Governments and businesses are being forced to treat ransomware as an urgent threat.
DarkSide, the cyber-criminal gang responsible for the recent Colonial Pipeline hack, is said to have made $90m from ransom payments since August 2020.
Despite publishing a statement that the goal is to make money, rather than create problems for society, cyberattacks are increasingly targeting larger supply chains to harness the public pressure to avoid service interruption.
It is perhaps because the attacks are starting to have such visible public impact that official awareness has increased.
The transition to remote working and the automation of critical infrastructure have put organisations more at risk. JBS, the world’s largest meat supplier, Garmin, and Fujifilm, have all made the headlines. The FBI recovered the ransom from the recent Colonial Pipelines attack, but not everyone has the FBI at their disposal. And if large, well-funded companies are struggling to cope with the threat, it is even harder for smaller businesses.
The UK’s National Cyber Security Centre (NCSC) and police advise businesses not to make ransomware payments. Many are lobbying governments to introduce legislation banning such payments. Well-designed prohibitions would require effective support for victims, or smaller companies could be stranded with insufficient technical assistance and no ability to pay without incriminating themselves. The NCSC identifies cybersecurity as a board-level responsibility. Systems must be made secure, and firms prepared for an attached. Even if all the necessary responses are swiftly carried out, the implications can be significant – not lease the risk of civil claims from third parties.
To give rise to litigation privilege, investigations into the cause of the attack, including identifying weaknesses in a business’s cybersecurity systems, should be conducted by an independent expert.
Similarly, a business should avoid the inadvertent waiver of legal privilege by keeping lawyers involved in potential liability discussions and limiting the circulation of advice to those authorised to seek it. That said, a business doing everything possible is generally the best defence to a substantial claim – and that involves clear communication.
A business’s initial response can significantly affect its insurance position. The UK’s Cyber Security Breaches Survey published in March this year, shows 43 percent of UK businesses have some form of cyber insurance, up from just 32 percent of businesses in 2020. But simply acquiring insurance does not imply protection. Initial actions will affect a business’s claim for any losses as a result of the breach – and the ease of obtaining cover for future attacks.
The prevalence and sophistication of cyberattacks is expected to increase, and businesses are limited in their ability to avoid them. It is crucial that businesses take steps to prepare, and avoid self-inflicted damage.
This article was originally published in Business Vision, see here.
Emily Heenan