James McGachie: Cyber resilience must go from static to dynamic
Several recent well-documented cases of ransomware – malicious software used by criminals to encrypt information until a ransom is paid – highlight a growing danger to both private and public sector organisations, writes James McGachie.
Research by the National Cyber Security Centre shows there were three times as many ransomware attacks in the first quarter of 2021 as in the whole of 2019. The threat is becoming increasingly acute, and cyber resilience is now a key priority in boardrooms.
These risks were highlighted in the Auditor General for Scotland’s report on the cyberattack suffered by Scotland’s environmental agency, SEPA, on Christmas Eve 2020. Employees and customers were unable to access SEPA’s systems and data because malicious software had been installed after an adversary gained access. The ransom was not paid, and the majority of SEPA’s data remained encrypted, stolen or lost. Accounting records had to be recreated from bank statements and HMRC records, leaving auditors unable to fully examine SEPA’s finances, including £42 million of contract income.
Whilst independent analysis found SEPA had a high level of cyber maturity, the Auditor General noted that business continuity plans and incident response playbooks could not be accessed after the attack. Only a limited number of personnel could reach hard copies because of Covid restrictions; had staff not already been familiar with the continuity plans and processes, SEPA’s response may have been hindered.
Such incidents demonstrate the need to ensure cyber resilience is regularly rehearsed, reviewed and ‘health checked’, with internal response plans tested and audited through routine fire drills. Having retained and trusted advisors written into any incident management plan – including forensic, legal and public relations expertise – assists in mounting an early response to any incident. Such action also helps to ensure that any cyber insurance policy in place can be relied upon.
Many ransomware criminals undertake “double extortion”, whereby data is not only encrypted but also stolen and published on the internet if a ransom demand is not met. The associated commercial risks of such actions, together with the potential risks where personal data is implicated (in terms of regulatory intervention by the ICO and claims from affected data subjects), mean that being able to demonstrate robust resilience as a means of mitigation is critical.
Whilst the origin of the SEPA attack remains unknown, human error in responding to a “phishing” email (where an attacker, masquerading as a trusted contact, convinces a victim to open a message containing malicious content or to hand over login credentials) is considered the likely source. Regular refresher training and the implementation of multi-factor authentication (where a digital token is required along with a user password to log in successfully) provide a safety net against such attempts.
Recently, the Scottish Association for Mental Health (SAMH) was subjected to a “sophisticated and criminal cybersecurity attack” for which a known ransomware group claimed responsibility. The targeting of a charity demonstrates that organisations in all sectors must show vigilance and resilience.
The Scottish government’s announcement of the creation of the Scottish Cyber Coordination Centre (SC3), which will pool expertise from organisations such as the UK National Cyber Security Centre and Police Scotland, is a welcome first step. Initially it will assist the public sector in building cyber security capabilities and in establishing how incidents can best be identified, managed and investigated.
The experiences of SEPA and SAMH highlight the difficulties in defending against sophisticated cyberattacks – but being able to demonstrate preparedness when such incidents do arise is essential in the current climate to mount the most robust possible response.
James McGachie is a legal director at DLA Piper. This article first appeared in The Scotsman.