Cyber security: Ukraine conflict and hybrid working add to threat matrix
Companies globally face a rising tide of cybercrime, and in-house lawyers are increasingly on the frontline of protecting and preparing their organisations. In-House Perspective takes stock of the trends in cybersecurity – including how recent world events have shaped the threats companies face – and the responses required.
Cybercrime is expected to cost the world a staggering $7tn over the course of 2022, according to research published in August by cybersecurity company Secureworks. If this cost were measured as a country’s economy, it would be the world’s third largest, after those of the US and China.
The Secureworks report joins a string of recent cyberattack statistics that make for grim reading for business. Global attacks, for example, increased by 28 per cent in the third quarter of 2022, compared to the same period in 2021. Twenty-seven per cent of companies globally suffered a data breach that cost them $1-20m or more in the past three years. In the UK alone, 39 per cent of businesses fell victim to a cyberattack in the past year.
The vectors under threat
Both the number and the sophistication of cyberattacks are steadily growing, and this alarming trend is exacerbated by the increasing maturity and centralisation of cybercrime, says Dr Ilia Kolochenko, Founder of ImmuniWeb and an adjunct professor of cybersecurity and cyber law at Capitol Technology University in Washington, DC. ‘Cyber-threat actors are gradually becoming smarter and more pragmatic so, for example, they would rather steal secret M&A documents or trade secrets from a poorly protected law firm than from its better protected clients,’ he says.
With the proliferation of ransomware-as-a-service, even inexperienced cyber criminals can make good money working for cybercrime conglomerates. ‘Ransomware attacks become profitable in 99 per cent of cases: if the victim does not pay, its clients, partners or even suppliers may be offered to pay a ransom to avoid undesirable exposure of sensitive data related to them,’ explains Dr Kolochenko. ‘Even if all eventually refuse to pay, the stolen data will be sold at public auction on the dark web, eventually being exploited in sophisticated chained attacks or resold once again.’
The typical attack vectors used by cyber criminals remain phishing, distributed denial-of-service (DDoS) and ransomware, with the most common cybercrimes reported to the UK’s Action Fraud in September being social media and email hacking, standing at 38 per cent of reports. Overall, 41 per cent of reports were received from businesses with a turnover of less than £1.5m. However, Paul Wainwright, Head of the Counter Fraud and Intelligence team at Browne Jacobson in Birmingham, in the UK, notes that these attack vectors are changing.
The office-related cyber-attacks in 2019 highlight particular issues with supply chains, with malware being used to compromise many IT networks accessing data via emails. ‘While acknowledging the risk to business, organisations should seek to have contractual provisions in place (including warranties) and conduct suitable due diligence to ensure security standards are consistent in the supply chain,’ says Wainwright.
A pandemic and a war
Covid-19 added to companies’ cybersecurity woes: 81 per cent of global organisations faced an increase in cyber threats during the height of the pandemic, while 20 per cent of managers said they experienced a security breach due to an employee working remotely, according to research by anti-malware software provider Malwarebytes.
As many businesses adopted a work from home policy during the pandemic, new security risks were identified, says Doil Son, Senior Vice-Chair of the IBA Technology Law Committee and a partner at Yulchon in Seoul. ‘In particular, since most home network connections are unsecured, they are much more vulnerable to cyberattacks than company networks. It is therefore advisable for companies to install security solutions such as antivirus software on all information devices, encourage employees to use VPNs [virtual private networks], provide employees with remote work security training and policy, and implement URL [uniform resource locator] filtering and email security solutions,’ he says.
The number of cyberattack threats rose significantly as a result of staff working remotely, partly due to the increased number of devices being used for work purposes, says Wainwright. Staff were targeted through effective social engineering, with smishing (an attack carried out over SMS text messaging), phishing and business email compromise being common causes of cyber breaches.
‘The levels of attack, however, did not significantly alter or increase over this period, rather the sophistication of the attacks shifted from phishing (simple clicking on a rogue link or fake website) to lost/stolen or harvested credentials leading to DDoS and ransomware attacks which are highly disruptive for business,’ says Wainwright.
Reinforcing good habits with staff is key, he says. This can include training employees to report suspicious activity, to double-check requests even from ‘trusted’ sources, to quarantine emails that might contain malware and not to connect on social media with unknown people. These techniques ‘all shift the balance in favour of the business to withstand a cyber-attack,’ explains Wainwright.
As our world becomes more digitally complex, so too do the threats we face, exacerbated by geopolitical events such as the Russia-Ukraine conflict. Indeed, Russian-based phishing attacks against email addresses of European and US-based businesses have increased eight-fold since the beginning of the war in Ukraine, according to data from IT company AAG.
