Emma Burnett, Partner and UK Head of Technology and Data Protection CMS
As a member of Generation X, I moved fairly seamlessly from analog to online, perhaps not noticing how quickly and completely day-to-day tasks were transformed. The next generations, as we all know, have emerged as digital natives and know almost nothing of the rotary phones, payphones, fax machines and dial-up connections that were so central to our lives.
Today, we hold our whole lives on our phones, where we easily complete once onerous tasks such as banking and bill payments, while participating in new areas such as multimedia, social media and cryptocurrency investment. But these phones, and the routes they offer into our lifestyles and our employers, are an attacker’s dream come true.
A new criminal opportunity
Looking back at the last 30 years, what’s most notable is the rapid development and proliferation of technologies available to individuals including employees of SMEs and large corporations. Against this backdrop, risks and threats – both intended and accidental – have moved to the digital realm. Common criminals and other malicious actors have adapted, following their targets – both small and large entities – online.
During my career as a data protection lawyer for 20 of those 30 years, I’ve witnessed dramatic changes across the compliance landscape. I’ve supported clients navigating their way through ever-increasing and complex legal threats in the cyber world. To do this, I’ve recruited more and more privacy experts into my team in order to meet client demand for data protection compliance advice. Data law was once obscure, but is now front, right and centre.
Increasingly sophisticated ransomware attacks
Ransomware has become one of the most frequent and disruptive types of cyber incident my clients face. Usually, this consists of a computer virus that disables computers and encrypts systems and files so that the affected entity cannot view or access those files. They then demand a ransom, in exchange for a decryption key to restore systems and restore impacted files. These criminals have become savvier, seeking to extract huge sums from businesses, in some cases using simple tools to exploit vulnerabilities. There is a highly active underground economy that looks very much like legitimate commerce. Some ransomware groups even have customer service and IT support.
Around the millennium, cyber criminals were less prolific, but around 2010, it became cheaper and seemingly easier, leading to blanket attacks on a higher volume of lower-value targets. Now, it is just another form of extortion, one method among many used by organised crime gangs.
Now, an attack on a service – or a denial of service – has evolved into double extortion: a target that does not pay ransom will lose their data, which may then be shared with clients, competitors or on the dark web. What’s more, the ransomware can propagate and spread, and once caught, require a large clean-up operation.
A triple extortion, which could involve healthcare, aircraft or national infrastructure, might comprise a convergence of cyberattacks, in which a first attack lays the grounds for future attacks.
Finally, quadruple extortion might see criminals encrypt a target’s data, steal and threaten to release it, and then deny service before beginning to harass customers and employees directly or on social media.
However, attacks can also often come in a very basic way, now that the barriers to entry have fallen. It is even possible to purchase ransomware-as-a-service on the internet. Typical vulnerabilities could include legacy systems, or just poor basic security. Any decision to make a ransom payment should only be taken after considering whether all other options have been exhausted; whether or not the payment itself is lawful, and whether it requires consent from, for example, the insurer or another third party. Fortunately, SMEs and corporations have also become savvier, and those that are both knowledgeable and prepared are now equipped to better prevent – or at least overcome – attacks.
Telecoms sector vulnerabilities
While digitisation has many advantages, it also creates more potential entry points for attacks, targeting those who use the technology as well as the providers of that technology. Our communications infrastructure has never before been in such high demand, or of such critical importance.
Smishing, or phishing using SMS, is one of the new simpler techniques I now see. SIM farms enable this type of activity to be facilitated on a mass scale. These attacks on individuals appear to originate from sources such as government tax and Covid authorities, large logistics companies, the largest tech and social media companies and online marketplaces, as well as major businesses such as insurers and mobile operators.
In 2019, the US had over 100,000 victims of phishing, smishing, vishing and pharming, causing more than $57 million in losses. Over the same period, there were 2,373 malware and virus attacks, leading to around $2 million in losses, according to IC3, the FBI’s cybercrime complaint division. Over a three-year period (June 2016 – July 2019), the Europe Payments Council reported over 166,000 phishing complaints worldwide, leading to $26bn in losses.
Critical digital infrastructure
The move to 5G, and concurrent network virtualisation, will further enable devices and machines to communicate with each other, and create platforms for entire companies and industries. While again this is exciting, the sector is particularly attractive to attackers due to the very nature of its critical infrastructure and access to millions of customers’ personal data.
In 2015, UK operator TalkTalk suffered a cyberattack that resulted in 157,000 customers’ personal details being accessed. Of these, 15,600 saw their bank account numbers and sort codes being stolen, while a further 28,000 credit and debit cards were “obscured,” meaning they could not be used. As a result, TalkTalk shares immediately fell by a third, and the company was fined £400,000 by the Information Commissioner’s Office (ICO). Four people, three of them teenagers, were arrested in connection with the attack. Many countries are also adopting industry-specific laws for communications network providers and communications network operators, requiring them to take appropriate steps to guarantee the integrity of their networks and to ensure the continuous availability of the services provided via those networks. This is often also coupled with telecoms-specific data protection regulation and reporting obligations which can, in some countries, mean breach notification deadlines of mere hours.
In December 2021, T-Mobile Polska faced a distributed denial of service (DDoS) attack, in which attackers tried to paralyze a network by flooding it with high volumes of data traffic. The company described this as the largest of its kind across both T-Mobile’s regional businesses and on any Polish mobile business. Though its critical systems were not impacted, the company is now analyzing the damage and preparing a report to the relevant agencies.
Building a multi-disciplinary cybersecurity team and strategy
Regardless of industry sector, I always advise my clients to create a team of trusted experts before an incident happens – not after – so that they can collectively respond more quickly, more intelligently, and more seamlessly in a time of panic. Resilience must be built into working practices.
