Do you value your assets?
1 July 2020
Nearly all of us, when asked that question, think immediately of our apartment, our stocks, our pension, and our vehicle. Perhaps some think of their factory, machines, and stock. Few consider their organization's data assets. This review will hopefully clarify that the most important asset of every business (not exclusively hi-tech organizations) is its data.
Data can be many things: a list of customers or suppliers, patents, thinking, production procedures. But it is much more. Assets include personal, even embarrassing information; information that can present an organization or those heading it in a less-than-positive light. Every factory, safe, or vehicle has a key and an alarm to keep it safe. Are your data assets protected by a similar mechanism? The answer is usually: no.
Take John, for example. John heads a communications organization that is currently in the midst of a merger and acquisition process with a much larger international organization. John is preparing for the challenges and opportunities this merger may entail, including cutting down local headquarters so as to expand the company, thus making it international.
Unfortunately, John's morning took a totally different turn. An hour into his morning, John gets a call from a journalist asking how he responds to the claims that the company acted in conflict of interest in a foreign country while bribing the local company not to take part in any tenders in the country. John is then contacted by the country's largest cable provider, claiming John's company has been postponing his cheques for 120 days. "This is it," he says. "I am through with your company." An hour later, the CEO of said international organization calls to inquire whether, during the due diligence process, John's company concealed the fact that their last five bids at government tenders have been rejected on grounds of inadequate corporate governance.
This outcome, paraphrasing an actual scenario, was the result of a company worker pairing with a relatively low-level hacker. Using basic tools, such as social engineering and accessing organizational email, they attempted to prevent the merger, which may have harmed the worker's position.
Original documents were planted on company servers and, by simply editing the names of their payment destinations, falsely presented decision makers with these 'transfers'. These documents were sent to journalists via the organizational email of one of the organization's CEOs, complete with a list of facts that fitted the attachments. Through another organizational email, belonging to an accountant, they sent messages to all suppliers stating that 'due to a financial crisis, the company regretfully is pending all payment'. The fake tender bids were sent to the purchasing organization, hidden among authentic documents.
These could all have been prevented by asset charting: strategic files, customer list, supplier list, encrypted data, etc.
In this case, the organization acted quickly. The organization's remaining assets were secured and mapped, while relevant evidence was collected: an in-depth forensic inspection of all computers and email correspondence revealed that this was an inside job. The material was collected as part of a legal process of legal risk hedging and considering further action, including pressing charges against the hackers, and involving the police. Thus, the inspection was kept entirely secret. Meanwhile, company workers were equipped with the right messages and all interfaces through which the fictitious correspondences were fixed.
Not every company would have taken this course of action. Admitting to such an infiltration would be considered a sign of weakness, and as such would usually be dealt with discreetly. Besides, most organizations do not possess the technological and legal tools to deal with a cyber crisis. Not only does the secretive handling of this situation ironically prevent exposure, but there is also a limited timeframe during which the company can still respond. Once the time is up, the company is left with no solution and substantially harmed. Many cases involve a belated call for help due to a ransom demand following a simple email sent to the company. These emails contain a virus which locks all files on the computer a day or two later. All data on the organization's network is now encrypted, with the perpetrator holding the keys to it. Companies tend to try to solve these cases on their own. They try bargaining with the offender or recreating the data, either independently or by hiring a computer support service. These tactics only deepen the infiltration, usually leading to the loss of vast amounts of financial and corporate data. The financial loss is usually immense.
Nowadays, with the coronavirus raging and remote work a necessity, many organizations are being attacked by various hackers using the 'man in the email' technique: they lie in wait inside the organizational email network after hacking into it. Organization workers contact a legitimate party they know, but on its way, someone intercepts their email, altering its content and sending it back to the sender. These workers are oblivious to the fact that someone is faking both sides of the correspondence, and to the illegitimate content they have received. In these cases, hundreds of thousands, sometimes even millions of dollars are stolen by someone who is fooling both sides. Only after the money has already been transferred from one account to the other, yet the receiving side has not received its share, do they start asking questions. Both sides are puzzled, and such a case can harm business connections. However, once they contact each other and share copies of their correspondence, they realize that they were victims of a well-crafted scheme. Needless to say, the money is long gone by then.
We recently handled cases in which a quick response to the threat was crucial to preventing the transfer. In some cases, we intercepted transfers and, collaborating with the police and a global network of lawyers to which we belong, successfully intercepted the entire sum. In other cases, some of the sum was already withdrawn while the rest of it was successfully intercepted.
The legal-technological interface in these cases is a tiebreaker when facing these adversaries. We highly advise you to seek consultation.
Gilad Cohen is a strategic-technological consultant.
Rami Tamam of RCTO Law specializes in managing cyber, laundering, and white-collar crises.