Understanding the cyber-security risks to a business, and being part of the preparation and prevention activities, are an opportunity to be seen as a leading trusted adviser for your executive, says one award-winning in-house counsel.
Multinational consulting and professional services firm Accenture has released its 2021 Cyber Threat Intelligence Report, which highlights threat trends in the operational technology landscape.
Following analysis of the first half of this year, Accenture identified four trends that are impacting upon the information technology (IT) and operational technology (OT) environment: ransomware actors are testing new extortion methods, Cobalt Strike is on the rise, commodity malware can invade OT from IT space, and dark web actors are challenging IT and OT networks.
Reflecting on the findings in conversation with Lawyers Weekly, Accenture Security cyber security global legal counsel Annie Haggar, who won the TMT Lawyer of the Year category at the 2021 Corporate Counsel Awards, said that general counsel and chief legal officers have to be alert to the risks of ransomware attacks on their businesses, noting that it is not a matter of if, but when, one will face a ransomware attack.
“Ransomware attacks don’t just happen to companies with bad security. All it takes is a single slip-up. Companies need to defend against tens of thousands of different attack scenarios, the attackers only need one weakness to achieve their objectives. The odds are stacked in their favour,” she warned.
“All businesses are vulnerable, but now businesses who run operational technology (OT) face risks not just against their IT systems, but against their OT systems and Internet of Things (IoT) devices as well.”
It isn’t, Ms Haggar continued, simply about losing data.
“Ransomware operators are looking to disrupt business. Taking a business offline, such as disrupting or shutting down their production, can place so much pressure on the businesses that they feel they have no option but to pay ransoms. Even if the attack doesn’t actually touch the OT systems, businesses may need to shut down production to protect the OT if they are under an IT based ransomware attack,” she outlined.
“One of the biggest things happening now however is the data exfiltration. Attackers are moving away from hybrid attacks (where they exfiltrate data and then encrypt machines) to just doing data exfiltration without bothering to encrypt. They know that the risk of having your data published is often threat enough to extort a ransomware payment.”
GCs need to be part of the preparation and prevention steps their organisation has in place, Ms Haggar posited.
“They should be asking questions of the IT and security teams to ensure that the company is doing all it can to prepare and protect its systems and its business,” she said.
“GCs need to be part of ransomware scenario planning and tabletop exercises so that they know what to do when an attack comes.”
Further, they should be preparing for how best to brief and support the executive.
“What advice will you be giving them on whether or not to pay the ransom? What information would you need to have to provide that advice? What do you need to tell the regulators – even when you have nothing to tell them? Have communications plans to regulators as well as the public for different scenarios and milestones at the ready,” she noted.
Next, GCs and CLOs have to get their “team in place”, Ms Haggar advised.
“This includes ensuring you have a breach coach (specialised legal adviser) in place and ready to advise you. Get your Incident Response provider in place. You don’t want to be negotiating contracts when your systems are being ransomed and your business is shut down. Also think about burst capacity and having the right providers (or T&Cs with existing providers) so you can bring in specialist expertise to help you respond and recover,” she suggested.
Additionally, team leaders should be upskilling across the board, and “getting advice on the challenges facing your industry specifically. Understand what threat actors might identify as your business’s weak-points – and how they might exploit them and put pressure on your business to pay a ransom”.
“Also keeping an eye on trends, what are the threat actors doing now? Threat actors are constantly changing their tradecraft to maintain their edge so you need to too,” she added.
Elsewhere, GCs and CLOs have to be working with IT and security to understand the technical weak points and plan for business continuity, Ms Haggar said.
“Also, understand what backup solutions you have in place and how they are protected from an attack. Do the IT teams know how they will recover your systems from backup when the backups are compromised and you’re restoring into a network that is compromised and the threat actor still has control of?” she said.
Finally, legal team leaders have to work with HR and training to ensure their people are being trained on how to identify phishing attacks.
“They are one major way ransomware can get into your system, so they also need to be trained on how to be your primary method of defence. However, phishing is not the only (or main) mechanism for entry of ransomware. Network vulnerabilities are,” she posited.
“Make sure your business has constant IT scanning of the network perimeter daily and teams are patching any serious security vulnerabilities as a number one priority.”
When asked whether any opportunities are arising for GCs and CLOs in response to such trends, Ms Haggar said: “Understanding the cybersecurity risks to a business, and being part of the preparation and prevention activities, is an opportunity seen as a leading trusted adviser for your executive.
“It’s also an opportunity to be ready for when, not if, your business is targeted.”
Legal team leaders can grasp such opportunities, she said, by upskilling and leading from the front.
“Sign up for some of the cybersecurity awareness sessions being run. This will help you to ‘learn the lingo’ and identify what the key risks and vulnerabilities are likely to be for your industry and your business,” she said.
“Be the one to propose simulating a ransomware attack and what the organisation would do to respond and be ready with how the GC would help coordinate and advise the executive.”