In 2021 there were 40,000 cyberattacks per day, up 125% from the previous year, according to security solutions company Datos101. But while it is true that the number of cyberattacks has been rising in recent years, there are certain factors, such as the pandemic and widespread teleworking, that experts say contributed to the exponential growth in 2021. Now, in the midst of the war between Russia and Ukraine, the threat has increased once more.
Prevention is the best strategy against the threat of cyberattacks, and this is where lawyers have a fundamental role to play, specifically in the adjustment of organizations to the protective regulatory framework.
Since the invasion of Ukraine began, critical infrastructure suppliers such as energy companies, public agencies and technology firms such as Microsoft and Apple, as well as many banks have been subjected to this type of attack.
However, they are not the only targets of cybercrime. Cyberattacks continue to occur on a significant scale in all types of companies, from SMEs to multinationals. “In Russia, there are organizations that take advantage of any conflict to step up cyberattacks,” explains Cristina Cajigos, account executive at Grupo Paradell Technologies, a consulting firm specializing in digital and corporate risk. As for the underlying motive for a cyberattack, Jesús Yáñez, a cybersecurity partner at the law firm ECIJA, admits that it can be tremendously varied, “from economic ransom to gaining access to secret information, to an act of revenge by a former employee who knows that the security measures of his former company are minimal.”
Now an increasing number of companies have a cybersecurity compliance program, through which risks and vulnerable areas are identified and the likelihood of a cyberattack assessed, as Natalia Martos, founder of the law firm Legal Army, explains. “Tests are carried out, controls are installed and their effectiveness verified,” she says. “A repository of evidence is created and measures to mitigate risk are generated.”
It is a control strategy that also involves evaluating the company’s technology suppliers in terms of security, and even demanding effective measures from them, as Yáñez points out. “It is necessary to negotiate with them,” he says. “These negotiations are not easy, but they are necessary. This will not only help to avoid possible breaches, but will also serve to demonstrate commitment and diligence in this area.”
Employees must also be made aware of risks and trained accordingly. “Ninety percent of cyberattacks in SMEs are due to human responses, which are strongly linked to a lack of awareness and the working environment,” says Cajigos. The most frequent involves the user being fooled into believing they are entering their access credentials on legitimate sites, according to Yáñez. These are cases that involve the assumption of corporate identity or the identity of its representatives, with the aim of defrauding third parties and obtaining an economic benefit. “One of the most common is the falsification of invoices, with the account number where payment should be made being changed,” says Jesús Iglesias, a partner at Clyde & Co.
Companies whose identities are assumed “suffer terrible consequences, as their clients are often the target of theft and extortion which, initially, might appear to be their responsibility,” says Martos, who says that the company that has fallen prey to a cyberattack should record all the details of the attack and immediately contact the specialized units of law enforcement to contain it and, ultimately, try to find out who is behind it. “This is really complex due to the lack of traceability in the cyberworld,” she acknowledges.
Meanwhile, Cajigos adds that to reduce the impact, victims should try to detect the origin of the attack and inform the Data Protection Agency in the event of losing critical data. That said, she insists that prevention is the best policy. “If you prime the infrastructure for intrusion detection, have decentralized backups of critical data, a disaster recovery plan and a business continuity plan, the impact will be greatly reduced,” she explains.
Taking out cyber-risk insurance, according to Iglesias, “helps companies to respond to and adequately manage a cyberattack, reducing the financial, legal and reputational damage it can cause.” Such insurance policies usually include incident response management services while providing access to an array of different providers, such as technicians, legal advisors, and public relations firms, who will intervene if the need arises. They also typically cover administrative fines that may be imposed by data protection authorities, reimbursement of ransom payments in the event of cyber extortion, and any potential civil liability arising from the attack.