In 2021 there were 40,000 cyber attacks per day, 125% more than in the previous year, according to the security solutions company Datos101. While the number of cyber attacks has been rising in recent years, experts point to certain factors, such as the pandemic and widespread teleworking, as contributing to the exponential growth in 2021. Now, in the midst of the war between Russia and Ukraine, the threat has increased once more, prompting the Spanish Defense Minister, Margarita Robles, to announce several weeks ago that the cyber attack alert level was being raised to 3, five being the highest.
Prevention is the best strategy against the threat of cyber attacks, and this is where lawyers have a fundamental role to play, specifically in the adjustment of organizations to the protective regulatory framework. More than 50 rules are contained in the Code of Cybersecurity Law, structured in eight major sections, including national security, critical infrastructure and data protection.
These regulations are directed primarily at the public administration and its suppliers, critical infrastructure and essential services, as Jesús Yáñez, cybersecurity partner at tech and communications company ECIJA, points out, as it is these entities which, in response to the sanctions imposed on Russia, have become the main targets.
Since the invasion of Ukraine began, critical infrastructure companies such as Iberdrola, public entities such as the National Police and the Tax Agency, and technology companies such as Microsoft and Apple, as well as the vast majority of Spanish banks (BBVA, Santander, CaixaBank, Sabadell, Liberbank), have been subjected to this type of attack.
However, they are not the only targets of cybercrime. Cyber attacks continue to occur on a significant scale in all types of companies, from SMEs to multinationals. “In Russia, there are organizations that take advantage of any conflict to step up cyber attacks,” explains Cristina Cajigos, account executive at Grupo Paradell Technologies, a consulting firm specializing in digital and corporate risk. As for the underlying motive for a cyber attack, Yáñez admits that it can be tremendously varied, “from an economic ransom to gaining access to secret information, to an act of revenge by a former employee who knows that the security measures of his former company are minimal.”
An increasing number of companies now have a cybersecurity compliance program, through which risks and vulnerable areas are identified and the likelihood of a cyber attack assessed, as Natalia Martos, founder of Legal Army, explains. “Tests are carried out, controls are installed and their effectiveness verified,” she says. “A repository of evidence is created and measures to mitigate risk are generated.”
It is a control strategy that also involves evaluating the company’s technology suppliers in terms of security, and even demanding effective measures from them, as Yáñez points out. “It is necessary to negotiate with them,” he says. “Negotiations are not easy, but necessary. This will not only help to avoid possible breaches, but will also serve to demonstrate commitment and diligence in this area.”
Employees must also be made aware of risks and trained accordingly. “Ninety percent of cyber attacks in SMEs are due to human responses, which are strongly linked to a lack of awareness and the working environment,” says Cajigos. The most frequent type involves the user being fooled into believing they are entering their access credentials on legitimate sites, according to Yáñez. These are cases of impersonation of a company or of its representatives, with the aim of defrauding third parties and obtaining an economic benefit. “One of the most common is the falsification of invoices, with the account number where payment should be made being changed,” says Jesús Iglesias, partner at Clyde & Co.
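The invoice falsification Iglesias describes is usually caught not by the employee reading the e-mail but by a control in accounts payable that compares the account on the invoice with the account agreed when the supplier was onboarded. The following is an added example of such a control, not code from the article or from any of the firms quoted in it: the vendor names, invoice numbers and IBANs are constructed sample data (the IBANs are the published registry examples, not real accounts), and the hold/pay decision and its reasons are assumptions about how an accounts-payable workflow would consume the result.

```python
"""Hold supplier invoices whose payment account does not match the vendor master.

Added example; vendor data, invoices and IBANs below are constructed.
"""
from dataclasses import dataclass
import re

# Constructed vendor master: the account agreed when each supplier was onboarded.
VENDOR_MASTER = {
    "ACME Suministros SL": "ES9121000418450200051332",
    "Nordic Parts AB": "DE89370400440532013000",
}


@dataclass
class Invoice:
    vendor: str
    number: str
    amount_eur: float
    iban: str  # account printed on the invoice or given in the covering e-mail


def normalize_iban(iban: str) -> str:
    """Strip spaces and upper-case, so formatting differences do not mask a match."""
    return re.sub(r"\s+", "", iban).upper()


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check. This catches typos, not fraud: the replacement
    account on a falsified invoice is normally a perfectly valid IBAN."""
    s = normalize_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]  # move country code and check digits to the end
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(numeric) % 97 == 1


def review_invoice(inv: Invoice, master: dict = VENDOR_MASTER) -> dict:
    """Return {'decision': 'pay' | 'hold', 'reasons': [...]}.

    A 'hold' means accounts payable must confirm the account through a contact
    already on file from onboarding, never through the phone number or e-mail
    address printed on the suspicious invoice itself.
    """
    reasons = []
    on_file = master.get(inv.vendor)
    if on_file is None:
        reasons.append("vendor not in master data")
    if not iban_checksum_ok(inv.iban):
        reasons.append("IBAN fails checksum")
    if on_file is not None:
        given, known = normalize_iban(inv.iban), normalize_iban(on_file)
        if given != known:
            reasons.append("payment account differs from vendor master")
            if given[:2] != known[:2]:
                reasons.append("account is in a different country than the one on file")
    return {"decision": "hold" if reasons else "pay", "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample: one genuine invoice, one with a swapped account,
    # one with a mistyped account.
    sample = [
        Invoice("ACME Suministros SL", "F-2022-0341", 4850.00, "ES91 2100 0418 4502 0005 1332"),
        Invoice("ACME Suministros SL", "F-2022-0342", 12300.00, "DE89 3704 0044 0532 0130 00"),
        Invoice("Nordic Parts AB", "NP-7781", 990.00, "DE89 3704 0044 0532 0130 01"),
    ]
    for inv in sample:
        print(inv.number, review_invoice(inv))
```

The design point is that the checksum and the master-data comparison answer different questions: a failed checksum is almost always a typo, whereas a well-formed account that simply differs from the one on file is exactly what a falsified invoice looks like, so that case is routed to out-of-band verification rather than rejected or paid automatically.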
Companies whose identities are impersonated “suffer terrible consequences, as their clients are often the target of theft and extortion which, initially, might appear to be their responsibility,” says Martos, who recommends that an entity that has fallen victim to a cyber attack should record all the details of the attack and immediately contact the specialized units of the State Security Forces and Corps, who will contain it and, ultimately, after a forensic investigation, try to find out who is behind it. “This is really complex due to the lack of traceability in the cyber world,” she acknowledges.
Meanwhile, Cajigos adds that to reduce the impact, victims should try to detect the origin of the attack and inform the Data Protection Agency in the event of losing critical data. That said, she insists that prevention is the best policy. “If you prime the infrastructure for intrusion detection, have decentralized backups of critical data, a disaster recovery plan and a business continuity plan, the impact will be greatly reduced,” she explains.
Taking out cyber-risk insurance, according to Iglesias, “helps companies to respond to and adequately manage a cyber attack, reducing the financial, legal and reputational damage it can cause.” Such insurance policies usually include incident response management services while providing access to an array of different providers, such as technicians, legal advisors, and public relations firms, who will intervene if the need arises. They also typically cover administrative fines that may be imposed by data protection authorities, reimbursement of ransom payments in the event of cyber extortion, and any potential civil liability arising from the attack.