Laura Gillespie,

Partner, Pinsent Masons (Belfast)

Murky World of Cyber Criminals

Laura Gillespie looks at how cyber criminals could hold your business to ransom.

The pandemic has seen a surge in the reliance upon technology in most aspects of business and professional life; almost all businesses rely more than ever on technology to function and it is this reliance that has presented the latest opportunity for cyber criminals.

A recent UK government report into cyber security breaches found that four in ten businesses report having suffered a cyber security breach in the last 12 months. In that time, the dedicated Pinsent Masons cyber team in Belfast has supported clients in all sectors, responding to many forms of cyber security incident. We share some insights.

Ransomware – a showstopper

Cyber criminals enjoy the luxury of not having to leave home to cause havoc; that can be done from the comfort of their armchairs. There has been a surge in ransomware attacks, leading the UK National Cyber Security Centre to issue a warning of the increased threat in February. Typically, these sorts of attack involve the threat actor gaining access to IT systems and encrypting them, rendering all the content inaccessible to the business and holding that information to ransom. This can be a complete showstopper: if the business relies on those systems to function, it essentially becomes paralysed. The only options to remedy the situation are either to restore the IT system from back-ups (if available and not also encrypted) or to seek decryption.

The good, the bad and the ugly

Not all cyber criminals share the same motivation. “White hat hackers” can and do explore vulnerabilities in IT systems, looking for back doors and outdated technologies but with the intent only of ensuring the business rectifies the situation. However, the hardened cyber criminal has a more malicious intent. Looking back 12 months at how ransomware attacks were being carried out, the threat actor would typically encrypt the system and, on occasion, leave a ransom demand hoping to elicit a payment for decryption. However, if a business was able to restore systems and didn’t engage, the attacker often simply moved on to their next victim. That has changed. There is a real and growing trend whereby cyber criminals now deploy ransomware, make their demand and demonstrate “proof of life”. Usually, this amounts to providing extracts of personal data which have been taken from the IT system, and when the ransom demand is made, so too is the threat of releasing the information either into the public domain or onto the dark web. The threat is therefore not only to ongoing business continuity, but also of the potential fines and compensation claims which may arise from a personal data breach.

Responding to a ransomware attack

When an attack occurs, a clear plan of action is needed to ensure the myriad of practical and legal issues are addressed. Emails may not be available, payroll may not be capable of being run, staff may be unable to do any work at all. It is essential that the response can still be co-ordinated at board level to include actually communicating with one another and external advisers. Forensic IT support can assist with assessing the extent of the damage and how best to restore from back-ups, if they are held.

However, in some situations, whether because no back-ups are available, they are also encrypted, or it will simply take too long to restore, some businesses feel they have no option but to consider engaging with the threat actor to seek a decryption key through a ransom payment. Negotiations can and sometimes do ensue. In fact, some cyber criminals will see the value in good “customer service” to encourage other victims in the future to engage. Such dialogue clearly comes with its own risks, not least that the business commits an offence by making payment to sanctioned organisations.

The ramifications are broader still – if personal data is caught up in the attack (HR files, ability to pay salary, for example), then unless the people affected are unlikely to have their rights and freedoms impacted by the incident, a report will have to be made to the Information Commissioner’s Office within 72 hours of becoming aware. In some circumstances, it may also be necessary (in law) to tell the people concerned that the attack has occurred.

Learning from experience

Ransomware attacks are targeted against all sorts of businesses, and all sizes too. To best equip your business in the face of this growing threat you should:

1. Review IT security and document your process. Make sure patches and updates are applied and consider how best to protect business-critical or sensitive information – this may involve using encryption on certain parts of your IT infrastructure. Ensure your staff are trained and understand the importance of following IT security policies and protocols.

2. Keep regular back-ups (and separate to your network and systems). It is obviously crucial to also know how to restore from these back-ups in a secure way, preventing any system from becoming re-infected.

3. Prepare for an incident. Know how you will communicate if systems are down, who will take the lead and how to contact key advisers such as insurers, legal advisers and forensic support. In the initial hours of an attack, it will be crucial to have a clear response strategy not only seeking to minimise the business continuity risk, but also to manage the risks to business and personal information as well as managing any communications with the attacker.

The murky world of cyber crime is evolving constantly and lurks in many dark corners. Ensure you have reviewed your business’s preparedness in facing that challenge. Pinsent Masons has launched “Cyturion”, a response platform for preparing for and responding to cyber attacks.
