A simple truth: most cybersecurity problems will ultimately end up on a lawyer’s desk.
Given this reality – and to make these problems ultimately more manageable – counsel does well to encourage and assist their clients with proper incident response planning. While this often feels overwhelming, it is a critical tool and providing this advice isn’t as daunting as it might appear.
Setting the Foundation
As a First Step, it helps to understand the evolving nature of the threat we all face; also known as the Threat Landscape. Understanding the threat landscape involves understanding both where your clients are likely to be attacked, also called the attack vectors, and how those attacks occur.
Hint: It isn’t what you think
Traditionally, many people think of “personal data” theft when considering attack vectors. Yes, personal data theft is an ongoing reality and often garners headlines, but, it’s not the most likely attack vector. When your client suffers an attack, it will likely be one – or a combination of- Business Email Compromise (BEC), Ransomware, or Access Attacks. While data theft may occur as an ancillary attack, it is increasingly a dessert, not the main course.
This reality, unfortunately, dramatically broadens the target population. Every business has email and likely uses email to facilitate funds transfers (e.g., Accounts Payable, Accounts Receivable). Every company utilizes automated processes to perform daily functions. Be it accounting, sales, or running equipment on the factory floor, Ransomware freezes all of these processes. A ransomware attack has the capability to freeze all of these processes. And virtually every business is part of a supply chain, and thus a target for access attacks; in an attacker’s eyes, to whom your client is connected may be way more valuable than any other asset your client possesses. The Cybersecurity & Infrastructure Security Agency (CISA) has published several “Shields Up” notices related to supply chain risks that enable threat actors to capitalize on the access that vendors have.
But wait, there’s more.
Moreover, most current attack scenarios, or “kill chains,” do not commence with intentionally targeting a particular business. Instead, attackers spread the seeds of an attack, perhaps through Phishing, corrupted websites, or credential stuffing attacks, waiting to see what seeds sprout. It’s helpful to think about modern attacks like the common cold: the virus didn’t wake up on Monday and decide to attack you. You were just in the wrong place at the wrong time. And now you are sick.
The fallout from attack vectors can be far-reaching and, ultimately, lead to potential legal problems. For example, who is legally responsible when a $50,000 invoice payment ends up in the attacker’s hands? Are missed delivery dates due to a ransomware attack a force majeure event? Did your client’s security comport with the contractual promises made to its customer? Is your client liable when their systems were compromised and then used as a conduit for mass attacks up or down the supply chain? And, which of the ever-growing array of statutory cybersecurity obligations did your client potentially fail? No matter the vector, the result of an attack will ultimately lead to potential legal problems.
Hopefully, these thoughts help you better understand the scope of the problem. In a future segment, we will outline the key elements of the planning process, which if done correctly, can greatly facilitate your client’s resilience when the dark day comes.