Cybercrimes are becoming more brazen, shutting down major energy suppliers, stealing sensitive patient records from hospitals, and extorting businesses to pay millions of dollars in ransom every year to get back stolen information, including personal customer data illegally obtained by hackers.
Attorney Karen Painter Randall, who chairs the Connell Foley law firm’s cybersecurity incident response group, spoke at NJBIA’s recent Insights and Outlooks Forum on the expanding threat of cyberattacks and why businesses need to be more proactive in protecting themselves.
“Most of these cyberattacks are caused by tricking a human within your organization,” Randall said, referring to phishing, which dupes an unsuspecting employee to click on a malicious email link that installs malware or locks down a business’s IT system as part of a ransomware attack.
Other causes include an IT department’s failure to install critical software patches in a timely manner, or an open Remote Desktop Protocol (RDP) port. RDP is meant to let employees or vendors access the IT system remotely, but it can also let in hackers if the port is inadvertently left exposed to the internet.
“These attackers will scan the Internet; they look for it,” Randall said. “If you have an open RDP port they get in and they move laterally very quickly.”
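The two conditions described above, an RDP port reachable from the internet and critical patches left pending past a deadline, are both things a defender can check mechanically. The following Python script is an added example and not part of the article or the speaker's material; the firewall-rule and patch records are constructed, the trusted internal ranges and the 14-day patch deadline are assumptions, and the advisory identifiers are placeholders.

```python
"""Audit for Internet-exposed RDP (TCP 3389) and overdue critical patches.

Added example; not from the article. Rule and patch records are constructed,
trusted ranges and the patch deadline are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import Optional

RDP_PORT = 3389

# Assumption: only these internal ranges (e.g. VPN clients) should reach RDP.
TRUSTED_SOURCES = [ipaddress.ip_network(c) for c in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    name: str
    proto: str
    port: int
    source: str  # CIDR permitted to reach the port
    action: str  # "allow" or "deny"


def source_is_trusted(cidr: str) -> bool:
    """True only if every address in `cidr` lies inside one trusted range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t)
               for t in TRUSTED_SOURCES)


def exposed_rdp_rules(rules):
    """Names of allow rules that let an untrusted source reach TCP/3389."""
    return [r.name for r in rules
            if r.action == "allow" and r.proto.lower() == "tcp"
            and r.port == RDP_PORT and not source_is_trusted(r.source)]


@dataclass
class Patch:
    host: str
    advisory: str
    severity: str
    released: date
    installed: Optional[date]  # None means still pending


def overdue_patches(patches, today, max_days=14):
    """(host, advisory, days outstanding) for critical patches past the deadline."""
    overdue = []
    for p in patches:
        if p.severity != "critical" or p.installed is not None:
            continue
        age = (today - p.released).days
        if age > max_days:
            overdue.append((p.host, p.advisory, age))
    return overdue


# Constructed sample data. 203.0.113.0/24 is a documentation range standing in
# for a partner's public block; the "ADV-00x" advisory ids are placeholders.
SAMPLE_RULES = [
    Rule("rdp-anywhere", "tcp", 3389, "0.0.0.0/0", "allow"),
    Rule("rdp-vpn-only", "tcp", 3389, "10.20.0.0/16", "allow"),
    Rule("rdp-partner", "tcp", 3389, "203.0.113.0/24", "allow"),
    Rule("https", "tcp", 443, "0.0.0.0/0", "allow"),
    Rule("rdp-deny", "tcp", 3389, "0.0.0.0/0", "deny"),
]

SAMPLE_PATCHES = [
    Patch("fileserver01", "ADV-001", "critical", date(2023, 3, 1), None),
    Patch("fileserver01", "ADV-002", "low", date(2023, 3, 1), None),
    Patch("web01", "ADV-001", "critical", date(2023, 3, 1), date(2023, 3, 5)),
    Patch("hr-db01", "ADV-003", "critical", date(2023, 4, 1), None),
]

if __name__ == "__main__":
    print("Exposed RDP rules:", exposed_rdp_rules(SAMPLE_RULES))
    print("Overdue critical patches:",
          overdue_patches(SAMPLE_PATCHES, today=date(2023, 4, 10)))
```

The exposure check deliberately asks whether the allowed source is a subnet of a trusted range rather than whether it is "private": a rule that opens RDP to a partner's public block is flagged just like one open to the whole internet, and the fix in both cases is the same, put RDP behind the VPN. In practice the rule list would come from the firewall or cloud security-group export rather than a hard-coded table.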
However, artificial intelligence (AI) programs are also something to be careful about, Randall said.
“ChatGPT is a perfect example,” Randall said, referring to the new AI chatbot that was launched in November 2022, which can summarize key elements in a well-known piece of literature, write computer code, and even draft news articles and cover letters.
“It’s fun; the kids like to use it. They’re creating their college essays, maybe, from it,” Randall said. “But what people don’t realize is that ChatGPT can be used to draft a wonderful social engineering phishing email that sounds very legitimate that can be sent to your organization to trick someone to open an email so that malware is dropped and then you have a cyberattack underway.”
“There are dangers with some of these fun tools,” Randall said of ChatGPT and the popular social media video streaming app TikTok being installed on company-issued computers and phones. TikTok, owned by a video hosting service in China, is already banned on government-issued devices in the U.S., Canada, and the European Union due to security concerns that sensitive information may be exposed when the app is downloaded to an organization’s device.
“How many people in this room have sent out an email or circulated a policy on whether or not you can use TikTok or ChatGPT on your organization-issued devices?” Randall asked. “I strongly recommend that you give some consideration to rolling out a policy like that within your organization – law firms especially.”
Boards of directors can be held liable for breaching their fiduciary duty to their company and shareholders in a cyberattack, Randall pointed out. Therefore, data security oversight must start at the top with the board of directors, instead of being delegated only to the IT department, she said.
Companies risk lost business, regulatory fines, lawsuits, and long-term reputational damage, making cybercrime the No. 1 risk to business today, she said.
According to Cybersecurity Ventures, the leading global researcher on the cyber economy, cybercrime will cost the world $8 trillion in 2023. If measured as a country, cybercrime would be the world’s third-largest economy after the U.S. and China.
Randall likened cybercrime to the “Wild, Wild West” of the internet.
“They are stealing the new oil of the 21st century: personally identifiable information, protected health information, intellectual property, and even embarrassing information,” she said. “Why rob the banks when you can sit in your basement and attack people for financial gain?”