The ascendancy of the digital age over the past twenty years has entirely changed the way in which businesses operate, but with the recent rise in the number of people working from home, the risk of cyber-attacks is greater than ever before. After more than a year of disruption, boards continue to battle the competing priorities that this period of change has brought. As businesses large and small face more cyberthreats than ever before, we are encouraging board members to consider one such risk to your company.
Ransomware refers to that seemingly innocuous email you may have happily opened, only to discover that it is actually malicious software designed to block access to your computer system until you come up with a ransom. These attacks have always been and will remain a hazard for any business – and it is no longer a question of if you get attacked, but when – the key vulnerability being us humans, especially when we’re working at home.
With the high volume of information stored on computers around the world, these cyberattacks are becoming more prevalent and do not discriminate. The European Network and Information Security Agency (ENISA) has warned that cyberattacks are becoming more sophisticated, targeted, widespread and undetected. There is no doubt that there has been a steady increase in attacks across all industries since the beginning of the COVID-19 pandemic, due to the more ‘relaxed’ attitude and less robust systems that prevail in the home office. In fact, a recent survey published by Databasix indicated that phishing emails had increased by nearly 600% in surveyed companies since the start of February 2020.
Furthermore, a current study published by Ernst & Young (EY) stated that six in 10 organisations surveyed had suffered a material or significant incident in the previous 12 months. The shift to remote-working has demonstrated the holes in cybersecurity systems that have allowed hackers to exploit so many companies. Having a remote workforce places strain on organisational infrastructure, thus increasing the chances of the appropriate security measures being side-stepped. However, it should be noted that even companies with strong prevention strategies can be susceptible to cybersecurity breaches.
“The economic and operational disruption unleashed by the COVID-19 pandemic has notably increased both motivation and opportunity for cyber attackers…” – EY Board Agenda 2021
Why is this important though?
Many would suspect that there is the appropriate software in place to combat such hazards, and assume this software is readily installed on computer systems. However, the same survey published by Databasix stated that 68% of surveyed organisations did not deploy antivirus software on work-issued devices. Such lackadaisical approaches allow hackers to easily access software and essentially hold data files hostage.
It is important for any board to recognise what actions to take if such a cyber-attack occurs, and as hard as it may be, the first step is to refuse to pay a ransom. Agreeing to do so could result in personal details being leaked to the dark web, meaning future hackers will know which individuals are willing to pay up and, in all likelihood, any stolen data is already being hawked to the highest bidder. Oversight of cybersecurity should be a function for the whole board of a business, even if it is delegated to an audit committee or another committee for closer monitoring. The correct protocol is to report the issue directly to the designated cybersecurity team, who will then contact the National Crime Agency (NCA). The NCA will analyse the attack to establish whether it has any links to terrorism. It is critical to point out at this juncture that it is actually illegal to pay a ransom if it is linked to terrorist funding.
“Almost 73% of respondents to the EY EMEIA Board Barometer 2021 said that general crisis prevention measures and business continuity will be extremely relevant to their organisation in 2021…” – EY Board Agenda 2021
Certainly, in an environment that dictates when and not if you are attacked, insurance is seemingly your first line of defence. The broadest insurance cover a board can implement as protection from such attacks is what is known as a ‘high-compliance plus policy’. There may be an element of cyber-protection through a general insurance policy, but if an insurance provider can find a way to not pay a ransom, they will. A cyber-insurance policy is an affirmative policy – meaning it is specific and pays out in these events.
But there are many unanticipated costs associated with a cyber-attack. These include data-breach costs, which consist of the breach itself and everything that goes with it. One such hidden cost is the recovery of data and operations. As soon as ransomware succeeds in infiltrating a system, it replicates and spreads, resulting in more damage as time goes on. The further it spreads, the longer it takes to mitigate. Every device impacted means additional labour costs to rectify the issue. A recent study published by Carbonite and Webroot stated that more than 40% of businesses that suffer ransomware attacks spend over eight labour-hours on remediation efforts.
Surely such an attack will not impact the relationship between a business and its customers, right? Well, this is not the case. Often the reputational harm and diminished brand image can actually exceed the ransomware payment and the operational costs associated with the attack. This is compounded by the apparent decrease in customer loyalty. According to a recent survey conducted by Accenture, 61% of surveyed customers switched some or all of their business from one brand to another in 2020, with a further 77% indicating that they now retract their loyalty more quickly than in the past.
Further hidden costs involved in ransomware attacks include:
- The cost of dealing with the Information Commissioner’s Office (ICO).
- The cost of legal fees.
- The forensic fees.
- Third-party costs (customers, suppliers etc.).
Throughout the last decade, there have been numerous high-profile examples highlighting the impact of ransomware attacks, some of which devastate multiple countries at one time. The global WannaCry outbreak of 2017 is an example of how critical a malware attack can be. The attack impacted over 200,000 computers in over 150 countries, one of the high-profile victims being the NHS. The attack brought hundreds of NHS facilities to a standstill, resulting in the cancellation of thousands of operations and appointments.
It is imperative to understand that ransomware attacks are a serious issue in the workplace today. If there are any doubts about the safety and validity of the technology being used by any business, make sure the firewall software is up to date, report any suspicious calls, notify the IT department of any suspicious emails received, and always err on the side of caution.
For further reading:
Clifford Chance have produced a Ransomware Playbook, a guide to prevention and response, which we thought you might find useful.