With headlines about data breaches, ransomware, viruses, and other cyberthreats becoming routine, it seems no one is immune, especially now with the rise of the “internet of things”—all those devices capable of accessing the internet and collecting and exchanging data. Today’s malicious hackers have no shortage of opportunities to wreak havoc. 
Such a pervasive and complicated problem may lead the human resources department to feel powerless, but that thinking is a mistake, according to an attorney and “certified ethical hacker” who offers ideas on how to prevent and recover from attacks.
Daniel C. Nelson, an attorney with the Armstrong Teasdale LLP law firm in Denver, Colorado, recently presented a Business and Legal Resources webinar titled “Global Ransomware Attacks: Your HR and IT Emergency Prevention and Response Plan.” His program focused on ransomware in the wake of the massive WannaCry attack that infected computer users globally in May, but organizations can be hit with a variety of cyberattacks at any time.
Nelson stresses that IT’s role focuses on technical controls, but the weakest link in an organization’s defense against cyberthreats isn’t flawed technology. Instead, it’s the human side. Technical controls, though often a step behind hackers, can largely keep pace with threats, Nelson says, “But humans—us—we have not developed any better security for ourselves. We are just as hurried, distracted, ego-driven, prone to make mistakes as we always were.”
What HR can do
Nelson touts a layered approach to cybersecurity: prevention, detection, containment, and remediation. The success of the strategy in large part depends on user awareness, and that’s where HR comes in.
The introduction of malware often starts with employees clicking on a poison link, opening a bad email, or downloading something from a website they shouldn’t have visited. If HR—in concert with IT and other departments—can develop policies and procedures governing computer use, many problems can be avoided, Nelson says. Without sound policies, employees are almost guaranteed to do risky things, he says.
But just having policies isn’t enough. Success depends on a culture shift, Nelson says. For example, if employees make a mistake and click on a sketchy link, they may be hesitant to report what they’ve done if they fear consequences from the employer. Scared computer users are a huge liability to employers, he says, since problems can be avoided or contained through quick reporting.
But if employees know they can report what they’ve done without sanction from the employer, they’ll be empowered users who “will save the company from disaster,” Nelson says. Employers need to communicate that they understand malware schemes are insidious and can be convincing and that employees don’t need to be afraid to report what they’ve done.
If users call on IT when they suspect something might be wrong, they provide a powerful form of detection. In a lot of ransomware attacks, early notice can make a difference since it takes a while for the data to be encrypted and then held for ransom, Nelson says.
HR also plays a role in containing attacks. Policies prohibiting employees from sharing logins and passwords, limiting who’s allowed to install programs and change settings on computers, etc. may be unpopular. But communicating the reasons for the rules can go a long way toward making employees understand and comply, Nelson says.
Insidious ransomware
One of the major threats employers need to understand is ransomware, a type of malware that encrypts data on a computer or server and renders it inaccessible without a “key,” which has 30 or more characters. Nelson says the odds of guessing a key are one in 3 duodecillion (that’s three followed by 39 zeros). “The bottom line is, with a few exceptions, you’re not going to be able to solve a ransomware issue by guessing at or hiring somebody to get your data back through decryption,” he says.
Ransomware usually starts with a human attack factor. Someone does something that allows a small downloader to infect a computer and download an encryption program. Once files are encrypted, a ransom note goes out demanding payment in exchange for recovering the files.
Even users who pay the ransom aren’t assured of getting their data back, Nelson says, since the decryption isn’t always successful. But many of the more prominent ransomware purveyors will try to help their victims retrieve data, even offering help desks to guide computer users through the process of paying the ransom and recovering data.
Nelson warns that ransomware isn’t going to go away. He cites statistics from a 2016 study by technology giant Cisco Systems. Researchers looked at a single ransomware campaign and estimated that one campaign using 147 servers per month, each hitting 90,000 targets per day resulting in an estimated 9,515 ransom payments per month yielded $34 million in annual revenue.
“When you have economics like that, this is a problem we’re going to continue to see get worse,” Nelson says.
Need to learn more? Join us at the 22nd Advanced Employment Issues Symposium in Las Vegas on November 16-17. Meyers, Roman, Friedberg & Lewis attorney Jonathan Hyman will present #ProtectingInformationSystems: When Policies Outlining Social Media and Email Ownership and Usage Are Likely to Hold Up under Federal Law—and When They Aren’t. This session will cover how far can you legally go, though, to monitor and restrict the ways in which employees are using information systems like email and online social media accounts. Armstrong Teasdale attorney and certified ethical hacker Lucas Amodio will present Is Your TV Watching You? Cybersecurity Protection from the Internet of Things. This session will focus on what cybersecurity thought leaders are doing to assist companies with protecting their cyber assets amid the IoT superhighway. For more information on AEIS, click here.