‘Many businesses are being caught in the crosshairs of nation state attacks “inspired” by the conflict as both sides seek to cause disruption,’ says Katharina Sommer, Group Head of Corporate Strategy and Public Affairs at IT security company NCC Group. The conflict caused a surge in cybersecurity attacks in the region earlier this year, particularly in the form of malware, ransomware and attacks against national infrastructure.
Confronting cybersecurity in-house
All of this means challenging times for in-house lawyers, who are increasingly taking a leading role in overseeing their organisation’s cybersecurity. Indeed, a February survey by the Association of Corporate Counsel reveals that cybersecurity is one of the top three issues that chief legal officers rank as most important for their business overall.
Son says that although businesses are increasingly turning to their in-house lawyers to oversee cybersecurity, given that cybersecurity and data protection have both technical and legal aspects, it is advisable for in-house lawyers to implement a cybersecurity incident response plan that facilitates smooth communication and cooperation among both internal and external legal advisers and technical experts to handle cyberattacks.
‘Since cybersecurity and IT compliance require both legal and technical expertise, it would be difficult for an in-house lawyer to oversee the company’s entire cybersecurity without help,’ he says. ‘Outsourcing cybersecurity and IT compliance functions is usually an efficient and cost-effective option as long as one can find a competent service provider. That said, when selecting a service provider, I recommend selecting a specialist with adequate skills, experience, and knowledge to carry out the outsourced work, and suitable communication skills to convey necessary advice clearly and effectively.’
General counsel who are charged with overseeing their organisation’s cybersecurity may wish to participate in information security seminars and join private associations to keep up with information security technologies and current issues. Further, they could consult with legal and security experts on a regular basis, conduct periodic compliance check-ups to assess cybersecurity risks and provide regular cybersecurity and data protection training to employees.
Cybersecurity is of the utmost importance from a business perspective, not only because of the economic damage that can arise from cyberattacks but also because of the potential reputational damage if the consequences are particularly severe. In-house lawyers have a key role to play in safeguarding an organisation’s cybersecurity, says Gustavo Patricio Giay, Vice-Chair of the IBA Technology Law Committee and a partner at Marval O'Farrell & Mairal in Buenos Aires.
Writing cybersecurity policies
‘In-house lawyers have to be on top of the latest legal obligations regarding cybersecurity and data protection in the different jurisdictions where their role might take them, but their two most important tasks are to generate awareness and to develop the company’s cybersecurity policy,’ he says. ‘This means the in-house lawyer has the difficult task of sometimes even changing the culture of the company.’
Without a cybersecurity strategy, businesses cannot defend themselves or their clients, leaving both vulnerable to malicious actors. ‘Moreover, with the increase in cyberattacks and the effects of those attacks becoming more costly, having a cybersecurity strategy can be considered an investment rather than a cost,’ adds Giay.
The first step in developing a cybersecurity strategy is to identify security requirements, which can be derived from three primary sources. Firstly, by assessing the risks to the organisation, taking into account its overall strategy and objectives, which allows an in-house lawyer to identify threats, vulnerabilities and their probability of occurrence and their potential impact.
Secondly, the legal, regulatory, statutory and contractual requirements that must be met by an organisation, its business partners, contractors and service providers are also key. Finally, in drawing up a cybersecurity strategy, the in-house lawyer must be cognisant of the principles, objectives and functional requirements for information processing that an organisation has developed.
Once the security requirements and risks have been identified and decisions have been made to address these, appropriate controls should be selected and implemented to ensure that the risks are reduced to an acceptable level, says Giay.
There are a number of controls that are considered common practice for information security and which apply to most organisations and in most scenarios. These include security policy documents; the assignment of responsibilities for information security; knowledge, education and training in information security; correct processing in applications; technical vulnerability management; operational continuity management; and incident management and information security improvements.
It’s also essential that the cybersecurity strategy provides a course of action for recovery and containment after a security incident and establishes how the evidence related to the incident will be captured and preserved, adds Giay.
Although it’s not possible to eradicate completely the prospect of a successful cyberattack, companies should ensure they have planned responses in place to limit the damage if they do fall victim to one, says Simon Fawell, a partner at Signature Litigation in the UK.
‘This includes ensuring there are back-up systems in place to keep your business running after an attack but also thinking in advance about what third parties might potentially be affected by a breach, what contractual and regulatory obligations you will have to notify and how you will message a breach externally,’ says Fawell. ‘In most circumstances, corporate and individual counterparties will be relatively understanding that breaches can occur. What they will not forgive is a breach response that doesn’t adequately minimise the impact on them or, worse, adds additional layers of complexity.’
