As 2022 approaches, there is anticipation that the year may bring better security management to address the continued sophistication of cyberattacks witnessed in 2021.
The banking and finance industry, health care, critical infrastructure, and government undertakings are the most targeted and vulnerable to phishing attacks.
Angelo A. Stio III, Partner at Troutman Pepper, in an interaction with Minu Sirsalewala, Editorial Consultant, CISO MAG, shared his thoughts on how manufacturing entities and educational institutes are continuously targeted by phishing attacks. He also reflected on the preparedness of incident response, compliance, and safety at organizations.
Angelo is a partner at Troutman Pepper and a first-chair litigator who tries cases in courts and arbitration tribunals throughout the U.S. His data privacy and security experience includes counseling clients on cyber-breach response and defending clients in individual and class action matters. He works with clients across various sectors to investigate sensitive privacy and security issues and advise on applicable federal, state, and international laws.
Angelo opined, “Threat actors capitalize on impersonation attacks where they send phishing emails attributed to trusted vendors, buyers, and suppliers in the hope of intercepting invoices and redirecting payments to the threat actors’ account. Manufacturing entities that do not collect PII from consumers are susceptible because they believe the information related to their business-to-business transactions is not the type that threat actors will target. Unfortunately, threat actors look for a quick financial gain by intercepting business-to-business communications to redirect payments.”
The education industry also saw a surge in cyberattacks due to the sudden on-and-off shift to remote learning and online coaching. Universities and research centers made attractive targets for adversaries, with students logging in from their home networks using their personal devices. It was like opening a jar of bees, and the sting was evident.
Challenges Faced by Educational Institutes
Check Point Research (CPR) revealed that the education/research sector has seen the highest number of attacks of any sector. In July 2021, there was a 29% increase in attacks against organizations in the education sector compared to H1 2021. By region, organizations in the education/research sector in South Asia are the most targeted, followed by East Asia and ANZ. By country, Indian education organizations are the most targeted, followed by those in Italy and Israel.
“Institutes of higher education face challenges in privacy and security because they have many constituents with access to their networks (faculty, staff, administrators, alumni, students, and vendors), utilize multiple applications and platforms in the delivery of their services, may utilize unsafe devices to allow remote access, and have budgetary challenges and resource constraints to conduct training on information practices,” said Angelo.
He added, “Higher education institutions in 2021 were targeted because of the large amounts of student data that they collect, maintain, and process. When counseling clients, we recommend enhanced user verification through multi-factor authentication across their networks, limiting privilege access based on the need to access the information, and engaging in monitoring (either internally or through an external provider) for anomalies and threats to their environment.”
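As an added illustration, not part of the interview or of Angelo's own material, here is a small Python monitor over constructed authentication and access events that applies the three recommendations in the quote above: it flags successful logins that did not use MFA, flags access to resources outside a user's assigned role (least privilege), and flags bursts of failed logins from a single source address (anomaly monitoring). The event format, field names, role table, and failure threshold are all assumptions made for the example.

```python
"""Added example (not from the interview): a minimal monitor over constructed
JSON-lines auth/access events. Field names, the role-to-resource table and the
burst threshold are assumptions, not any product's real format."""
import json
from collections import Counter

# Assumed least-privilege table: each role may touch only these resources.
ROLE_ACCESS = {
    "student": {"lms", "email"},
    "faculty": {"lms", "email", "grades"},
    "registrar": {"email", "grades", "student_records"},
}

# Assumed threshold: this many failed logins from one address counts as a burst.
FAILED_LOGIN_THRESHOLD = 5

# Constructed sample events (JSON lines); these are not real logs.
SAMPLE_EVENTS = """
{"ts": "2021-11-02T08:00:01Z", "user": "alice", "role": "student", "action": "login", "result": "success", "mfa": true, "src_ip": "10.1.1.5"}
{"ts": "2021-11-02T08:00:09Z", "user": "bob", "role": "faculty", "action": "login", "result": "success", "mfa": false, "src_ip": "10.1.1.6"}
{"ts": "2021-11-02T08:01:00Z", "user": "alice", "role": "student", "action": "access", "resource": "student_records", "src_ip": "10.1.1.5"}
{"ts": "2021-11-02T08:01:30Z", "user": "carol", "role": "registrar", "action": "access", "resource": "student_records", "src_ip": "10.1.1.7"}
{"ts": "2021-11-02T08:02:00Z", "user": "dave", "role": "student", "action": "login", "result": "failure", "mfa": false, "src_ip": "203.0.113.9"}
{"ts": "2021-11-02T08:02:02Z", "user": "dave", "role": "student", "action": "login", "result": "failure", "mfa": false, "src_ip": "203.0.113.9"}
{"ts": "2021-11-02T08:02:04Z", "user": "erin", "role": "faculty", "action": "login", "result": "failure", "mfa": false, "src_ip": "203.0.113.9"}
{"ts": "2021-11-02T08:02:06Z", "user": "erin", "role": "faculty", "action": "login", "result": "failure", "mfa": false, "src_ip": "203.0.113.9"}
{"ts": "2021-11-02T08:02:08Z", "user": "frank", "role": "student", "action": "login", "result": "failure", "mfa": false, "src_ip": "203.0.113.9"}
{"ts": "2021-11-02T08:02:10Z", "user": "frank", "role": "student", "action": "login", "result": "failure", "mfa": false, "src_ip": "203.0.113.9"}
{"ts": "2021-11-02T08:03:00Z", "user": "grace", "role": "faculty", "action": "login", "result": "failure", "mfa": false, "src_ip": "10.1.1.8"}
"""


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def analyze(events):
    """Return findings for the three checks: no-MFA logins, privilege
    violations, and failed-login bursts per source address."""
    no_mfa = []          # users who logged in successfully without MFA
    violations = []      # (user, resource) pairs outside the user's role
    failures = Counter() # failed logins per source address

    for ev in events:
        action = ev.get("action")
        if action == "login":
            if ev.get("result") == "success" and not ev.get("mfa", False):
                no_mfa.append(ev["user"])
            elif ev.get("result") == "failure":
                failures[ev["src_ip"]] += 1
        elif action == "access":
            # Unknown roles get an empty allow-set, so every access is flagged.
            allowed = ROLE_ACCESS.get(ev.get("role"), set())
            if ev.get("resource") not in allowed:
                violations.append((ev["user"], ev["resource"]))

    bursts = {ip: n for ip, n in failures.items() if n >= FAILED_LOGIN_THRESHOLD}
    return {
        "login_without_mfa": no_mfa,
        "privilege_violations": violations,
        "failed_login_bursts": bursts,
    }


if __name__ == "__main__":
    for category, hits in analyze(parse_events(SAMPLE_EVENTS)).items():
        print(f"{category}: {hits}")
```

In practice the role table would come from the identity provider and the events from a SIEM or the authentication service's own logs; the point of the example is that each of the three recommendations maps to a concrete, testable rule rather than a policy statement.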
With attacks showing no sign of dwindling, the situation is exacerbated by how organizations manage these cyberattacks. Being prepared for incident response and taking legal recourse is essential for any organization with a digital presence.
Though some industries are well equipped and have incorporated incident response at the security design stage, it remains an aspiration for most organizations. “Highly regulated organizations in the financial sector (which are subject to the GLBA) and health care sector (subject to HIPAA) are most prepared in terms of their information security policies and response to incidents. This is the case because these entities are subject to comprehensive information security schemes and regulators are ensuring compliance with applicable regulations.” It is essential that businesses start incorporating privacy and security into the design phase to ensure compliance and safety.
Privacy By Design
“There is a concept known as privacy by design, which focuses on embedding concepts of privacy into the design and architecture of IT systems, product development, and business practices. Businesses are well-served to incorporate principles and privacy at the development stage of all business practices to embed security throughout the lifecycle of information being collected. In other words, privacy by design requires components of security to be implemented from the first element of data being collected through the deletion of that data from a company’s systems,” Angelo added.
Risk of Non-compliance
Organizations are realizing the importance of cybersecurity and the regulations that govern it. If they fail to comply, the risk exposure is significant and can be very damaging in both the short and long run. Non-compliance could result in exposure to regulatory investigations, fines, penalties, statutory damages, and a major increase in private litigation pursued on an individual and class-wide basis.
“We will continue to see more and more states move to more comprehensive state laws like the CCPA to enhance security practices and provide individuals with rights to access, correct, modify and delete their personal information.”
With increased data collaboration and global stakeholders, compliance needs to be more than just a checklist if it is to ensure data security.
About the Interviewer
Minu Sirsalewala is an Editorial Consultant at CISO MAG. She writes news features and interviews.