Cybersecurity from compliance to crisis - With the ever-increasing threat of ransomware and other cybercrime, we offer a bird’s eye view of cybersecurity strategy focused on addressing risks, keeping up with regulatory and compliance issues, and managing a cyber crisis.
In our Deciphering Data Webinar Series, we provide a global perspective of what’s keeping executives awake at night with the world’s threat actors becoming seemingly more sophisticated every day, and give practical guidance on how to address these risks and concerns and prepare companies for challenges ahead.
We share key takeaways from the Not 'If' But 'When': Global Cybersecurity Update that we believe you will find useful. Note that the webinar was held in two time zones but the content and discussions in both sessions are aligned.
- Cyber threat landscape: Recently there has been a shift from theft and fraud to ransomware attacks. While many people think of these issues as information security issues, many of the most common attack vectors, such as compromised credentials, phishing and cloud misconfigurations, come down to mistakes made by individuals within the organization. The identity of threat actors has become blurred and uncertain, and it has become increasingly difficult to differentiate financially motivated attackers from hacktivist or nation state actors.
- Increasing risk due to more sophisticated attackers, COVID-19 and digital transformation: The amounts defrauded have increased substantially with the growing sophistication of threat actors. Higher risks are also compounded by COVID-19, as increased remote working raises vulnerability to attacks. Digital transformation further raises the risk of cyberattacks, as greater leveraging of data enlarges the "attack surface area" available to attackers.
- Cybersecurity affects all elements of an organization, not just the IT department: The increase in cybersecurity incidents globally highlights a continuing problem of inadequate internal controls, not only from a technical standpoint but also from a people standpoint. A lack of data loss prevention tools, unstructured datasets and a lack of effective training across departments can greatly increase a company's cybersecurity risk. Effective, regular and up-to-date training (for both users and the IT team) is essential not only for prevention but also for the response to a cyberattack. Companies should develop cross-functional incident response plans and conduct regular tabletop exercises to plan and prepare for such attacks, as well as mitigate financial risks by taking out cyber insurance policies.
- Preparation is key: Companies should have appropriate security measures and a cross-functional data security incident response plan in place, and take steps to ensure an attack is minimally disruptive and to mitigate risks of future attacks. These steps include segregation of back-up systems and creation of a business continuity plan, as well as the engagement of response providers to create a "break-glass" solution. Companies should also consider the key decision points during pre-attack preparation: PR considerations and their overall position on paying ransoms; regulatory considerations; operational considerations, such as insurance requirements and who will engage with attackers and how; and the law enforcement notification strategy.
- Be aware of regulatory requirements when responding to cybersecurity incidents: Companies should keep in mind the legal and regulatory requirements when adopting security measures, developing their cybersecurity policy and responding to cyberattacks. When conducting investigations, regulators will most likely consider these matters. For instance, when determining whether to pay a ransom, companies must carry out due diligence to ensure that the threat actor is not a sanctioned party. Companies should also work with legal counsel to correspond with law enforcement and regulatory bodies such as data protection authorities and cybersecurity agencies, and be aware of their information sharing and of the cybersecurity statutes that may result in these communications being used in subsequent litigation and/or potential information leakage. Companies may need to meet obligations to notify regulators, enforcement authorities, customers and individuals, and there are often timing requirements associated with these, which vary by jurisdiction and type of company affected. Acting in a coordinated way is critical in these circumstances.