COVID-19 has prompted organisations (including law firms) to fast track technology procurement to mobilise their workforces, bolster online presences and improve supply chain efficiency. Has this rapid uptake also created extra risk?
Technology 'as a service' is becoming increasingly common. However, legally binding digital contracts and instant-access systems and software mean the risk assessment undertaken by traditional procurement processes or legal advisers is often bypassed.
With cloud, there is no waiting and no transfer of title of the kind that comes with hardware and our traditional concepts of 'products' and 'goods'. If you have an internet connection, a range of cloud services is literally at your fingertips, at the click of a button or, more accurately, at the click of a click-through agreement. The safeguards of due diligence, comparing suppliers, negotiating terms and ensuring compatibility with other systems may be sacrificed, leaving businesses exposed to risk that was previously managed within effective corporate governance structures.
Understanding the threats
Human error remains a common problem - such as sending an email to the wrong address, or attaching an unencrypted file containing personal, sensitive and/or confidential information. In electronic format, that information is easily copied and distributed, and deletion of the file is essentially based on an honour system.
Ransomware-as-a-service (RaaS) is the most concerning cyberthreat. Like other 'as-a-service' models, it is an enabler. It is subscription-based and allows even 'beginner' cybercriminals to launch attacks expediently. In essence, it involves cyber threat actors working together - one identifying the target and data, the other supplying the malware and an intermediary collecting the ransom and splitting the proceeds between them. It is often referred to as a malicious franchise. Another description is 'acting in concert' or 'joint criminal enterprise'.
How prepared are businesses in responding to these threats?
Many businesses are underprepared. Even when they have a data breach response plan, it's often stored on servers and may be rendered inaccessible during a cyber incident. The Federal Government's Cyber Strategy 2020 report flags express directors' duties in relation to cyber security, which could mean greater potential for shareholder class actions where a cyber incident leads to a drop in share price.
All businesses today need data to operate. Whether that data is personal, sensitive, confidential, privileged or simply essential to running the business, as soon as that data becomes inaccessible, business comes to a grinding halt.
Are there particular times of year that are attractive to cyber criminals?
Cyber criminals can attack at any time, but their impact will be greater if they catch businesses off-guard or when the stakes are high. Cyber criminals are not just dark web junkies; they are sophisticated and business savvy. They target times of year that provide the greatest leverage. For retail and online businesses, Christmas, Boxing Day and the early New Year are periods ripe for attack. No one wants to be brought to their knees during the biggest sales period of the year. It's the perfect time to strike and make demands.
What can businesses do to protect themselves against these threats?
- Review your IT systems and increase malware detection measures.
- Remind your staff to be on the alert for phishing emails and actively monitor compliance with your IT policies.
- Ensure data breach response plans are up to date and fit for purpose.
- Require two-factor authentication, including from third-party tech vendors.
- Encrypt the most sensitive and business-critical data, including customer data. This will require a data audit.
- Reinstate robust procurement processes for cloud services and ensure your contract will help, rather than hinder, you at a time of crisis.
- Obtain cyber insurance.
What should businesses do if they experience an attack?
- Activate your data breach response plan - your external lawyer is well placed to be a custodian of this plan and to play a key role in ensuring timely, effective and compliant steps are taken.
- Engage a cyber forensics team as soon as possible to understand what data and which people have potentially been affected. Waiting until exfiltration of data has been proven is not enough and is dangerously narrow: screenshots of data require no extraction or transfer from a server, so identifying potentially impacted data is part of this process.
- Obtain legal advice without delay to help with an effective response and to mitigate damage.
- Check the terms of your insurance policy and follow them.