
Cybersecurity was a hot topic at the National Native American Human Resources Association IT summit this week.
Paul Tucker, Chief Information Security Officer for BOK Financial, discussed the overlap of cybersecurity and human resources within tribal organizations.
Tucker said tribal organizations face a number of risks from cybersecurity data breaches, including:
· Unauthorized disclosure of protected records
· Theft (business email compromise)
· Extortion (ransomware)
· Intentional disruption
· Being used to attack business partners
· Failure to comply with regulatory requirements
Tucker said that, while these risks are present for most businesses and organizations, there is a higher concentration of risk within human services and tribal health, tribal law enforcement, treasury, gaming operations and human resources records.
“Companies that have sensitive data in regulated areas like these are exposed to civil litigation,” said Tucker. “These companies should absolutely put a plan in place to create safe harbor of sorts from such litigation.”
Tucker said there are a variety of methods fraudsters use to get sensitive company data, including credential abuse, social engineering and vulnerability exploitation. In practice this looks like bot attacks, account takeovers, fake job applicants, account redirections, phishing or SIM swapping.
“Credential abuse is a very common form of cyber attack,” said Tucker. He added that some ways to avoid credential abuse are using passphrases instead of simple passwords, using multifactor authentication, using a password vault and avoiding storing passwords in browsers.
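To make the credential-abuse patterns Tucker named (bot attacks, account takeovers) concrete, here is an added triage script, not material from the talk or from BOK Financial, that runs two simple detectors over authentication log lines: one source IP trying many distinct accounts (credential stuffing), and a run of failures on one account that ends in a success (takeover). The log lines are constructed, the log format is assumed, and the thresholds are assumptions a team would tune to its own baseline. The successful logins it reports are the ones multifactor authentication would have blocked even though the passwords were right.

```python
"""Credential-abuse triage over authentication logs.

Added illustration, not from the talk or from BOK Financial. The log
lines are constructed, the "timestamp user source_ip result" format is
assumed, and the thresholds are assumptions to be tuned to a baseline.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: one stuffing burst from 203.0.113.10 (six accounts,
# one of which succeeds), one brute-force-then-success on mlee, and a
# normal user rkim for contrast.
SAMPLE_LOG = """\
2024-03-04T09:00:01 jdoe 203.0.113.10 FAIL
2024-03-04T09:00:02 asmith 203.0.113.10 FAIL
2024-03-04T09:00:03 bjones 203.0.113.10 FAIL
2024-03-04T09:00:04 cwhite 203.0.113.10 FAIL
2024-03-04T09:00:05 dgreen 203.0.113.10 FAIL
2024-03-04T09:00:06 efox 203.0.113.10 SUCCESS
2024-03-04T09:05:00 mlee 198.51.100.7 FAIL
2024-03-04T09:05:10 mlee 198.51.100.7 FAIL
2024-03-04T09:05:20 mlee 198.51.100.7 FAIL
2024-03-04T09:05:30 mlee 198.51.100.7 FAIL
2024-03-04T09:06:00 mlee 198.51.100.7 SUCCESS
2024-03-04T09:10:00 rkim 192.0.2.44 SUCCESS
2024-03-04T09:11:00 rkim 192.0.2.44 SUCCESS
"""

STUFFING_MIN_USERS = 5   # assumed: distinct accounts tried from one IP
TAKEOVER_MIN_FAILS = 3   # assumed: failures on one account before a success


def parse(log_text):
    """Parse the assumed whitespace-separated format into sorted event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "ip": ip,
            "ok": result == "SUCCESS",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_credential_stuffing(events, min_users=STUFFING_MIN_USERS):
    """IPs that tried at least min_users distinct accounts (bot/stuffing signature)."""
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
    return sorted(ip for ip, users in users_by_ip.items() if len(users) >= min_users)


def find_takeover_candidates(events, min_fails=TAKEOVER_MIN_FAILS):
    """Accounts where a run of failures from one IP ends in a success from that IP."""
    streak = defaultdict(int)   # (user, ip) -> consecutive failures so far
    hits = []
    for e in events:
        key = (e["user"], e["ip"])
        if e["ok"]:
            if streak[key] >= min_fails:
                hits.append(e["user"])
            streak[key] = 0
        else:
            streak[key] += 1
    return sorted(set(hits))


def successes_from(events, ips):
    """Accounts that logged in successfully from the given (suspect) IPs."""
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in set(ips)})


def triage(log_text):
    """Run all detectors; the success lists are the accounts to reset and review."""
    events = parse(log_text)
    stuffing_ips = find_credential_stuffing(events)
    return {
        "stuffing_ips": stuffing_ips,
        "stuffing_successes": successes_from(events, stuffing_ips),
        "takeover_accounts": find_takeover_candidates(events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Note that the per-account takeover heuristic alone misses efox: that account saw a single guess from the stuffing IP, so only the per-IP view catches it. Running both detectors, and cross-referencing successes against suspect IPs, is what turns a noisy failure count into a short list of accounts to reset.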
“Within the gaming industry in particular we’re seeing a prevalence of flat networks, a lack of multifactor authentication, and a general lack of response plan for cyber incidents,” Tucker told the group. “The impact of this is often unauthorized disclosure of customer information, inability to operate (which is a direct hit to revenue), brand and reputation damage, increased insurance costs, regulatory action and civil litigation.”
Tucker recommends that tribal businesses handling sensitive data conduct employee education and enforce cybersecurity policies and processes.
“After stolen records become public and litigation is threatened, be ready to show your papers,” Tucker told the tribal members. This includes a current risk assessment and corrective action plan; evidence of an annual policy review, employee awareness training and tabletop exercise; and quarterly access authorization reviews. “In many states this creates a safe harbor from litigation and some regulatory actions,” Tucker said.
Ultimately, Tucker encouraged tribal HR and IT leaders to foster a culture of cybersecurity across their organizations. That includes:
· Leadership commitment
· Establishing clear policies and procedures
· Encouraging open communication
· Investing in ongoing training and education
· Appointing internal “cyber champions”
· Integrating security into the broader business strategy
