or complicit user rather than the legitimate one, making application- or hardware-token-based MFA methods preferred
– Employees can be recruited with monetary incentives and have handed over access credentials, approved MFA requests on attackers' behalf, conducted SIM swaps, and otherwise assisted attackers in gaining access to an organization's systems
– Threat actors also leverage third-party service providers to target downstream customers through secure file transfer services

Yikes! Some of these findings were surprising (to me) and — at least for some companies — may be worthy of board time and attention, including a discussion about how management is addressing these risks. To that end, here’s a further excerpt from the blog:

The Board outlines several recommendations, some of which are more likely to be within an organization's power to mitigate risk than others. The recommendations fall into four main categories:

– strengthening identity and access management (IAM);
– mitigating telecommunications and reseller vulnerabilities;
– building resiliency across multi-party systems with a focus on business process outsourcers (BPOs); and
– addressing law enforcement challenges and juvenile cybercrime.

As noted above, one of the strongest suggestions for enhancing IAM is moving away from passwords. The Board encourages increased use of FIDO2 (Fast IDentity Online)-compliant, hardware-backed solutions. In short, FIDO authentication would permit users to sign in with passkeys, usually a biometric or security key. Of course, biometrics raise other compliance risks, but the Board observes this technology avoids the vulnerability and suboptimal practices that have developed around passwords.

Another recommendation is to develop and test cyber incident response plans. As we have discussed on this blog several times (e.g., here and here), no system of safeguards is perfect. So, as an organization works to prevent an attack, it also must plan to respond should one be successful.

I also want to note that the title of this blog isn’t just clickbait. The opening message of the report references the 1983 movie WarGames and identifies parallels with modern-day real life, including that “teenagers are compromising well-defended organizations using a creative application of many techniques.”

– Meredith Ervine