Scope of cyber risk highlighted in ENISA report

Out-Law News | 02 Nov 2021 | 2:46 pm | 2 min. read

The scope of cyber risks businesses in Europe are facing is increasing, according to a recent report.

According to the EU Agency for Cybersecurity (ENISA), ransomware has been the “prime” cyber threat to businesses in 2020 and 2021. However, the body also highlighted how many cyber criminals are targeting critical infrastructure and business supply chains as well as a rise in cryptoasset-related cybercrime.

The report, which considered the threat landscape between April 2020 and July 2021, also highlighted how criminals are using distributed denial of service (DDoS) attacks to disrupt the operation of the so-called ‘internet of things’ (IoT) – devices that are connected to mobile broadband networks through technologies such as ‘5G’.

Wouter Seinen of Pinsent Masons in Amsterdam said: “More and more companies are being exposed. Industrial and technology businesses in particular should be aware that IoT and industry control systems (ICS) are on the radar of threat actors.”

“The ENISA report cited a three-fold increase in the number of threat groups targeting ICS networks in recent times. The objectives of these groups vary from information collection and long-term persistence to disruption of ICS operations and potential physical destruction of assets. The report predicts the interest in targeting ICS networks will grow in the near future. This should be a wake-up call to all companies to step up cybersecurity efforts, particularly where they are reliant on connected technology, regardless of their size and location,” he said.

“More generally, the report confirms a trend that smaller and less renowned companies are being targeted, as sophisticated cybercrime technology becomes more broadly available through ‘Ransomware-as-a-Service’ models,” Seinen said.

Andre Walter, also of Pinsent Masons in Amsterdam, said the report further highlighted how cyber risk is being impacted by the increasing complexity of the ways businesses are operating.

Walter said: “Business operations are getting increasingly complex, often involving multiple data processing parties and cloud environments. Therefore, cybersecurity resilience in the supply chain gets increasingly important.”

“At the same time, we see threat actors showing exceptional technical expertise and having clear strategic objectives in selecting their targets. Besides taking a strategic approach, threat actors can also be quite opportunistic as the diversified and complex world of supply chains also increases the number of potential targets, not all of them equally well protected. The shift to teleworking during the Covid-19 pandemic has also led many businesses to rely and depend on third-party suppliers for their operational needs,” he said.

Walter said that it is not enough for businesses to implement contractual measures to ensure the cyber resilience of their supply chains.

“Cybersecurity should go further than just putting contractual controls in place – a data processing agreement is not sufficient to be prepared for cyber attacks,” Walter said. “All supply chain parties must implement strong technical and diligent organisational measures for ensuring the security of their piece of the supply chain. This should include regular testing, assessment and evaluation of the effectiveness of the measures.”

ENISA also reported an increase in the number of cyber criminals using artificial intelligence (AI) tools to spread disinformation “to reduce the overall perception of trust” and thereby undermine cybersecurity efforts.

Sari van Grondelle of Pinsent Masons in Amsterdam said: “New to the list of security threats identified by ENISA is misinformation and disinformation. It is considered a threat because it can be used to influence human behaviour, for example as part of social engineering tactics. This highlights the importance of training employees to identify threats to increase their resilience against such threats.”