say remote working has increased the risk to their IT infrastructure
Research carried out by Opinium in partnership with Bird & Bird found that, in London, three out of five companies (60%) say remote working has increased the risk to their IT infrastructure. Just under half (46%) say there’s been a rise in cyber attacks since March 2020. And more than half (55%) report a significant increase in the number of customers saying they’ve been targeted by online or remote scammers since the pandemic began.
According to Simon Shooter, a Partner at Bird & Bird in London, and head of its international Commercial Group, there’s been an upsurge in activity from all types of cyber attackers.
“At the bottom there’s the younger element, the script kiddies. They’re sitting at home bored, so they’re flexing their muscles. Up the food chain a bit, you have the hacktivists. Again, they’re at home with time on their hands, so there’s an inevitable rise in activity from them.
“Then there’s the cyber criminals. They’re seeing a more target-rich environment because of people working from home, using systems which may be significantly more vulnerable than those in their offices. So we’re seeing a significant bounce in man-in-the-middle attacks where an attacker intercepts messages between two people and modifies them to control the conversation.”
Ransomware is another rapidly growing area, Shooter says, and also one that’s becoming more sophisticated as criminals start to specialise in particular sectors.
“Then at the top end, you have nation-states and mercenary hackers. They might be looking for the details of COVID-19 vaccines or engaging in political activity. There’s a lot of espionage going on, and it’s the area that’s least known about, because if they’re any good, they’re in and out without a trace.”
It’s not just remote working that has made life easier for hackers. In May 2020, McKinsey reported that: “we have vaulted five years forward in consumer and business digital adoption in a matter of around eight weeks.” That acceleration has created new weaknesses, and made old ones more prominent.
Claudio Tataranni is director of Bird & Bird’s consultancy arm OXYGY. He points out that digital transformation of a business automatically makes it more vulnerable to cyber attacks, since it joins up all the company’s data and increases its reliance on digital systems.
“Companies increasingly work in networks, so supply chain security is becoming increasingly important,” he says. “A cyber attack might target a big corporate, but the hackers might find it easier to attack that corporate’s suppliers and then move through the network to the corporate.
“The internet of things is also closely connected to cyber security. There are lots of devices now that communicate inside companies, but also between companies. They could all be targets for a cyber attack.”
Any new technology will introduce new problems. Tataranni gives the example of artificial intelligence, perhaps the biggest new technology of all.
“AI can be used to protect us; we can use algorithms to stop an attack. But it can also be used by malicious people to make their attacks more sophisticated, because they can adapt to the responses of the company.”
The good news is that IT departments are getting better at making remote networks more secure. The bad news is that most hacks don’t start with technology. They start with the human element, and remote working has exposed just as many human vulnerabilities as it has network security issues.
“Everyone’s getting more invitations to video conferences in their inboxes, and there’s also been an explosion of e-signature platforms, so you’ve got the threat of employees inadvertently clicking on all manner of communications,” explains Dave King, CEO of Digitalis, a specialist digital risk and online reputation management company. “Hackers will exploit this, so we see an increasing volume of both generic phishing attacks with links to malware, and also of sophisticated bespoke attacks.”
So the advice is not to ask whether your company will be attacked, but when. The problem is that most companies still think of cyber security as an IT issue.
“When I talk to clients about cyber security, the only people I meet are the IT team,” Shooter says. “I rarely even meet old-style security. But companies need a holistic approach to security; you’re only as secure as your leakiest point.”
This point could be anywhere. It could be a phishing email that someone clicks on without thinking; it could be a USB stick left in a car in the company car park. As Shooter points out, remote working means that most of London’s offices are now running on a skeleton staff who may not be aware of current security procedures and may not know who’s supposed to be coming and going. All these things create points of vulnerability.
So the first thing a company’s board needs to ask is what changes have been made to security arrangements since the pandemic started.
“The board should ask for an analysis of whether the company is more at-risk, and what’s been done to address that; a programme for the connectivity of the remote workforce; and an educated analysis of the company’s cyber insurances…They should also ask about what’s been done to educate the company’s staff about the risks.”
Simon Shooter, partner at Bird & Bird
Ultimately though, change in terms of understanding and addressing the human vulnerabilities has got to be led by the CEO.
“What we say to the chief executive is, carry on investing in hardware and software, carry on backing your CTO and your CIO,” King says. “But if you don’t invest in mitigating the human vulnerabilities, you may as well cut off their budget completely, because there’s no point.”
Investment in this human side of cyber security needs to cover a number of areas. Staff need to be trained in security awareness, making sure they understand that security is everyone’s responsibility. As David White, founder of governance, risk and compliance framework Esorma points out, one sign that the message is getting through is that you’ll start getting more security alerts.
Another thing to do straight away, White says, is to think about who has access to what data.
“Most companies have access control systems in place, so this is a no-cost fix,” he explains. “It’s important to restrict access to sensitive data – weird things can happen when inappropriate people have access to data. Equally, it’s important not to over-restrict access, because that leads to people finding workarounds, which are basically well-intentioned cyber breaches, and can be exploited if staff become disenfranchised.”
Something else that should be done immediately, according to King, is to examine what’s called the company’s “attack surface”; the sum of potential entry points for an attacker.
