Out-Law Analysis | 01 Oct 2020 | 8:17 am | 4 min. read
Improvements to the way businesses detect, manage and respond to cybersecurity incidents are possible, as the cyber team at Pinsent Masons, the law firm behind Out-Law, has identified in its latest report based on analysis of cyber matters worked on during the year up to May 2020. This is despite the relentless efforts of cyber criminals to gain access to and exploit IT systems.
The prime motivation for cyber criminals remains financial gain, and attacks are most often focused on compromising business email accounts and perpetrating fraud by diverting payments.
Attackers made a ransom demand in 16% of incidents we advised on. Making a ransom payment raises complex legal issues, including the risk of breaching terrorist-financing, anti-money laundering or proceeds-of-crime laws, and must be thought through carefully. Ensuring robust back-ups and data recovery tools are in place is a critical defence against cyber extortionists. Those back-ups also need to be kept offline or otherwise out of reach of an attacker who has gained administrative access, and restoration should be tested in advance, or they will simply be encrypted along with everything else.
Weaknesses in cyber defences continue to be found at points of human involvement. A third of all data security incidents affecting our clients stemmed from phishing emails, with increasingly sophisticated scams that can appear genuine. People can serve as an effective last line of defence, but without effective training, staff will not know how to spot and stop a scam.
Often phishing emails or other intrusion methods are used only to give the attacker a foothold in the IT infrastructure. Recent intrusions against a number of our clients by a well-known attack group exfiltrated a significant amount of data before encrypting systems and demanding a ransom, highlighting the risk of two-pronged attacks that seek to extort organisations twice: once for the decryption key and again over the threat to publish the stolen data, which back-ups alone do nothing to address.
The cybersecurity challenges arising out of the coronavirus pandemic are evolving quickly, but we have seen how criminals are seeking to capitalise on the crisis.
There has been an explosion in the number of Covid-19-related lures being used by cyber criminals to seek to inject malware and gain access to infrastructure.
In the UAE, for example, we have seen scammers' tactics include emails promising urgent coronavirus updates which attempt to con internet users into downloading malicious software. We have also seen fake appeals for donations to help those affected by the pandemic, and websites selling cures, vaccines or protective equipment that do not exist.
In Singapore, we have seen a rise in phishing campaigns targeting both businesses and individuals for sensitive financial and personal data in the context of Covid-19. A large number of these attacks were premised on the recipient being awarded monies from a "Covid-19 fund".
Many businesses have become more reliant upon potentially insecure networks and personal devices, and some security controls, such as virtual private networks, multi-factor authentication and endpoint security programmes, often had to be disabled if they interfered with ordinary business, became overloaded or failed to work as intended.
We have seen a number of data breaches stemming from human error, often due to resourcing issues arising from Covid-19. Examples include breaches caused by the compromise of employees' VPN connections while working from home, and breaches caused by skeleton mail-room staff being tasked with compiling and issuing correspondence that is normally managed by specialist administrative teams.
In the UK, some clients reported suspicions raised by the National Cyber Security Centre and the Information Commissioner's Office that they may have been specifically targeted, potentially by nation state actors, because of their involvement in Covid-19 critical national infrastructure, such as healthcare, clinical research institutes and food distribution networks.
Covid-19 has also impacted upon the ability of our clients to respond to incidents when they do materialise.
IT teams have been overloaded by dealing with the changes to business operations, such that cyber incidents have had to compete for priority.
Businesses have had to deal with important members of their IT team being unavailable and therefore unable to identify and triage issues, causing a delay in the identification of an incident.
A lack of access to contractors, consultants and core suppliers has increased exposure to old and new cyber threats. In some cases a lack of access to physical premises has prevented the identification of an incident involving the loss of personal data held in physical form.
Changed or intermittent working patterns of staff have also made incident response more sluggish.
Our analysis found that 75% of incidents we advised on were detected within 20 days of the date of intrusion. This compares to 66% last year. While this suggests that organisations are identifying matters quicker, most of this data relates to the pre-Covid-19 period, and we predict that there are likely to be a relatively high number of breaches that have already happened that have not yet been detected: next year's numbers may look quite different.
However, we also found that 72% of all incidents were detected internally, through an organisation's own processes or by staff noticing anomalies. This compares to only 43% last year, when the majority of incidents came to light because a third party reported them. Although there are a variety of reasons to explain this, it should be welcomed that organisations are seemingly better equipped to detect problems themselves, even if internal detection does take a little longer.
Our findings highlight the importance of not only having in place robust cybersecurity measures, but also investing time, resources and money into being best prepared for how to act in the event of an incident. Our experience is that organisations are increasingly aware of the importance of having up-to-date and well rehearsed incident response plans.
Over the next 12 months businesses will need to continue dealing with an uncertain Covid-19 working environment. This will require an assessment of what the "new normal" will look like, and what the role of cybersecurity is in that.
As organisations rapidly increase their use of cloud providers, the long term impact of Covid-19 may ultimately lead to widespread improvements to cybersecurity, since cloud providers tend to have significantly higher cybersecurity standards than their customer organisations. Under the shared-responsibility model, however, the customer remains responsible for how identity, access and data are configured on the platform. It is therefore highly important that businesses review and enable as much logging as possible in relation to their cloud service usage, and check that the logs actually cover every account and region in use, are protected from tampering and are retained long enough to investigate a breach that is only discovered months later.
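The kind of review described above can be scripted. The following is an added example, not code from the article or from Pinsent Masons: it audits a constructed inventory of cloud audit-log settings and reports, per account, whether logging is switched on at all, whether every required region is covered, whether log-integrity validation and control-plane event logging are enabled, and whether retention meets a policy minimum. The record shape is an assumption modelled loosely on AWS CloudTrail trail settings; `REQUIRED_REGIONS`, `MIN_RETENTION_DAYS` and the sample accounts are all constructed for illustration.

```python
"""Audit a constructed inventory of cloud audit-log configurations.

Added example, not part of the Out-Law article. The record shape is an
assumption modelled loosely on AWS CloudTrail trail settings; the sample
inventory below is constructed data, not real accounts.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumption: the regions the business actually operates in.
REQUIRED_REGIONS = {"eu-west-1", "eu-west-2", "us-east-1"}
# Assumption: policy minimum so that a breach found months later is still investigable.
MIN_RETENTION_DAYS = 365


@dataclass
class LogConfig:
    account: str
    region: str
    logging_enabled: bool
    multi_region: bool          # one trail covering every region in the account
    integrity_validation: bool  # log-file digest / hash chain switched on
    retention_days: int
    includes_management_events: bool  # control-plane (who changed what) events captured


def audit(configs: List[LogConfig]) -> Dict[str, List[str]]:
    """Return account -> list of findings; an empty list means the account passed."""
    by_account: Dict[str, List[LogConfig]] = {}
    for c in configs:
        by_account.setdefault(c.account, []).append(c)

    findings: Dict[str, List[str]] = {}
    for account, trails in by_account.items():
        issues: List[str] = []
        active = [t for t in trails if t.logging_enabled]
        if not active:
            issues.append("no active audit logging")

        # Coverage: a multi-region trail covers everything, otherwise only its own region.
        covered = set()
        for t in active:
            covered |= REQUIRED_REGIONS if t.multi_region else {t.region}
        missing = REQUIRED_REGIONS - covered
        if active and missing:
            issues.append("regions without logging: " + ", ".join(sorted(missing)))

        # Per-trail quality checks: tamper evidence, control-plane events, retention.
        for t in active:
            if not t.integrity_validation:
                issues.append(f"{t.region}: log integrity validation disabled")
            if not t.includes_management_events:
                issues.append(f"{t.region}: management (control-plane) events not logged")
            if t.retention_days < MIN_RETENTION_DAYS:
                issues.append(f"{t.region}: retention {t.retention_days}d below {MIN_RETENTION_DAYS}d")
        findings[account] = issues
    return findings


def noncompliant_accounts(configs: List[LogConfig]) -> List[str]:
    """Sorted names of accounts with at least one finding."""
    return sorted(a for a, issues in audit(configs).items() if issues)


# Constructed sample inventory: one compliant account, one partial, one with logging off.
SAMPLE_INVENTORY = [
    LogConfig("prod", "eu-west-1", True, True, True, 400, True),
    LogConfig("dev", "eu-west-2", True, False, False, 30, True),
    LogConfig("legacy", "us-east-1", False, False, False, 0, False),
]

if __name__ == "__main__":
    for account, issues in audit(SAMPLE_INVENTORY).items():
        status = "OK" if not issues else "; ".join(issues)
        print(f"{account}: {status}")
```

The point of the per-region coverage check is that a single trail in one region looks like "logging is enabled" in a console but leaves activity elsewhere invisible; the retention check is what decides whether the late-detected breaches the article predicts can still be investigated when they surface.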
This is an important point at which to review incident response plans and procedures and test whether or not current ways of doing things still work in changed working practices, in the context of the threats that are likely to be most prevalent in the future.