Cybercrime is organized crime that often operates just like a business. In order to become more resilient to cyberattacks, you need to match this by setting up a multi-disciplinary team responsible for managing cybersecurity. Representatives from across departments, as well as external advisors, will need to be involved.
Any cybersecurity strategy must be rooted in an understanding of your company’s legal obligations. These fall into four broad categories: contractual and intellectual property obligations, privacy laws, cybersecurity laws and industry regulations.
First and foremost, compliance policies and processes must be widely understood and embedded into all operations.
Keep data secure: Your organization will likely be subject to obligations to keep data secure, whether under privacy laws, cybersecurity laws, sector regulation conditions or contractual commitments to third parties. The obligations will depend on the nature of your business and the jurisdictions in which you operate.
Manage third parties: Data laws, as well as contractual commitments, typically require organizations to take responsibility for the people with whom they share data. For example, if you work with a technology vendor and share data with it, you must manage that vendor and ensure they keep data secure. The vendors themselves must demonstrate how their security measures meet the necessary standards. Any cybersecurity strategy is only as strong as the weakest link in the chain. If the partners with whom you share data or content do not have strong security measures, you are exposed.
Communicate and train the team: A strategy is only effective if it is applied. Developing a plan is only the first step, so there must be a culture of security across the business, with top- down support and frequent training for all relevant personnel. This reduces risk, and potentially reduces your exposure if a breach does occur, as regulators will often look at training when assessing whether appropriate measures had been in place. For large organizations, in-person training can be a logistical burden, so advisers such as CMS are increasingly offering eLearning solutions that can be immediately rolled out.
Test it: Just as regular drills are necessary to prepare for a fire, organisations should regularly test their cybersecurity plans to ensure that they are fit for purpose, and that each relevant team member knows their role. As a starting point, I recommend carrying out a cybersecurity incident workshop, based on a rolling breach scenario, with representatives from senior leadership, legal and compliance, HR, PR and communications, IT and operations.
Keep it under review: Each data incident poses new challenges for response teams, and as data regulation evolves, your business’ approach to data security and data breach response must also evolve.
Notify if a breach occurs: Data laws increasingly require notification if a breach occurs. For example, the EU’s GDPR will require organisations to report certain types of data breaches to regulators, and in some cases to affected individuals, within 72 hours of becoming aware of the breach. At a contractual level, you may also be required to notify affected partners. In the UK, 25,965 incidents were reported to the Information Commissioner’s Office (ICO) between 1 July and 30 September 2021, of which 6,452 were cyber. Of the total, 5,000 incidents impacted the health sector, with education & childcare the next most affected.
Penalties and business impacts
Although the financial penalties are potentially large and must be taken seriously (e.g., GDPR carries a maximum fine of 4% of worldwide turnover, or €20 million), the greater concern for many companies will often be:
- an inability to operate the business whilst IT systems have been compromised without suitable back-up;
- loss of valuable intellectual property rights;
- contractual and civil exposure – a cybersecurity incident could place you in breach of contractual obligations to third parties or exposure to claims from data subjects (including the potential for substantial class actions); and
- reputational fall-out – breaches often make the news but even when they don’t, regulators commonly “name and shame” organisations that fall foul of the rules. The reputational impact of a cybersecurity incident can be difficult to quantify and can range from loss of subscribers to longer-term brand damage.
Consider cybersecurity insurance
Several large insurers offer cyber coverage, which should be considered as part of your overall insurance strategy.
In 2019, Sophos noted that 48% of UK organisations had faced ransomware attacks between 2019 and 2020. Of these, 13% had reportedly paid the ransom – an average of $840,000. Surprisingly, given these figures, some 32% of UK companies have a cybersecurity insurance policy that does not cover ransomware. Policies used to be quite generous, because insurers hadn’t anticipated the enormous increase in ransom attacks, but the cyber insurance market is experiencing a sharp increase in premiums, tighter underwriting and cover for ransomware-related claims is limited.
Looking ahead
Cyber and ransomware attacks are not going to go away anytime soon, and in my view, it is not a question of whether an organisation will be involved in a cyber incident – but when.
Lindy Cameron, CEO of the UK’s National Cyber Security Centre, said during a 2021 speech: “Because cyber security is a team sport, and everyone has their role to play – it can’t just be a problem for anyone to ignore and assume somebody else is solving.” The public and private sectors must work together to educate citizens about how they can protect their own data. Regulators and information security officers must also collaborate to share information about threats, report them as soon as they occur, and learn from attacks. More specifically, reflecting on the increasing risk of a ransomware attack, with its potentially high operational impact, establishing emergency plans and protocols is a critical investment. The more time an organisation saves by setting up incident response teams, the more effectively internal and external lawyers like myself can help support the myriad of legal challenges resulting from any attack.
Emma Burnett is a partner and UK Head of Technology and Data Protection at CMS. Her practice focuses on data protection, cybersecurity and technology. She regularly advises high profile international clients on her core specialism of data protection and has significant experience in information technology, having previously undertaken secondment to various clients. Emma is known for her proactive, solutions oriented approach and acts for clients across a wide range of industry sectors, including the telecommunications, technology & media, life sciences and financial services sector. Emma regularly advises on large cross-jurisdictional privacy projects and co-ordinates advice within CMS and beyond. Emma sits on the editorial board of Lexis PSL where she advises on data protection, IT and telecoms. Emma has extensive experience in advising organizations on compliance with data protection laws and has advised multiple clients on data breaches and cybersecurity.