Cybercrime is no longer just about fraud and theft, and it is experiencing a golden era, according to cyber data protection expert Deirdre Crowley, a partner in Matheson’s Technology and Innovation Group. “Cybercrime takes many different forms,” she says. “We have seen a lot of activity in the ransomware and extortion spaces. Very recently, double and even triple extortion are the crimes of choice. Double extortion is where cyber criminals exfiltrate a victim’s data in addition to encrypting it. Triple extortion goes a step further and involves criminals approaching a victim’s customers or suppliers and demanding a ransom by issuing data leak threats.”
According to US-based technology news service techradar.pro, there were an estimated 623.3 million cyberattacks worldwide in 2021, costing businesses billions of euro. “No sector is immune as we know all too well from the devastating HSE cyberattack carried out on 14 May, 2021,” says Crowley.
“Cybercrime is experiencing a golden era and it’s not just remote working that is to blame. Cybercriminals can inflict large-scale damage on companies without ever setting foot in them. Cybercrime is a business, and the safe-haven problem is a key challenge. We are seeing successes such as when the FBI managed to retrieve $2.3 million of a reported $4.4 million ransom payment in the Colonial Pipelines breach in June 2021. To stay a step ahead of criminals, organisations need to constantly review their cybersecurity and cyber compliance postures.”
The initial response to cyber breaches tends to be challenging. “In the heat of the first hours of a cyberattack, all eyes are on business continuity and shutting down cybercriminals’ access to compromised systems,” she notes. “This task is extremely challenging when businesses are locked out of their own systems. Pair this reality with time-sensitive notifications to affected individuals and legal authorities and you have the perfect storm.”
The human factor is a key weakness for any business that trusts people to manage its data. “The majority of cyberattacks we advise on are triggered by an employee clicking on a malicious email,” Crowley explains. “Thanks to remote working and digital transformation, attack surface areas have increased and are a honeypot just waiting to be ravaged by cyber criminals.”
Problems are also arising in relation to insurance. “Geopolitical factors such as Russia’s invasion of Ukraine have driven some players in the cyber insurance market to the view that they are excluding state-backed cyberattacks from cover on the basis that they are an act of war. Late last year, pharma group Merck succeeded in a US court claim that a war exclusion should not be applied to its losses in the 2017 NotPetya malware attack. Russia and its government were blamed for the NotPetya attack that scrambled data from the computer systems of companies in more than 60 countries. So, the lesson here is to read the small print in cyber insurance policies carefully and ask yourself if you can live with the exclusions based on your organisation’s cyber risk profile.”
Organisations can prepare for attacks by launching their own unannounced simulated cyberattack, she advises. “There is nothing like a simulated cyberattack to help business leaders experience the impact of what it means to lose control of an organisation’s most precious asset — its data.”
Other measures that organisations can take to prepare include identifying the stakeholders that need to be notified and whether any time limits apply. “The Data Protection Commission, the gardaí, sector-specific regulators such as the Central Bank and commercial partners are likely to be on the list,” says Crowley. “Know what data your business holds, where it is stored, who has access to it and what security controls are in place to protect it. Identify swim lanes in advance and ensure that the response team knows their role, duties and responsibilities ahead of time. Talk to all external advisers in advance and involve them in your unannounced simulated cyberattack.”
Trust is at a premium. “We find that clear and timely communication with stakeholders is key to restoring trust and confidence in the victim organisation in the wake of a cyberattack,” Crowley concludes. “Stakeholders including the Data Protection Commission and the gardaí understand that organisations are the victim of a serious crime — what really matters is how an organisation responds to a cyberattack.”