The role of the “human factor” in protecting information

Guest Commentary//August 7, 2019//

BY JACK PRINGLE

All attorneys owe various ethical (competency, confidentiality and safeguarding client property) and legal (a host of state and federal laws) obligations to protect information. We’re in an age of great potential technological “upside” (blockchains, artificial intelligence, machine learning, big data, cloud computing, etc.) and “downside” (large-scale data breaches, nation-state espionage and ransomware attacks). Given that computer technologies seemingly offer so much promise and so many problems, it is not surprising that attorneys would look to computer technologies to “solve” their information security challenges.

However, no computer technology product or service alone will protect information. Put another way, appropriate tools like firewalls, encryption, anti-malware software, etc. may be necessary, but not sufficient. People, processes and technology are equally crucial elements of an effective security program, and security incidents are most often the result of human failures, not “technology failures.” Often these failures result from “the human factor”—“the instincts of curiosity and trust that lead well-intentioned people to click, download, install, move funds and more every day.” (The Human Factor 2018: People-Centered Threats Define the Landscape.)

Learning to recognize where the “human factor” can be exploited is an important part of building an effective law firm security program. Start with three necessary foundational points:

  1. The internet and computer devices were not built with security in mind. Networks and devices do not default to secure when you take them out of the box, hook them up or turn them on.
  2. Most, if not all, business now takes place through digital technology and electronic communications.
  3. All business transactions are vulnerable to numerous threats. (SEC Report of Cyber-Related Frauds.)

Bluntly, we’re doing business exclusively in our inboxes and online, and that’s where we can expect the threats. However, our technologies won’t address the threats without people baking security into our computers and networks, and using them securely.

The human by default: Distractible

We all consider ourselves to be “rational” decision makers, meaning we follow an objective process when we make choices. One model for this process, used by fighter pilots and others, is the “OODA,” or “Observe, Orient, Decide, Act.” For this piece, focus on the importance of “decide” as the rational step in the process (“I know this is the right thing to do”). Social engineering (broadly the use of deception to convince people to divulge confidential information) uses several tactics to remove the “decide” step and keep us from acting intentionally.

Consider an example familiar to attorneys: The Business Email Compromise (BEC). This scheme targets businesses that regularly perform wire transfer payments. Wire transfers are an integral part of real estate closings conducted by attorneys, and as described above, electronic communications are how business is being done.

The BEC scam is just another confidence game where the bad actors convince humans either to 1) click on bad links or attachments (enabling the bad actor to install malware on the company’s computer system), or 2) mistakenly believe that the sender of an email attaching wiring instructions or seeking information is making a legitimate, authorized request. Technology is part of the scheme, but the scam cannot succeed without human assistance.

And the BEC scam works. In 2018, the FBI’s Internet Crime Complaint Center (IC3) received 20,373 BEC/EAC complaints with adjusted losses of over $1.2 billion. Put into context, those figures represent a 29 percent increase in the number of complaints, and a 77 percent increase in adjusted losses, when compared to the IC3’s 2017 numbers.

Consider how social engineering tactics apply to BEC schemes:

  1. Conveying urgency (“I need this wire transfer executed now”)
  2. Appealing to authority (“This would mean a lot to the firm if you could help us out here”)
  3. Imitating trusted brands (“This looks like a message from the law firm handling this closing”)
  4. Preying on our natural curiosity (“It might be a payment to the firm”)
  5. Taking advantage of conditioned responses to frequent events (“I dutifully click to update software, so I will just do so here”)

Social engineering succeeds because people can be distracted away from following important processes. And even when social engineering is not involved, human mistakes in configuring and maintaining computer technologies (e.g., getting distracted from performing updates) create vulnerabilities. Therefore, we need additional tools (training for awareness, policies to follow) to steer us toward consistently performing the “decide” piece of the process.

Exploiting the defaults

Consider the effects of human error in the following security breach incidents:

Anthem, Inc. (personal data of over 78 million individuals): “The data breach began when a user within one of Anthem’s Subsidiaries opened a phishing email containing malicious content.”

Target (credit card and personal data of over 110 million customers): “The breach … appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer, according to sources close to the investigation.”

South Carolina Department of Revenue (3.9 million tax returns and 387,000 credit and debit card numbers exposed): “A malicious (phishing) email was sent to multiple Department of Revenue employees. At least one Department of Revenue user clicked on the embedded link, unwittingly executed malware, and became compromised.”

JP Morgan (information of 76 million households and 7 million businesses): “But JPMorgan’s security team had apparently neglected to upgrade one of its network servers with the dual password scheme, the people briefed on the matter said. That left the bank vulnerable to intrusion.”

Equifax (personal information of 143 million individuals): “Equifax has confirmed that attackers entered its system in mid-May through a web-application vulnerability that had a patch available in March.”

These breaches happened because individuals were distracted from making proper decisions. These attacks succeed largely because they exploit human characteristics. People are susceptible to the very things (curiosity, trust, fatigue, impatience, and greed) that can hinder the critical thinking necessary to avoid being scammed. Likewise, failing to follow a rule or policy, such as upgrading software or using strong passwords, is also distinctly human.

People will not be an effective part of your security program if they don’t understand risks and use the right processes and computer technology to mitigate those risks. Using the BEC scam as an example, anyone who handles electronic funds transfers must be aware of the ways in which communications can be compromised. That’s one way to strengthen the “people” prong of your security program.

Just as important is having funds transfer processes (usually written down as policies) that all employees (attorneys included) follow. To make sure that an appropriate decision-making process is followed when a change in electronic payment type or bank is requested, involve more than one person in the decision and confirm the request through a means of communication other than email. Doing so makes it less likely that processes are ignored when convenience, perceived urgency, or greed intrude.
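One way to encode that funds transfer process as a check that a case-management or accounting workflow could run before a change in payment instructions takes effect. This is an added example, not part of the original commentary; the field names, the set of channels treated as out-of-band, and the extra rule that the confirming call must use contact details already on file (rather than any supplied in the request) are assumptions of the example.

```python
from dataclasses import dataclass, field

# Channels this example treats as "out-of-band" relative to an emailed request.
# Assumption: a phone call or an in-person conversation counts; an email reply does
# not, because the mailbox itself may be the compromised asset.
OUT_OF_BAND_CHANNELS = {"phone", "in_person"}


@dataclass
class PaymentChangeRequest:
    requester: str                    # who asked to change the bank or payment type
    received_via: str                 # channel the request arrived on, e.g. "email"
    verification_channel: str         # channel used to confirm it, e.g. "phone"
    verification_contact_source: str  # "records" (details on file) or "request"
    approvers: list = field(default_factory=list)  # staff who signed off


def evaluate_change_request(req: PaymentChangeRequest) -> list:
    """Return the list of policy violations; an empty list means the change may proceed."""
    violations = []
    # Control from the article: confirm over a channel other than the one the request
    # came in on, and that channel must be one the policy recognises as out-of-band.
    if (req.verification_channel == req.received_via
            or req.verification_channel not in OUT_OF_BAND_CHANNELS):
        violations.append("verification must use a channel other than the request channel")
    # Added caveat (assumption): the callback must use contact details already on file,
    # not a number or address supplied inside the request being verified.
    if req.verification_contact_source != "records":
        violations.append("verification contact must come from existing records")
    # Control from the article: involve more than one person in the decision.
    # Assumption: the requester cannot be one of the two, and duplicates do not count.
    distinct_approvers = set(req.approvers) - {req.requester}
    if len(distinct_approvers) < 2:
        violations.append("at least two approvers other than the requester are required")
    return violations


# Constructed sample requests (not real matters or people).
COMPLIANT = PaymentChangeRequest("paralegal_a", "email", "phone", "records",
                                 ["attorney_b", "bookkeeper_c"])
RUSHED = PaymentChangeRequest("paralegal_a", "email", "email", "request", ["paralegal_a"])

if __name__ == "__main__":
    for name, req in (("compliant", COMPLIANT), ("rushed", RUSHED)):
        print(name, evaluate_change_request(req) or "OK")
```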

If terms like “processes” and “policies” sound too formal or foreign, consider the use of checklists as a way to memorialize and share best practices, training and other methods. For more on this (admittedly broad) topic, I highly recommend Atul Gawande’s The Checklist Manifesto: How to Get Things Right.

Law firms must make sure that all of their people are a well-trained and knowledgeable “security layer” working with processes and computer technology to protect information. Making yourself and your office aware of the vulnerabilities caused by the “human factor” is a significant part of that process.

Jack Pringle, partner at Adams and Reese, counsels clients in matters relating to privacy, information security, information governance, administrative and regulatory law, public utilities, securities, and class action litigation. He can be reached at [email protected].
