As digitization advances in all aspects of life, so does cybercrime. Many legal departments are in the process of digitally transforming their business, making them particularly vulnerable to digital threats. Cybercrime causes annual damage of around € 223 billion in Germany alone. This amount has more than doubled since 2019. Despite the pressing threat of data theft and espionage, many companies have yet to implement an IT and cybersecurity strategy to prevent data loss, especially where sensitive data is usually found: in legal departments.
Cybercrime is a widespread global phenomenon; it targets computer systems and networks using the most advanced information technologies. The two most common types of cybercrime are cyber espionage and cyberterrorism. In cybercrime, unauthorized users attempt to access sensitive or confidential data or intellectual property for economic gain, competitive advantage, or political reasons. Cyberterrorism occurs when a criminal attack is used to aid in or execute terrorist attacks.
Legal departments face a higher risk than ever
While digitizing legal data is necessary for a wide range of reasons, new challenges emerge given the new locations where this information is being stored. Legal departments face a higher risk than ever of being targeted by the growing variety of cybercriminal motivations in an evolving cybercrime industry. This concerns the legal departments of the private and public sectors, as well as non-governmental organizations, to the same extent. Rather than only physically protecting paper files from being stolen or destroyed through fire protection measures or controlled file access and documentation, safeguards must now be adapted and upgraded to the digital working environment. Neglecting to appropriately protect legal data—including data in outsourced databases or legal services—can put a whole company at risk, as legal data is among the most sensitive data a company has.
Reasons and motivations for cybercrime and data theft
The reasons and motivations for cybercrime and data theft are manifold. For example, a hacktivist with ideological intentions might try to harm a company due to its overall purpose or specific actions, such as perceived environmental, societal, or political violations. Others may aim at simply obtaining large sums through bribery or profiting from dropping stock prices due to scandals or insider information. A competitor may aim at specific information as a means of espionage about new and disruptive technology or strategic innovations.
One might think that only large corporations are the target of cybercrime. However, SMEs are equally under attack nowadays. Studies suggest that larger corporations usually are better protected due to larger budgets and higher risk-awareness, whereas SMEs less often have preventive measures or a predefined plan of action in place for the event of an attack. Overall, whether large or small, there is urgent reason for any company to set up or improve their cybersecurity strategies to adapt to the increasingly sophisticated cybercrime industry.
To define which measures should be taken to protect your data and processes, first take a look at the common ways of accessing data illegally. Data could, for example, be encrypted by special malware, making it inaccessible to the owner. This leads to an inability to continue working with the data, which can have a significant impact on legal processes, such as missing court deadlines or loss of legal documents. Another common type of cybercrime is “spoofing”, where the attacker pretends to be someone within the department and sends emails requesting passwords or data. It is also common to experience a mix of methods when becoming a victim of an attack. Many attacks include extorting a ransom from the company by threatening to publish or further restrict access to stolen information.
Legal departments are at particular risk, as oftentimes re-accessing the stolen data is not enough to repair the damage. Even if a ransom is paid and data access is fully restored, which also is not always possible, there is no guarantee that the sensitive legal data cannot be used against the company in the future as copies can easily be made. Be it patents, customer data, financial data, market and competitor analyses, contract data, non-disclosure agreements or information about company acquisitions: losing them creates irreversible damage to the business and its stakeholders.
Paying a ransom?
This also leads to the question of whether paying a ransom in such a situation is advisable. Many experts are convinced that it is not safe to expect that cooperating with attackers will lead to a problem-free restoration of data access. Instead, the entire IT infrastructure often needs to be checked and rebuilt to avoid keeping infected software components. Also, the possibility of a criminal insider within the company cannot always be ruled out. On top of that, it is not completely certain whether paying a ransom puts companies in a grey area, legally speaking. Studies show that of all the companies in a sample that were attacked before (72% of all respondents), only half were able to restore their data and get their systems running again. Three quarters of the attacked companies in the study did pay the demanded ransom, and 25% of companies experienced both irreversible data loss and financial damage.
