The volume and scale of cyberattacks and cyberfrauds are rising. The pace at which ever more sophisticated attacks can infiltrate systems around the globe means that the likelihood of an imminent attack on any company, small or large, should never be discounted.
According to the Ponemon Institute's recent Cost of Cybercrime report, the average annual cost of cybercrime to a company last year was US$11.7 million, and the average annual number of security breaches rose by 27.4 percent over the previous year. In compiling its report, the Institute evaluated responses from 254 companies in seven countries (Australia, France, Germany, Italy, Japan, the UK and the US).
Last week, the Hong Kong Police Force reported that since its new anti-deception coordination center began its work in July 2017, it had received complaints involving 229 commercial email fraud cases. Overall, in less than five months, victims have submitted to it hundreds of requests to halt payments, totaling approximately US$113 million lost in various online and phone rackets. This is a significant figure for a city with a population of little over 7 million. Many of these cases have links to China.
The reported cases of cyber-related frauds in China in 2017 are significantly higher. From Q1 through Q3 2017, a national online cyberfraud complaint platform established by the Beijing Public Security Bureau received 19,236 cyberfraud reports, with reported amounts involved totaling just over US$400 million. The principal types of cases reported are financial and social engineering frauds, with most complaints received from victims in the cities of Beijing, Guangzhou and Shenzhen.
For corporations, it is no longer a question of whether an attack will happen. The questions are when it is likely to happen, and whether they are able to contain the cost and consequences of the attack and recover what they can before it is too late.
Be prepared for an attack during holiday seasons when company resources are stretched
Moreover, and worryingly, attacks are more likely to happen during the holiday seasons (such as Christmas and New Year, Chinese New Year and the summer vacation period). This is when a company's key decision makers are on leave or not readily available, employees are more likely to act on phishing emails purporting to come from those leaders (for example, an urgent request to approve a payment or change a supplier's bank details), and already limited internal resources are stretched further. Similarly, external service providers, such as legal advisers and IT forensic support teams, may have left for their own vacations and be spread across different time zones. Cyberattacks are often timed deliberately to take advantage of these weaknesses.
Preparedness means Plans B and C too
Many companies have already reviewed their cyber-response preparedness and developed an Incident Response Plan. Even with such planning in place, however, companies should prepare for unforeseen factors that could put paid to the best-laid plans during the holiday season.
To ensure that an Incident Response Plan can be implemented properly and effectively during the critical early hours of an attack, it is worth reinforcing some key preparatory steps in the lead-up to the holiday season:
- You already have response teams in areas such as IT, legal and the business, and each team has a designated internal incident response lead. Before the holidays, check whether these leads or their designated alternates will in fact be available. At a minimum, the overall response team leader must be reachable 24/7 by text message; if not, another team leader should be designated in advance as the contact for the period when the first-choice leader is unavailable.
- Contact outside experts (such as outside counsel and IT forensic specialists) to confirm that their dedicated response teams will be in place during the holiday season (as DLA Piper's team will be; just use the email address firstname.lastname@example.org). It is always worth checking that there are no last-minute holiday plans that these outside firms themselves have not accounted for.
- Check the most up-to-date list of dedicated contacts at the banks, IT service providers and other key service providers that serve the company's business, and confirm that those contacts can be reached outside normal working hours, including during the reduced hours many providers keep over the holidays. For a payment fraud, the bank contact able to place a hold on a transfer is the one that matters most, and the earlier that call is made, the better the prospects of recovery.
- Conduct a simulated run-through of the company's Incident Response Plan or send a reminder of the same to all designated internal incident response leads before the start of the holiday season.
For any cyberfraud, being able to gather the evidence quickly (the fraudulent emails with their full headers, the payment instructions, transaction records and system logs) and present it to law enforcement agencies, courts and banks, whether to follow the money trail or to identify where and how the data breach occurred, gives a company the best chance of recovering lost funds and containing the impact of the breach.
To do so, you need to remain alert to the real possibility of a cyberattack even during the most distracting times of year, when everyone else is heading out on vacation or rushing to leave for it, and attention to good cybersecurity may already have switched off.