Page 5 - White-Collar Crime

NYLJ.COM | White-Collar Crime | MONDAY, SEPTEMBER 26, 2016 | S5
Password security requires a degree of effort that cannot simply be passed along to an IT group or tech vendor. The low-tech aspect of the attack is a useful lesson: Cybersecurity does not end with software updates, hardware updates and the devotion of time and resources to audits.
Rather, cybersecurity carries a major human resources component as well. The prevalence of remote access to company systems makes this sort of low-tech entry into a target’s systems all the more dangerous, as the form of access itself will not trigger any alarm bells. These days, an employee identification number or email address and a password are often all that is needed to access a workplace’s network.
For that reason, it is critical to assess employee passwords on a regular basis. New employees should be asked affirmatively whether they have used their password anywhere before. Better yet, they should be asked whether they have ever used a similar password in the past. For example, an employee using a password based upon his son’s name and numeric birthdate, a password that he has never used in the past, will be dangerous if, at his previous employer, he used a password based on his daughter’s name and numeric birthdate: it is just too easy to figure out for the sort of low-tech hacker with access to former passwords. An explicit expression of the need for safeguarding company data should be a foremost concern with any new employee.
In the case of part-time employees, it goes without saying that an employee should provide assurances that they are using different passwords at their different jobs. In the case of vendors, confirmation that any password-enabled access they are permitted is premised upon unique passwords should be mandated and in writing.
The continued sophistication and even cutting-edge methods of would-be hackers make the world of cybersecurity difficult enough. However, failing to recognize the low-tech or even no-tech aspects of password protection and rampant remote access can have far more damaging consequences, as the existence of a breach may go unnoticed for a significant amount of time. As in almost all business concerns, effective cybersecurity should start with effective communication to employees and vendors and not ignore obvious common sense considerations.
One of the first tasks upon the hiring of a new employee is to create an employee log-in. Regularly addressing the cybersecurity aspect of the new-hire process then, at an easy and natural moment, can avoid dooming the organization to costly audits and other consequences of a breach, like governmental scrutiny.
By carefully establishing and implementing workplace initiation policies that immediately address cybersecurity, the need to resort to and rely upon software safeguards and, worse yet, breach insurance coverage, may be avoided. Careful adherence to the human resources aspect of cybersecurity can only serve to strengthen overall security.
•••••••••••••••••••••••••••••
1. Tyler Kepner, “Astros’ G.M. Jeff Luhnow Delegates With a Drive for Data,” THE NEW YORK TIMES (June 19, 2015), http://www.nytimes.com/2015/06/20/sports/baseball/cardinals-scandal-astros-jeff-luhnow-target-of-hacking-was-helped-and-hindered-by-technology.html?_r=0.
2. “Christopher Correa, Former Cardinals Executive, Sentenced to Four Years for Hacking Astros’ Database,” THE NEW YORK TIMES (July 18, 2016), http://www.nytimes.com/2016/07/19/sports/baseball/christopher-correa-a-former-cardinals-executive-sentenced-to-four-years-for-hacking-astros-database.html.
3. The loss was calculated in part by accounting for how the Cardinals altered their drafting based upon the information that was obtained from Ground Control.
4. One need only look toward how quickly the Tom Brady/National Football League “deflategate” case progressed. Incredible amounts of money hinge on the performance of sports teams and athletes.
5. Although only Correa was charged, news reports quote Cardinals officials as blaming the conduct on “roguish behavior by a handful of individuals.”
6. This report comes from the aforementioned Times article, though Astros executives have stated emphatically that all former Cardinal employee passwords were different than those previously used in St. Louis.