By: Andy Serwin ‖ Ross McKean ‖ Carolyn Bigg

In response to the heightened geo-political tensions resulting from Russia’s invasion of Ukraine and the package of economic sanctions imposed by the West, the risk of cyber-attacks by Russia and her proxies is high.  We may see an increase in economic extortion to generate revenue to compensate for economic impacts.  We may also see retaliatory attacks that are not necessarily revenue generating, but instead are focused on inflicting widespread or targeted economic harm and other disruption.  Organisations based in countries that have imposed sanctions and are supporting the defence of Ukraine are at heightened risk.

Companies should carry out a risk assessment to determine the likelihood of a cyber-attack, whether for economic, espionage or other retaliatory reasons.  Examples of relevant considerations include:

• the significance of the company’s industry to Russian interests;
• the company’s ties to government actors;
• the company’s criticality to a nation’s economy – i.e. does the company form part of critical national infrastructure, and
• the awareness and recognition of the company’s brand – would an attack make a big splash of publicity?

Companies that are in the supply chain of, or reliant on, heightened risk companies should consider their risk as a launching pad for an attack or the risk to the company of an attack on its supply chain.

The following considerations should help to harden your organisation’s posture and reduce the impact of a cyber event:

1. Review and share your Incident Response Plan, Crisis Management Plan and Business Continuity and DR plans with key team members and make sure they address all current threats. Share a copy of the plans with key team members to remind them of their responsibilities.  Ensure team member contact details are up to date (including back-up contact details in the event your main systems are unavailable).  Ensure the team members each have a copy of the plans available off the corporate system (again in case it is unavailable).  Ensure staff have activated back-up email and IT resources if these are offered to them.  An attack may come at any time of the day or night – so ensure that it is clear in the plan who has authority to make emergency out of hours decisions, for example as necessary to protect the wider global network.
2. Ensure you have third party support available if you need it. Make sure you have an incident response firm and breach counsel law-firm lined up to help if you need them.

3. Check your cyber insurance policy. Check notification requirements.  Make sure that your preferred third party advisors (incident responders, law firm etc) are covered by your policy.

4. Ensure you have access to appropriate threat intelligence. Various public resources are available with information on vulnerabilities and cyber-attacks.  Also ensure you have contacts with cyber security intelligence services.  See the list of useful links and resources below.

5. Ensure that all software and firmware across your network (including BYOD) are patched with the latest information security patches to close down known vulnerabilities that could otherwise be exploited. For known unpatched software and firmware, consider other risk mitigations including ring-fencing these systems so that any infection cannot spread and/or decommissioning or temporarily decommissioning these systems while the cyber threat remains high.

6. Ensure effective and secure backups are in place and are operating correctly so that in the event of an attack you can recover your data quickly. Beware that threat actors will often seek out and encrypt back-ups – so ideally back-ups should be securely ring-fenced.  Make sure that your back-up strategy and policies also includes key access data such as decryption keys and access tokens – as well as the underlying data – so you can recover your data quickly.

7. Ensure you can ringfence and decommission infected parts of your network. This may not be easy to do if your network has been designed as a “flat” network with open access once an authorised user is in the network.  Ideally you should have the ability to ring-fence parts of your network to protect wider infection and contain malware and threat actors.

8. Ensure you have full visibility of any third parties with access to your network. You may have good security – your counterparties may not.  Threat actors often attack counterparties to “pivot” their attack into customers / counterparties of the initial victim organisation.  Given the current heightened threat, it may be timely to revisit third party access and either suspend or restrict certain third party access until the cyber threat is lower.

9. Ensure good password hygiene. Ensure passwords are regularly changed and meet minimum length and complexity requirements (e.g. by forced password reset after a set period).  Remind staff that they should never use the same passwords for access to business and personal resources.  Encourage staff to use phrases rather than individual passwords.

10. Ensure good access credential management. Ensure that access credentials have been revoked for all leavers and for dormant accounts that have not recently been accessed. For accounts with wider authorisations such as admin and privileged accounts, consider tighter security such as requiring multi-factor authentication.

11. Ensure good antivirus and end point security hygiene. Ensure antivirus software is up-to-date with the very latest vulnerabilities and malware signatures. Ensure it is deployed and active across all infrastructure, applications and devices on your network.  Ensure that all devices connected with your corporate network are securely configured.

12. Ensure logging of system and information access are being recorded and available in the event of an intrusion to facilitate investigations and to help identify the extent of an attack.

13. Ensure good security hygiene for all internet facing resources. Ensure multi-factor authentication for any public facing applications and resources (or equivalent protection). Perform regular vulnerability scans of your organisation’s internet footprint and ensure patching is up-to-date.

14. Remind staff to be vigilant – particularly of phishing attacks. Phishing remains one of the most popular forms of attack even for sophisticated nation state actors. Remind staff how to spot and report phishing emails and who to contact if they click on links in or respond to suspected phishing emails.  Encourage staff to report any other unusual behaviour such as unusual system error messages.

Useful links and resources:

• Australian Cyber Security Centre
• Canadian Centre for Cyber Security
• European Union Agency for Cyber Security
• UK National Cybersecurity Centre
• US Cybersecurity & Infrastructure Security Agency
• New Zealand National Cyber Security Centre

This alert highlights only some of the key issues raised by the increased geo-political tension and heightened threat of cyber-attacks. It is not intended to be comprehensive, and it does not constitute legal advice.

Please contact any member of the DLA Piper Cybersecurity Team, or your DLA Piper relationship contact if you would like more specific advice, whether on cybersecurity matters or any wider business issues.