Even as many lawyers continue to display “a curious ambivalence” toward technology, compliance officers and counsel responsible for cybersecurity need to overcome that ambivalence and commit to acquiring and maintaining technological competence. But there is exceptionally little guidance for compliance officers and compliance counsel on what constitutes technological competence in the context of cybersecurity. Even the best cybersecurity frameworks do not indicate what kinds of technological knowledge compliance officers and counsel need to perform their functions effectively.
While they do not need to know the niceties of programming in Python or filtering bogons, compliance officers at a minimum should remain informed, even at a fairly basic level, about major trends in cyberthreats and cybercrime that are likely to affect their companies. One highly reliable source of periodic reporting on such threats is the APWG (formerly the Anti-Phishing Working Group). Now in its fifteenth year, the APWG is an international coalition with more than 1,800 organizational memberships in the industry, government, and law-enforcement sectors and non-governmental organization communities.
One of the APWG’s most useful resources for compliance officers and information-security officers alike is its quarterly phishing activity trends report. The most recent quarterly report, for the first quarter of 2018 (issued July 31), included a number of findings on phishing trends in 1Q 2018:
- The total number of phish detected was 263,538 — a 46 percent increase from the 180,577 observed in 4Q 2017, and a 38 percent increase from the 190,942 observed in 3Q 2017.
- 113,897 unique phishing Web sites were detected in March 2018 – an 87 percent increase from the 60,887 unique sites detected in January.
- The most targeted industry sectors were payment (39.4 percent), Software as a Service/Webmail (18.7 percent), financial institution (14.2 percent), and cloud storage/file hosting (11.3 percent).
- 13,594 unique domains were used in phishing attacks.
- More than a third of phishing attacks were hosted on Web sites that had HTTPS and SSL certificates, which could deceive Internet users into believing that those sites were secure.
Such data could provide compliance officers and counsel with a more informed basis to discuss with their information security teams whether their companies’ cybersecurity measures and internal controls are keeping pace with these trends.