What is Ransomware?
Ransomware is a type of malware which can lock companies or state bodies out of their data systems, steal sensitive data, and then ransom it back for an extortionate price.
The bodies and organisations at the greatest risk of ransomware attacks are government organisations, law firms, and companies operating in the health sector. This is due to the nature of their work and the sensitive information they handle. However, there are certain pre-emptive measures an organisation can take to protect against an attack.
What are the Most Effective Measures for Protection Against Ransomware Attacks?
The National Cyber Security Centre UK (NCSC) was set up in 2016 to secure government networks and provide guidance for organizations and individuals to protect their own data systems. The NCSC recommends a ‘defence-in-depth’ strategy to prevent ransomware attacks. Following a pre-emptive approach, the strategy recommends several measures to prevent an attack from locking an organisation out of its data systems. Some of the precautionary measures include:
- Making regular back-ups to all data files and ensuring they are stored securely offline.
- Conducting regular security updates and maintenance of security systems.
- Introducing cyber hygiene (digital handwashing) practices into daily routines.
- Cyber security training and awareness of ransomware technology for employees to help prevent an attack and speed up reaction times if an attack occurs.
However, given the rapid development of ransomware software and the innovative techniques used to infiltrate an organization, sometimes these protections are either not up-to-date, or simply not developed enough to protect against an attack.
Keeping security systems up to date to deal with these developing threats is costly, time consuming, and not always possible. The ever-growing cryptocurrency market also makes collecting a ransom a lot easier and more financially viable for the attackers. But what are the actual consequences of an attack, and what can an organization do if it is the victim?
What Are the Consequences of a Ransomware Attack?
Once a data breach occurs, it can affect the share price of a company. The FBI issued a private industry notification report in November 2021, which stated that one of the ways in which attackers pick their victims is based on upcoming events which can affect stock value. This is particularly important for law firms, which can be involved in public mergers, litigation, and acquisitions.
An attack can have a severe impact on profit margins. For example, KP Snacks were recently the victims of a ransomware attack (not the snacks!). This caused significant disruption to the company’s supply chain and day-to-day operations. Ransomware can also be particularly damaging for SMEs and smaller law firms as they might not be able to recover as quickly as larger organizations. Companies owe their customers a legal duty of care, meaning that they may be subject to fines for breach of data protection rights and publication of confidential information. These fines can add to the (already) enormous cost of upgrading security systems.
One of the greatest consequences of a ransomware attack which is not as commonly discussed is the public humiliation and assassination of a company’s reputation. Understandably, data breaches can affect client confidence – a particularly damaging consequence for law firms where trust plays a crucial role between clients and lawyers.
So, what can a company do once a ransomware attack takes place?
What Should a Company Do When an Attack Takes Place?
Prevention is certainly better than cure, but given the rapid development of technology, often the cure is the only realistic recourse available once a breach has taken place. Realistically, an organization needs to have a solid reactive plan in place to mitigate any damages that may occur and reassure employees and clients.
A swift and effective public relations team and strategy could be critical in saving the reputation and finances of a company. It can also reassure clients that every effort is being made to protect their sensitive information and that such an attack will not happen again.
One of the main questions in relation to a breach is: should the ransom be paid? The UK’s National Cyber Security Centre warns that paying a ransom does not guarantee access to one’s computer or files. Ransomware attacks are often motivated by financial gain, and therefore paying the ransom can motivate attackers to target similar companies. Refusing to pay a ransom can devalue the criminal business model for ransomware attacks, making them less attractive to cyber criminals.
International Response to Ransomware
Ransomware is an international threat. The growing internet of things (Alexa, back up all files!) also creates more entry points for infiltration. Preventative and reactive measures are particularly important for organizations which deal with personal data or other sensitive information such as trade secrets, as once this information is made available on the international market, it loses all value.
The UK Government has been taking the initiative for ransomware protection since the WannaCry virus attack on the National Health Service (NHS) in 2017. In fact, the government published a national policy paper on the 7th of February 2022 pledging £2.6 billion in the National Cyber Strategy 2022. This aims to implement a secure infrastructure that is practicable and flexible to protect against and mitigate damages from ransomware attacks.
In 2022 the UK, US, and Australia created a Joint Advisory composed of cyber security authorities from each jurisdiction to monitor trends with ransomware attacks and offer recommendations to mitigate damages. This could be incredibly helpful to law firms and other companies to identify rising trends in ransomware and install protective measures to prevent attacks from specific groups.
These investments are all very promising; however, the reality is that most organizations are still not adequately protected against ransomware attacks. In November 2021, the Department for Digital, Culture, Media and Sport in the UK conducted a policy survey which showed that only 12% of organisations review cyber security risks from immediate suppliers and only 5% review risks in their wider supply chain.
What Does the Future Hold?
The threat and danger of ransomware is evident, especially for lawyers who owe a fiduciary duty to their clients. However, research and review alone, without effective implementation of and compliance with security strategies, is simply not enough to tackle this threat. The emphasis on pre-emptive measures is important, but legislators and governments can take an incredibly long time to finalise legislation and put in place an effective legal infrastructure which is both flexible and practicable.
From providing regular security training to creating a robust security infrastructure that is user friendly and flexible, there is a myriad of ways to protect against and respond to a cyber attack. Perhaps the most effective way to tackle this threat would be to focus on specific victim protection for organizations that are more likely to be targeted, such as law firms and government bodies, rather than on criminal prosecution. If the victim is adequately protected, an attack cannot take place and the crime is no longer lucrative to the criminal. Removing the opportunity could remove the threat entirely.
This article was written by Christina Hynes. Christina is an LLB and LLM graduate of NUI Galway. She is particularly interested in Intellectual Property, Data Protection, and Tort Law. She has also taught Tort Law and the Development of Legal History at NUI Galway.