Anthony P. Schoenberg is a partner in the law firm Farella Braun+Martel LLP, which was founded in 1962 and has offices in San Francisco and Napa. He is a co-founder of the firm’s Privacy and Cybersecurity Team and helps clients mitigate the significant risks presented by cyberthreats. He also works with clients to investigate suspected data breaches and navigate clients through the thicket of legal obligations that accompany such breaches.
The Business Journal asked Schoenberg to discuss some of the cybersecurity issues businesses face today.
A business’ data and other critical information seems fair game for theft — or ransoming. What’s driving these attacks and do businesses at all levels just lack awareness of their vulnerability?
ANTHONY SHOENBERG:Business data is often valuable to thieves. Patent information, M&A insight, and PII stored by human resources, and credit card information are some examples.
As for ransomware, some organizations pay the ransom, so there is value for the thief there. On the other hand, organizations have been known to pay the ransom but not receive the decryption codes.
Awareness of vulnerability is probably increasing with widespread reports of successful attacks, but not all organizations are successfully protecting themselves. A popular file-transfer service was hacked — again — on Aug. 31.
It has been conventional wisdom for the past several years that law firms are particularly vulnerable. They have possession of confidential client data, and while the client’s systems may be locked down, law firms’ systems have been configured for convenience more than security.
This is changing. Law firms have become aware of security lapses through a variety of avenues, including specific client data security requirements. Law firms have positioned themselves for significantly increased security in the past few years.
What are some of the common ways businesses are leaving themselves open to becoming a victim of cybercrime?
SHOENBERG: I suggest the humans working for the business are the biggest risk. They may not have the proper training to avoid clicking on phishing links or opening malicious attachments. They may have a level of awareness but succumb to temptation, curiosity, or an email that looks legitimate. They may give up their credentials to a web site that seems legitimate. They may not protect their credentials sufficiently. They may use the same username and password for all sites they use, for the sake of convenience.
Physical security is also problematic. Offices are full of piles of files and other paperwork, some so much so that the denizen of the office wouldn’t even realize if a file went missing.
If a business could do one or two things now that would offer some protection of critical information, what would you recommend IT do?
SHOENBERG: Create a security awareness program for employees, make attendance mandatory and make the program ongoing, not “one and done.”
Most commonly, what groups or types of people are committing this crime and what makes it challenging to stop them?
SHOENBERG: Probably people with a level of sophistication and knowledge that allows them to get unauthorized access to systems and profit by doing so. There are also those who are simply malicious and get perverse pleasure out of getting away with criminal activity.
It is challenging to stop them because of the human factor mentioned above, and also because statistics show that a threat actor may have access to an organization’s systems for 18 months before being discovered. That’s ample opportunity to have a look around and find useful information!