In the event of a cyber crisis, organisations need to follow a T.L.C. approach. Addleshaw Goddard sets out effective measures to mitigate the after-effects of a cyber attack.
On Friday, May 12, 2017, the phrase "switching-off for the weekend" took on a cruel irony for multiple organisations worldwide.
The WannaCry ransomware attack paralysed over 200,000 computers in over 150 countries, plunging various private and public sector enterprises into chaos. The financial fallout of the attack is estimated to run to the millions of dollars and the operations of many organisations remain disrupted.
WannaCry's impact is (arguably) less a testament to the hackers' skill and more an indication of organisations' failure to prepare adequately. To survive and thrive in this digital age, it is vital for organisations to – both literally and figuratively – stay "switched-on" in the face of cybercrime.
So far, the UAE remains relatively unscathed by WannaCry. This may in part be due to the region's punitive cybercrime regime and rigorous cybersecurity habits, but it may also be down to sheer luck (given Friday is a non-working day in the region).
Last year, Symantec reported that the region was the second most targeted for cybercrime after the United States. Some form of cyber-incident is therefore inevitable. But, if organisations prepare and react effectively, it need not be catastrophic.
Cyber-crises just need some T.L.C.
How organisations prepare for and react to cyber-incidents will significantly impact the level of damage sustained. The most successful response strategies coordinate Technical, Legal and Communications expertise.
In a cyber-context these three disciplines are intrinsically linked and it is vital that organisations engage experts in each field to both prepare and then implement their response plans.
The nature of an attack (T) will determine the set of stakeholders to which an organisation may be liable (L) and that liability will inform how and to whom organisations communicate the fact of an attack (C).
Set out below are various preventative and reactive measures organisations can usefully take to mitigate the after-effects of a cyber-event, each of which follows the T.L.C. approach.
1. System security
The WannaCry malware exploited a vulnerability in outdated Windows operating systems. It is an important reminder that while hackers may be technologically sophisticated, their attack techniques often are not.
Organisations that frequently update their systems and test them for vulnerabilities will be less technically susceptible to compromise.
Secure systems also limit legal exposure. For example, DIFC and ADGM registered entities are required by data protection laws to take "appropriate measures" to secure data from loss, unauthorised access and/or disclosure and/or manipulation. The better an organisation can demonstrate it has taken such measures, the lower the likelihood of regulators issuing high-value fines or compensation awards to affected consumers.
Legal claims by employees and/or customers are also far less likely to succeed if it cannot be established that the organisation fell below the expected duty of care.
Finally, if you are confident your systems are up to industry spec, that provides a straightforward and reassuring message to communicate in the immediate aftermath of an attack.
2. Encrypt critical data
Cybercriminals are less likely to target data they cannot use.
If encrypted data is stolen or leaked, the legal implications are also less significant as confidential and private information remains protected.
Again, encrypting your data arms you with a quick-fire positive message. Nobody wants to find themselves in the same position as the former CEO of UK telecom company TalkTalk, who, when asked whether stolen customer data was encrypted, responded: "the awful truth is, I don't know".
3. Train employees using ethical hacking
Viruses like WannaCry often infiltrate systems through "phishing" or "spoof" emails. Hackers are finding ways to make phishing emails appear increasingly realistic and even the most vigilant employee may get fooled.
Organisations can employ ethical hackers to craft and send such emails to (unaware) employees as a training exercise – think of it as the cyber equivalent of a fire drill.
4. Back-up systems and operations
Ransomware attacks like WannaCry cripple organisations because they deny access to systems critical to daily operations.
If those systems are backed up separately and securely, organisations can get back online more quickly. This will limit potential collateral damage to customers or suppliers (for which the organisation could be liable) and reputational fallout. Organisations that are quick to recover may even enhance their reputation in the eyes of stakeholders.
Reaction after the Event
The above measures will provide organisations a solid foundation from which to deploy the following reactive and curative measures.
1. Take affected systems offline to contain the damage and stop additional data loss. Do not just pull the plug or just press ctrl+alt+delete.
2. Call in external forensics to assess the nature and extent of the attack.
3. If you are registered in the DIFC or ADGM, notify data protection regulators "as soon as reasonably practicable". Be prompt, but do not rush to notify in the absence of sufficient information.
4. Involve the police, if/when appropriate and particularly if a ransom has been demanded. Cyber-crime is taken extremely seriously in the UAE and the offences carry custodial sentences and hefty fines.
5. Notify insurance broker(s) and ensure your response complies with policy terms.
6. Do not pay the ransom. Ransom demands are deliberately set well below the value of the data held hostage in a bid to entice individuals and organisations to pay up. Doing so can exacerbate the effects of an attack as:
- there is no guarantee the data will be released;
- you may be marked as an easy target and exposed to future attacks; and
- if you are required by regulation to report a security breach, paying a ransom may instigate further regulatory scrutiny.
7. Consider how you can maximise your legal leverage with the media. In the UAE, defamation, false accusations and infringement of privacy all carry criminal sanctions. If faced with a media enquiry or damaging article, engage specialist lawyers with experience in reputation protection who can provide urgent advice and make recommendations.
While nothing will make an organisation entirely invulnerable to attack, the above steps, when deployed together, may be the difference between staying switched-on and being forced to go dark when the crisis hits.