In our alert on 02 March 2022, we looked at some predictions for the effects of the war in Ukraine on cyber-security and GDPR. You can read that blog here https://www.corderycompliance.com/war-effects-on-cybersecurity/. So who is winning? And what has happened so far?
Attacks on the Ukraine
As we said in our earlier alert, at the start of the war a number of groups including the loose Anonymous collective said that they would take steps to try and support Ukraine in light of Russian aggression. Reported attacks so far have included:
- Attacks on the Russian media regulator, Roskomnadzor, including exposing some of the agency’s FSB filings
- An attack on Russian broadcaster VGTRK, exposing 20 years of emails
- Exposing details of Russian army command systems
- Interfering with Russian TV broadcasts
It is reported that individual Russian citizens have had their details exposed too. The volume of Russian leaked email addresses, according to one report, doubled in March, which was five times more than in January.
Attacks in the Ukraine
According to Microsoft, there have been almost 40 attacks reported against Ukrainian assets as at the end of April. The attacks have included phishing, misinformation, data theft and the destruction of critical systems. A number of sectors seem to have suffered attacks including nuclear, energy, media, logistics and agriculture.
As well as the attacks on Ukraine itself, we have seen across our desk attacks which are likely to be connected to the war. It seems that phishing groups with Russian connections are still active despite the issues suffered by the REvil and Conti gangs.
We have a new short film looking at the likely impact of the war on cyber-security with Professor Eric Sinrod. You can find out more about the film and watch it on YouTube here https://bit.ly/ukruwar.
What Can You Do to Reduce The Risk?
The risk of organisations being involved in the war is still significant, especially as the chances of Russia taking action against Russian ransomware gangs are slight. Amongst the steps organisations could consider are:
- Training and awareness. As we have said before, make sure that you are raising awareness of the heightened current risk with your employees and sub-contractors.
- Make sure that your cyber-security stance recognises the heightened risk. Patching software remains vitally important. You might want to implement a four-eyes system so that somebody independently verifies that patches have been applied.
- Look at the technical and organisational measures you adopt – that is likely to include multi-factor authentication (MFA), securing any internet-facing systems, running detection systems to look out for attacks both at the perimeter and within your systems, ensuring that you have a good backup strategy and ensuring the availability of audit functionality so that you can revisit your systems if there is a suspicion of an attack.
- Rehearse – breaches are inevitable so preparation is a wise investment. This might include having good lawyers on standby since we know that the initial hours after a breach are crucial in successfully defending claims. This is also likely to include rehearsing a breach, for example with a Cordery Data Breach Academy (see https://www.corderycompliance.com/cordery-data-breach-academy-2-2/).
- Looking in detail at contracts with vendors and other third parties. You will need to look carefully at emphasising your processors’ obligations to let you know immediately if they suspect a possible breach. In our view audit rights are also important – too often organisations are vague about cause and effect and it can take the exercise of audit rights to get proper information.
- You may also want to consider your position on ransomware payments and agree a strategy in advance. We have a more detailed note looking at the ‘To Pay or Not to Pay’ considerations for ransomware here https://bit.ly/ransompay.
- Remember that you’re unlikely to be able to insure this risk away – insurers are tightening up on coverage where ransomware is involved.
- You might also want to consider cyber-security accreditation to look holistically at your employees, systems and procedures. As we said before in our alert about the Tuckers ransomware attack, however (here https://www.corderycompliance.com/law-firm-gdpr-breach-fine/), if you do go down this road, be prepared for any recommendations that are made. It is increasingly difficult to bury bad news.
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785