“An attacker will look at a CEO, at his secretary, his wife and his kids, to see what’s out there, buried away in the deep web, that they can piece together and use in an attack,” King explains.
“If you know all that, you can talk to people about mitigating it. You can make those social platforms private, you can remove things that give away too much information. It should be standard operating procedure for a board now to run an attack audit to understand what’s out there.”
“That also has secondary benefits. It flags what’s out there that could cause reputational damage. And it can help with physical security, because these same techniques are used increasingly by criminals in the physical world to engineer burglaries or, in other territories, kidnappings.”
White recommends another way of bridging the gap between the technological and human aspects of cyber security that can be put in place quickly– a business continuity and disaster recovery plan.
“People work in silos,” he says. “an IT team tends not to communicate outside their own department. But if you start creating a business continuity plan, you’re not talking about IT anymore. You’re automatically talking to the rest of the business and bringing security into their silo.
“In the process of business continuity, you identify the absolute key assets of the business which must be looked after come what may, and you work out how to protect them. But businesses are always changing because customers’ needs change. So does what needed protecting still need protecting? Or do you need to protect it in different ways today? You need to have six-monthly rehearsals of things going wrong to see if your plan still works.”
Dave King, CEO at Digitalis
All this may sound obvious, but 2019 research by tech services provider Probrand found that a quarter of UK SMEs don’t have a business continuity plan, and half of the ones that do don’t test it regularly.
Shooter gives the example of recent work with a small investment bank on its cyber resilience programme. This included reviewing and revising response plans; preparing guides addressing matters such as financial regulatory compliance, HR and data privacy in the context of an incident; establishing a 24/7 manned emergency response line; and conducting training and engaging in simulation exercises.
“All of this leads to the client being able to demonstrate compliance with its regulator’s requirements,” he says. “Just as importantly, it means the client is not only better protected from an attack, but also match-fit to deal with an incident should one occur.”
The other thing that company management should be aware of is how legislation and regulation around cyber security are changing. Even though Brexit is now “done”, EU laws and directives still apply to companies from non-EU countries (now including the UK) that make their services available in the EU. Bird & Bird’s Shooter warns that the Network and Information Services Directive (NIS) directive is due a major shake up under the EU Cyber security strategy for the Digital Decade. The proposal for a directive on measures for a high common level of cyber security across the EU – known as NIS 2 – was presented in December 2020, with the feedback period due to close on 18 March this year.
“We’ve got to be aware that EU and UK rules on data transfer need to marry up, or we’re making life very hard for ourselves,” Shooter says. “The UK is currently fully in-sync with Europe, so it’ll be interesting to see if we keep in step and amend the NIS Regulations.”
In addition, the EU Cyber Security Act came into force on 27 June 2020, strengthening the EU’s cyber security agency Enisa and setting up a Europe-wide cyber security certification framework for ICT products, processes and services. The UK is considering its own legislation or code of practice for smart devices and, Shooter says, we can expect this to replicate what exists in the EU. He warns that manufacturers and vendors of relevant devices should keep themselves appraised of EUCA developments as these may affect the saleability of their products.
“Compliance teams should keep an eye on all this, and aim to bring compliance in early. It’s always harder and more expensive to do so when you’ve got a gun to your head,” he says.
“Greater, more focused regulation brings compliance obligations and that’s the domain of the lawyer. Devising, implementing, monitoring and adjusting compliance programmes is the stock-in-trade for lawyers like us. You should engage external legal expertise as soon as the regulatory compliance requirement clock begins to tick.”
Companies can do a lot to avoid and mitigate cyber attacks, but sooner or later they’re going to get hit. If it’s a ransomware attack, many companies find it’s cheaper and easier to pay up than try to restart the business, Shooter says.
“It’s only illegal to pay a ransom if the money is going to a proscribed organisation, such as a terrorist group, but it’s rare that you’ll know if that’s the case” he says. “It’s also often covered by insurance, but companies should check their policy. It won’t be covered if the payment is illegal.”
Shooter explains that once they’ve paid up, companies usually get their data back, or the key they need to unlock it. After that you tend not to get hit by the same attacker again, he says. But he warns that, somewhere on the dark web, you’ll be identified to other criminals as having paid. That usually means hiring a forensic cyber security expert to review your security and close any loopholes.
Addressing the consequences of an attack is another area where companies should seek specialist legal help, Shooter says.
“This is increasingly a legal matter. There’s the possibility of regulatory investigation; group actions on behalf of data-owners affected by an attack; and consequence-based litigation, for example if someone’s trusted you with confidential data and that’s been stolen in an attack, they could sue. Dealing with all this is technical and can be complex and it often demands expertise that isn’t available in house.”
Businesses response to the COVID-19 pandemic has given cyber attackers of all kinds of new vulnerabilities to exploit, and lots more time to exploit them. With lockdowns likely to continue in various forms for several months, and with people likely to choose to work from home for much longer after that, companies need to change the way they think about cyber security.
“An IT manager or even a board director might see security as a project that has a beginning and an end, but in fact security is a program,” White warns.
Shooter agrees.
“It’s an endless arms race between hacker and defender,” he says. “As defenders you’re usually slightly behind, but if you can keep things in check it can be made tolerable.”
