Cybersecurity: the changing threat and risk landscape

Cyber issues are seldom out of the news, from ransomware attacks and espionage to non-malicious outages that cause widespread concern. Organizations need to protect themselves against both current and future risks and threats. That's where our cyber team comes in. 

Cyber risk evolves constantly, driven by technological advancement, geopolitical issues and changes in how cybercrime groups operate.

“It’s a complex web of factors that interact and develop at a rapid pace,” says Ffion Flockhart, our London-based global head of cybersecurity. “We’re at the heart of all of that: our mission is to help clients best manage the cyber risks and threats they face, however challenging the circumstances.” 

Indeed, adds Catharina Glugla in Düsseldorf, “the assumption there will be disruption” caused by adverse cyber incidents is the foundation of good risk management and underpins operational resilience.

What kinds of cyber incident are causing the biggest issues? 

Readers will be familiar with the concept of ransomware attacks—a scourge across many industries for years. Steven Hadwin in London notes the advent of sophisticated cyber-extortion groups operating a ransomware-as-a-service model. 

“This involves threat actor groups licensing the tools and tradecraft needed to carry out cyber-extortion attacks to a number of affiliates, which has led to a proliferation of bad actors,” he says. “The attacks we see generally involve widespread unauthorized encryption of systems, alongside large-scale data theft. A ransom is then demanded in return for a decryption key and the return of the stolen data.” 

Extortion groups have also exploited vulnerabilities in widely used software to carry out mass data theft-led extortion, as was seen in the high-profile compromise of the file-sharing tool MOVEit.

Unfortunately, this is big business for the threat actors, as the perpetrators of these attacks are known. Organizations may choose to engage with them, sometimes to buy time to get their house in order, sometimes to pay a ransom. 

A ransomware negotiator will be able to advise if the threat actor is who they say they are. As Marcus Harewood in London explains, this is critical if the company is considering meeting their demands. 

“The organized, financially motivated threat actor groups rely heavily on their name and reputation to extort their victims,” he says. Are they good for their promises if a ransom is paid? “There is some honor among thieves. If they were to renege on their word, no cybersecurity expert or threat intelligence expert would advise carrying on with payment.”

Lawyers can’t make recommendations around paying a ransom, but they can advise on the legality of doing so—for example, whether the threat actor is subject to sanctions or is part of a terrorist organization. They will also liaise with law enforcement. 

“Clients want to know that if they pay the ransom, they’re not going to fall foul of sanctions,” says Marcus. That’s alongside considerations around whether paying a ransom will mean a company can get back up and running faster, or at all—particularly sensitive considerations in sectors such as healthcare.

Away from extortion, espionage and IP theft following the compromise of an IT environment remain key issues. Such attacks are sometimes carried out by nation-state actors and can involve access to highly sensitive information.

Ffion says: “The threat actors in this area tend to go ‘low-and-slow’. They try to obtain persistence within an environment, so they can gather as much information as possible while remaining undetected.” 

In a worst-case scenario, threat actors may also look to carry out attacks to damage physical infrastructure. Mercifully, to date, there have been few examples of this—but in a climate of heightened geopolitical and military sensitivity, it’s a risk deserving close attention at all levels.