Peebles Kidder Offers Guidance For Tribes Seeking to Prevent Cybercrime

01 May 23

By Peebles Kidder

Cybercrime is becoming more frequent and sophisticated, with criminals using advanced tools and tactics to carry out their attacks. According to a 2022 report released by the FBI's Internet Crime Complaint Center (IC3), the number of reported cybercrime incidents increased by 69% between 2019 and 2020. The report further states that reported losses due to internet crime totaled $4.2 billion in 2021, a 20% increase from 2019. Of that amount, $1.8 billion, or 43% of all reported losses, was attributable to business email compromise (also known as "BEC"). Ransomware attacks, in particular, have become increasingly prevalent, with cybercriminals using this technique to lock up computer systems and demand payment in exchange for restoring access.

In short, cybercrime continues to pose a significant threat to businesses and individuals, with criminals becoming more sophisticated in their tactics and techniques. It is therefore important for tribal governments to stay vigilant and take proactive measures to prevent cybercrime. For instance, Tribal Councils can implement a multi-pronged approach that combines technical measures, policies and procedures, and education and awareness initiatives. Here are some specific steps that tribal governments can consider taking to prevent cybercrime:

  1. Develop and enforce cyber security policies: Tribal Councils and tribal human resource departments should establish clear policies and procedures related to cyber security, including password management, network security, access controls, and incident response. These policies should be communicated clearly to all employees.
  2. Conduct regular security assessments: Tribal information technology ("IT") departments should conduct regular security assessments to identify potential vulnerabilities and risks as well as to assess the efficacy of incident response policies. These assessments should be followed by remediation efforts to address identified issues.
  3. Implement access controls: Tribal IT departments should implement access controls to restrict access to sensitive data and systems to authorized personnel only. This can include the use of two-factor authentication, network segmentation, file access restrictions, and other access control mechanisms.
  4. Train tribal employees: Employees should be provided with regular cyber security training to help them recognize potential threats and take appropriate action. This should include training on phishing scams, password management, insider threats, and other common cyber security issues.
  5. Use encryption: Tribal departments should use encryption to protect sensitive data in transit and at rest. This can include the use of virtual private networks ("VPNs") and encryption protocols such as Secure Sockets Layer ("SSL") and Transport Layer Security ("TLS"). Data at rest should be encrypted with trusted standards such as Pretty Good Privacy ("PGP") or the Advanced Encryption Standard ("AES") with a 256-bit key.
  6. Secure mobile devices: Tribal Councils should implement policies and procedures to secure mobile devices used by employees. This can include the use of mobile device management ("MDM") software, which enables remote management and security of mobile devices.
  7. Monitor for threats: Tribal IT departments should implement monitoring and detection tools to identify potential threats and security breaches. This can include the use of intrusion detection systems ("IDS"), endpoint detection and response ("EDR") tools, and security information and event management ("SIEM") software.

By implementing these steps, Indian tribes can significantly reduce the risk of falling victim to cybercrime and protect their sensitive data and systems. Additionally, it is important to stay up to date with the latest cyber security trends and threats to ensure that security measures remain effective over time.

Peebles Kidder Bergin & Robinson LLP encourages tribal leaders to contact Sacramento partner Patrick R. Bergin at (916) 441-2700 if they have questions or require legal advice on cybersecurity protocols and policies.