While there’s an ongoing game of ‘cat and mouse’ between those developing IT security systems and those trying to breach them, the biggest weak spot in any system will virtually always be individual users and the vast majority of cyber breaches arise from user error, he says. ‘It’s the person who inadvertently provides their user details in response to a phishing email or even the person who politely holds open the door to a secure area for someone they don’t know,’ he explains.
The first line of defence in minimising human error is education – and often a ‘less is more’ approach is the most effective, he adds. Companies may want to explore messaging on a less frequent basis – focusing on two or three key points each time – rather than a constant stream of educational material and alerts, which can lead to fatigue and key messages being missed or ignored. ‘In a similar vein, changing the format for cybersecurity messaging can help, for example, by avoiding the temptation always to send messages by email and instead using other formats such as posters in communal areas,’ adds Fawell.
Senior legal teams should also consider investing in cyber security risk management training and development to enable them to identify and manage high impact cyber risks.
‘Modern GRC [governance, risk and compliance] systems will interface into cyber management tools such as security information and event management (SIEM) systems, enabling technical incidents to drive risk management processes,’ says Deryck Mitchelson, Chief Information Security Officer for EMEA at Check Point Software. ‘Chief information security officers should provide legal counsel with an executive view or dashboard of cyber risks showing the current threat landscape and demonstrating reduction in risk through a robust cyber improvement programme.’
A bespoke cybersecurity policy should be introduced by every organisation to help staff understand their rights and responsibilities, says Wainwright. As a minimum this should explain the requirements of using passwords, email management, mobile and work equipment usage and of reporting suspicious activity.
‘It should be read in conjunction with employment obligations under contract for confidentiality, social media and IT policies as well as whistleblowing and antifraud and anti-money-laundering policies,’ says Wainwright. ‘It should also spell out consequences for misuse while striking a balance to ensure that staff are not inhibited from reporting mistakes or errors, to ensure all incidents are noted.’
A cybersecurity policy can assess, in terms of confidentiality, integrity and availability, which parts of your business are more and less relevant in relation to cybersecurity. ‘Each IT service, employee, each bit of information, personal or otherwise relevant, moving and “at rest”, will have risks associated with it, and a policy should define how these risks are mitigated. It’s never just one policy,’ explains Martijn Hoogesteger, Head of Cyber Security for the Netherlands at S-RM Intelligence and Risk Consulting. ‘Cyber security is woven into each part of your organisation, from the factory floor to the board, from finance to HR, from IT to legal. Everyone plays a part.’
Giay warns that companies suffering due to the energy and cost-of-living crises should beware of seeking to reduce their expenditure by spending less on cybersecurity because they may not see it as a top priority. ‘This makes companies more vulnerable, which can translate into an increase in cyberattacks,’ he says. ‘It is thus essential that companies begin to see cybersecurity as an investment – recognising risks is as important as seeing opportunities.’
The EU Cyber Resilience Act
Some solace for those worried about the increasing threat of cybercrime may be found in the European Commission’s proposal, published in September, for a Cyber Resilience Act (CRA) – the first EU-wide legislation to introduce ‘cybersecurity requirements for products with digital elements, throughout their whole lifecycle’.
‘Products with digital elements’ here means any software or hardware and its remote data processing solutions, including software or hardware components to be placed on the market separately.
The CRA, explains Son, will have the advantage of reducing overall cybersecurity risks and the damage caused by cyberattacks in the EU, but will impose an increased regulatory burden on manufacturers, sellers and distributors of such products. ‘If the proposed CRA is passed, the manufacturers of products with digital elements will be required to consider cybersecurity from their products’ design and development stages and remain responsible for the cybersecurity of such products throughout their expected life cycle,’ he explains. ‘Distributors and importers will also have certain obligations. The CRA could therefore increase the cost of regulatory compliance for businesses affected.’
For those in charge of cybersecurity, particularly within organisations operating internationally, the CRA will add a further piece of regulation to an already complex landscape of requirements, says Sommer. ‘As with any introduction of new requirements, it will be critical for organisations to structure their security approach in a holistic way to meet them, rather than a piecemeal approach that loses sight of the ultimate goal – improved cyber resilience.’
While imposing security standards and some form of accountability on private vendors is important to curb cybercrime, it will likely be futile if performed in isolation from other activities, says Dr Kolochenko. ‘For instance, the EU’s law enforcement agencies need urgent funding to expand their cybercrime investigation capabilities and capacities: all EU countries currently have understaffed and underfunded cyber police units.’