
10 August 2021 • 4 minute read
Don’t wait until you’ve been hit to take action against cyberattacks
This article was originally published in the Business Post on 8 August 2021 and is reproduced with permission from the publisher.
We are witnessing a growing surge in cyberattacks and data breaches, with organisations rightly looking at the steps they can take to mitigate risk and protect against threats.
While such attacks and breaches are often the result of sophisticated assaults launched by cybercriminals, remote working and advancements in technology have exacerbated accidental data breaches linked to employees, highlighting the need for increased staff training and internal security measures.
There were 6,615 data breaches notified to the Data Protection Commission (DPC) here [in Ireland] in the 12 months to January 2021, the sixth highest level across Europe and the third highest on a per capita basis.
Employee-related breaches come in many different forms. We are continuing to see significant volumes of unauthorised disclosure as a result of individuals relying on the auto-complete feature when inputting email addresses, as well as an increase in reports related to individuals using the CC field instead of the BCC field, exposing each recipient’s personal data to every other recipient. The DPC has highlighted the continued prevalence of such breaches as an area requiring additional enforcement.
We are also seeing an increase in incidents related to unauthorised access to data. The pandemic accelerated the digitisation of business and the shift to remote working, and the IT changes and outsourcing of technology needed to facilitate that shift have inadvertently widened the attack surface, giving attackers more entry points and creating significant data security risks.
As organisations continue to adapt to a changing work environment, we anticipate a future increase in incidents related to unauthorised access to data and unauthorised disclosure.
Organisations that fall victim to a cyberattack or extensive data breach not only experience short-term financial and operational impacts, but also face long-term impacts from customers, partners and stakeholders losing trust as well as potentially years of expensive and time-consuming litigation and investigations.
With cybercriminals becoming more and more sophisticated, it is increasingly difficult to trace or identify the source of an attack, and organisations are often left feeling they have few options but to pay a hefty ransom. Although this might seem like the only solution, there are significant legal issues associated with paying ransoms in the context of ransomware attacks, in particular the possibility that payment can lead to breaches of anti-money-laundering and counter-terrorist financing rules.
Indeed, recent guidance from the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) advised companies providing services to victims of ransomware attacks of potential “sanctions risks” for facilitating ransomware payments, highlighting that multiple malicious cyber actors fall within the scope of OFAC’s cyber-related sanctions programme.
There are also insurance implications related to the increased frequency and severity of ransomware attacks: the rise in ransomware-related claims is driving up the cost of cyber insurance, and insurers are beginning to reassess what they will and will not cover in the event of an attack.
Insurers now have increasingly high expectations of the organisations to which they sell cover and of the security measures these organisations should have in place. As a result, companies with weak security measures are finding it harder to buy cyber insurance. Organisations of all shapes and sizes are at risk of cyberattack, highlighting the importance of robust cyber security for every organisation, regardless of its current threat level.
There are a number of steps organisations can take to reduce their exposure. Firstly, develop an internal process for identifying, assessing and mitigating cyber-security risks, and ensure all employees know what their role is within this process.
With the increased risk of enforcement, claims and litigation, multinational businesses are increasingly involving legal teams as core stakeholders in their incident response teams.
Carry out periodic reviews of internal processes and IT security measures. Don’t assume that because you haven’t been affected, your internal cyber security process is without fault. Regular reviews and stress tests of those processes and measures will surface gaps; make any necessary updates, and ensure the updates or changes are applied and communicated to staff at all levels.
Putting a reporting framework in place means employees at all levels know what to do and how to report any potential risks without delay. Cyberattacks and data breaches can trigger many reporting requirements, both internally and externally to regulators, law enforcement, customers, suppliers, insurers and other stakeholders.
Carry out regular staff training to ensure employees are up to date on evolving threats and on the current framework for notifying breaches. Encourage staff to bring forward any potential or accidental threats or risks by promoting a no-blame culture.
Many think that becoming the victim of a cyberattack is unavoidable, and in some cases this is perhaps true, but there are steps you can and should take to ensure you’re as protected as possible. Don’t wait until you’ve been hit to take them.