Due to the digital nature of cyberattacks, it is difficult to trace attacks back to the origin and, therefore, back to the person or organization that executed the attack. Often, cybercriminals are organized (semi-)professionals, which makes exposing the source and closing leaks even harder. Worst of all, many attacks go unnoticed at first, creating a time advantage for the attacker(s). As such, the chances of successfully tracing an attack and pursuing it at a legal level are currently only at around 30%. In addition, most companies struggle to regain their reputation after an attack, leading to a potential loss of future revenues, while at the same time needing large amounts to pay for third-party damage claims, if not well insured. In the future, companies with negligent IT security may even be partly held responsible for data loss due to cyberattacks. Consequently, it will not be sufficient to only react in the event of an attack. Instead, it will be essential to proactively invest time and resources to implement a thorough cybersecurity risk management strategy to protect your business from experiencing serious and lasting damage.
Several options to protect against cybercrime
Companies have several options to protect themselves against cybercrime or lower the overall damage in case of an attack. Contrary to the common belief that cybersecurity is something that only affects the IT department, the largest risks to the security of a company are its employees. Training all employees to detect emails containing malware reduces the risk of letting malware into a system to a significant extent. Therefore, the first step towards more security is raising awareness of it across the company. Other measures that may help prevent attacks can be:
- Establishing password policies, mandating the use of complex passwords and two-factor-authentication
- Implementing antivirus and anti-spam software
- Storing backups on physically separated devices and testing system restoration only with them
- Securing networks by using firewalls, blocking illegal attempts at network connections, and network analyzers, detecting any unusual network traffic, which may be an indication of a cyberattack
- Implementing intrusion detection and prevention systems, security information and event management solutions, as well as vulnerability scanners to continuously scan networks and systems for indicators of an upcoming attack. Logs may show:
  - Unknown scanners have been secretly used to check the systems’ vulnerabilities without the IT department’s knowledge
  - Antivirus software may have been turned off or new accounts have been created without the IT department’s knowledge
  - Weaknesses in the systems that correspond to ones newly identified by IT experts or the government
Generally, it is important to have an incident response plan and implement it in case of an attack, outlining what measures need to be taken right away to reduce damage to a minimum and keep the most important business areas running. Companies with incident response plans will be more successful in mitigating consequential damage in the event of a cyberattack.
As SMEs in particular may not have the time or expertise to set up a cybersecurity risk management strategy as described, seeking support from external experts in advance and in the event of an attack may be a reasonable option. On top of that, making sure that someone with good knowledge of the company’s IT system is available and part of the incident response team can also reduce the response time and, potentially, the damage. When detecting an actual cyberattack in your system, the following steps may help:
- Inform general management and activate the incident response team
- Immediately inform local police authorities and report the case to the federal authorities, as required
- Disconnect the affected devices from the rest of the networks, if possible
- Make backups of the devices that are affected to collect evidence, if this does not interfere with containing the spread of the virus
- Manually save any data that affects critical processes and establish communication for those
- Get help from an experienced IT and cybersecurity services provider
- Actively but carefully communicate the situation to affected vendors, customers and partners
The likelihood of falling victim to a cyberattack tomorrow has risen sharply over the last years. In fact, cyberattacks are globally perceived as the number one business risk by 44% of risk managers (study sample size n=2650), identifying cybercrime as one of the major risks for companies, with business interruptions and natural catastrophes coming second and third. Depending on the type of business and market environment, cyberattacks in uncertain times like these can jeopardize the existence of a company. When digitally transforming a legal department to become a business enabler within the company, general counsels should collaborate closely with IT and data protection departments to make protecting the digital legal data and the company’s data in general their top priority. The legal department should be the driving force in building the cybersecurity risk management strategy and in creating an incident response team and plan.