For ice cream aficionados, “Phish Food” is the familiar name of a Ben and Jerry’s ice cream flavor which includes chocolate ice cream with gooey marshmallow swirls, caramel swirls, and fudge fish. Phish itself is a “jam band” featuring many different genres of music with extended improvisation and instrumentals. In the compliance space, however, the term “phishing” takes on a much more sinister and less enjoyable meaning.
Generally speaking, phishing is a form of social engineering, which looks to take advantage of human psychology and, in particular, looks to create a sense of fear or urgency to manipulate a user into divulging confidential information. Frequently, phishing takes the form of an email or text message, which seeks to prod a victim into revealing confidential information.
Unfortunately, your agency is a prime target. Read on to learn more about phishing and how to prevent it from undoing years of hard work.
One example of phishing is an email from an online service advising of a security alert requiring an immediate password change, with a link to do so. The linked site looks identical to the legitimate site. When the link is clicked, the unsuspecting user enters their current credentials and new password. These items are then sent to the hacker, who will use them to hack into the company for which the employee works. What many employers may not realize is that their own employees can create significant liability risk when they are not properly educated and trained to combat this insidious form of cyberattack.
Consider the following scenario: You are the CEO of your company, and an employee in your payroll department receives a phishing email which appears to come from you, asking for the W-2 forms and payroll information of all current and former employees. Of course, you did not send that email. It was sent by a phishing hacker. However, once your employee divulged all this confidential information to the hackers, the net result was that an extremely costly class-action lawsuit was filed against your company for the data breach.
This scenario, or some similar variation, has been successfully deployed by hackers in several cases. Even Snapchat has reported that this type of phishing attack was successfully used against them. According to a 2017 IBM study, the average cost of a data breach is $3.62 million!
Typical claims asserted against companies in these employee-caused data breach cases are for negligence: failing to train employees in data security; failing to maintain and update firewalls and phishing prevention software; and failing to maintain retention, safeguarding, and destruction protocols, policies, and procedures for nonpublic personal information (NPI). NPI includes dates of birth, Social Security numbers, and bank account information, all of which can be gleaned from payroll records, among other sources.
What can be done to combat this threat? Well, for starters, your payroll department should be instructed, in no uncertain terms, that they are not to divulge any payroll information without first having a face-to-face conversation with the CEO of the company!
More important, however, is having a compliance system in place that sets expectations and policy on data security, trains your employees, audits compliance and, in regard to social engineering attacks like the phishing attack described above, teaches employees to recognize the appeal to human psychology — typically fear or greed — that is used to motivate security-compromising conduct.
So the takeaway here is that data breaches and cybersecurity will continue to represent a growing threat to each and every business in America. As Equifax and other hacking targets continue to occupy the headlines, increased regulatory scrutiny will be focused on company responsibility for data security, company response timelines to data breaches, and the cost and remedies which companies should pay for regarding consumers whose NPI has been leaked. Remember, those affected could be at risk for the rest of their lifetimes!
While we can unequivocally recommend enjoying a pint of Phish Food while kicking back and listening to your favorite tunes, a much less relaxed approach is required to prevent your company from becoming tomorrow’s news headline regarding a data security breach or phishing event.

DISCLAIMER: Content provided in this article is intended for informational purposes only and should not be construed as legal advice and should not be relied upon or acted upon without you retaining counsel to provide specific legal advice based upon your particular situation, jurisdiction and circumstances. No duties are assumed, intended or created by this communication. No attorney-client relationship is being created by your review or use of this material.

©2018 Robert J. Wilson