On 10 May 2017, Addleshaw Goddard's UK Reputation & Information Protection and Dubai Commercial Litigation teams hosted a Crisis Simulation event in Dubai in conjunction with ASDA'A Burson Marsteller's Corporate & Crisis Practice.
The session could not have been more timely as the 'crisis' in question related to a cyber attack leading to data theft and ransom demands and took place several days before the global outbreak of ransomware which has hit more than 200,000 victims in 150 countries.
The half-day event was aimed at tackling the challenges faced by crisis response teams by encouraging legal and communications teams to work together to react to the crisis as part of an as-real 'Pressure Test' crisis simulation.
In terms of preventing an attack, your IT department is key to ensuring that all IT systems are kept up to date through the regular deployment of security patches and that antivirus software is installed on all your computers. It is also our recommendation to have a crisis management team in place to deal with any urgent issues and to have comprehensive incident response plans in place to deal with security breaches or attacks.
If you would like further information on how best to respond during a crisis or to arrange for a private in-house crisis simulation event, please contact Paul Hughes.
In the meantime, we set out below some practical steps to consider during those first few crucial hours following a cyber attack.
What to do immediately following a cyber-attack
As part of your initial response plan, you should:
- Mobilise your crisis management team with support from communications and legal advisers, as appropriate
- Alert and activate everyone on the response team, including external resources, to begin executing your incident response plan
- Secure the IT systems affected by the cyber-attack to help preserve evidence and bring in your forensics team to begin an in-depth investigation
- Stop additional data loss: take affected equipment offline, but do not turn it off or start probing the computer until your forensics team arrives
- Protect your reputation with an internal and external communications strategy, supported as necessary by crisis communications specialists and/or reputation lawyers
- Involve the police, if/when appropriate and particularly if a ransom has been demanded
- Notify regulators, after consulting with legal counsel and upper management
- Notify insurance broker(s) to ensure compliance with policy terms
Avoid the temptation to pay the ransom
If your company or organisation is unfortunate enough to be hit by this recent or any other cyber-attack you may be tempted to pay the ransom.
We often see that ransom demands are deliberately set at a relatively low level (in the recent attack it was said to be around $300) to make it less expensive to pay the ransom than it would be to pay for outside IT security consultants to come in to fix the problem.
There are several reasons why you should think twice before paying any ransom:
- Quite often these types of cyber-attacks are a form of advertisement for the hacker to show off their abilities and be hired or procured to undertake more damaging attacks in the future;
- Hackers often communicate with each other in chat rooms and on the so-called 'dark web' and share information about vulnerabilities they have discovered. If you pay a ransom for one type of cyber-attack, you may leave your organisation open to further attacks by other hackers as well; and
- If your company is in a regulated industry such as financial services you may have to report any security breach to your regulator. Paying a ransom may instigate further regulatory scrutiny.
Damage to reputation and retrieving your data
The recent WannaCry attack appears to be focussed on encrypting the data where it is located and then unlocking it once the ransom is paid, rather than any loss of data. Other types of cyber-attacks we have seen have involved data being damaged or extracted and then held to ransom.
Addleshaw Goddard have specialist lawyers with experience in reputation protection, retrieval of stolen data and financial crime who can provide urgent advice and make recommendations.
While it may not be possible to prevent an attack, how you respond once it hits will be key to ensuring your business, and its reputation, recover as quickly as possible.
Cyber Crime in the UAE
You should also be aware of particular issues relevant to cyber crime in the UAE:
- Cyber crime is taken extremely seriously in the UAE, and there is a range of offences that any individual found guilty of hacking might face, carrying custodial sentences and hefty fines
- Ensure that you are aware of your reporting obligations. Whilst there is no formal reporting obligation for companies registered onshore in Dubai, there are strict duties to report for companies registered in the DIFC and ADGM
- Bear in mind that the cyber crime laws in the UAE apply not only to those guilty of the type of offences linked to hacking, but to a broad range of internet-based offences. Make sure you consider what you are posting or circulating online, and that you are not breaking any laws, before you do so