
Cyber incidents are rarely out of the news for long, but recently we have seen a string of headline-hitting attacks on big-name retailers. Marks & Spencer, Co-op, and more recently North Face and Cartier have reported data breaches following unauthorised access to systems by threat actors, who have stolen customer data.
What lessons can we learn from these attacks, which can have huge financial and reputational consequences?
Be prepared: readiness
While the facts and circumstances of each cyber event or data breach may be slightly different, there are elements that can be mitigated with proper planning. Developing an effective incident response plan is key to this. Take some time to consider the policies and procedures to follow should the worst happen and the organisation fall foul of cyber threat actors. An incident response plan should consider key issues such as:
- Incident detection
- Incident response team
- Communication and escalation
- Decision making
- Impact assessment
Another extremely useful tool is a cyber simulation or tabletop exercise. A tabletop exercise presents the scenario of a cyber incident in order to test and enhance the incident response process. Running a scenario before a breach occurs can be invaluable: it brings the core team together and gives everyone a chance to ask questions and develop their understanding of their role at the right time, rather than in the middle of a cyber event. It allows everyone to hit the ground running in the event of an attack, as they know what to do, and the policies and procedures in place should be optimal for the organisation because they have been tested in an attack simulation environment.
Of course, having up-to-date cyber security systems, firewalls, effective patch management and the like is an essential part of being cyber ready. This has been highlighted not only by the recent attacks on retailers but also by a significant regulatory penalty notice. The UK’s ICO recently confirmed a £3.07 million fine issued to Advanced Computer Software Group following a ransomware attack. The ICO’s investigation concluded that failures in vulnerability scanning, patch management and multi-factor authentication contributed to enabling the threat actor to gain unauthorised access to systems. Robust cyber security measures are also often a requirement of cyber insurance policies, so they are something that should be at the top of every board agenda.
Additionally, it’s not just an organisation’s own systems that need to be on the radar. How does the cyber security of the supply chain shape up? Whilst investigations are still ongoing, M&S reported that access was gained to its data through a third party that had access to the M&S systems. Initial access through a supplier has therefore resulted in the current debilitating cyber attack.
Legislation is starting to catch up with supply chain risk in cyber security, with both NIS2 and DORA in the EU bringing focus to supply chains and the forthcoming Cyber Security and Resilience Bill in the UK intending to strengthen supply chain security.
Response and recovery
The hours and days following a cyber attack will be a time of high pressure for any organisation. The effort that was put into an incident response plan will now really pay off.
As the victim of a cyber attack there are many priorities to consider, and whilst prioritisation is key, don’t let things that are towards the bottom of the to-do list slide. Immediate actions to consider following a cyber attack include:
Understand the nature and impact of the incident
This is important for many reasons, but above all it helps an organisation to understand the extent of the cyber event, and not only the current impact but the impact going forward. It seems that some retailers suffering recent attacks didn’t appreciate the full scale of the damage until some time after the attack. Whilst this is always a danger, and some issues may inevitably present themselves later, engaging in a full risk assessment immediately following the attack can help to bottom out the potential risks throughout the business. We can see the fallout of failing to engage in a proper risk assessment in the recent fine issued by the ICO to DPP Law Ltd. Here, cyber attackers accessed DPP Law’s administrator account and exfiltrated personal data. DPP’s own investigations initially determined that no data had been exfiltrated; however, 32.4Gb of data had in fact been published on the dark web. DPP was criticised by the ICO for not undertaking a risk assessment and instead putting the focus on bringing systems back online.
Right people in the right place
Mobilising the necessary teams so that decisions can be made as quickly as possible is essential. Core personnel and decision makers should be briefed immediately and be ready to carry out their duties as set out in the incident response plan. Communication really is key at the early stages.
Mitigate the impact
Take steps to ensure business continuity and service delivery. This is key to mitigating the ongoing fallout from the cyber event. Enable as many people as possible to continue to perform their roles as normal. Whilst a number of people will have a role in managing the cyber event, it is important to consider what all other members of the organisation will be doing day to day and what needs to be done to get the business back up and running.
Notifications
Don’t forget that a cyber attack may trigger an obligation to notify regulators or other bodies, often with tight deadlines. In the UK, a data breach must be reported to the ICO within 72 hours. The UK Government is currently consulting on a compulsory reporting regime following a ransomware attack. Also consider whether any industry-specific regulators require notification.
Engage the experts
Bringing the right people in at the beginning can make all the difference. Depending on the organisation and the breach in question, some may require additional technical support, as well as forensic, communications, cyber security and legal expertise. And don’t forget to engage with insurers: not only should insurers be kept informed, but they can also be a valuable resource, as they will have navigated similar situations before.
What about insurance?
The cyber insurance market is rapidly evolving in order to keep up with the ever-adapting technologies associated with cyber attacks. Munich Re has recently reported that it expects the global cyber insurance market to reach US$16.3 billion in 2025, so it is something that insurers are investing a great deal of time and money in getting right.
It is important to notify insurers immediately following a cyber attack. Many insurers now offer a 24-hour reporting line which will often connect automatically with cyber response services and legal expertise. We work very closely with insurers following a cyber attack suffered by a client or policyholder. Working together means that we can rely on our respective expertise to ensure that all matters are dealt with effectively and efficiently and that the utmost is done to enable an organisation to recover from a cyber attack and emerge stronger.
Helen Bourne is a Partner and Ambre Cross a Senior Associate at Clyde & Co, and both are members of the Forum of Insurance Lawyers (FOIL).