Following the pandemic, businesses depend on technology more than ever. Whether it’s internal communications, client operations, or supply chain, we rely on software and online tools to do our jobs.
This dependency also means that cybercriminals aren’t short of targets to go after. Cybercriminals continue to search for lucrative opportunities where digital activity is most prevalent, and they strive to stay one step ahead of individuals and organisations.
When a cyberattack occurs, organisations suffer in more ways than one. Lost productivity, theft of intellectual property or data, reputational harm and the time lost to restoration efforts are just some of the consequences.
This has led to the signing of new cyber security-related laws and regulations, and subsequently, organisations are faced with a new set of consequences in the event of a breach.
In this blog, we’ll explore the rise of cybercrime and ransomware attacks, the latest laws and regulations around cyber security, and what it all means for organisations.
The growing threat of cybercrime
Each year, businesses face a growing threat from cybercrime. In 2022 alone, 4 in 10 organisations in the UK reported having experienced a cyber-attack, and less mature businesses may well be underreporting.
The economy also plays a part in cybercrime. While inflation itself cannot be deemed a cause of threats, it shapes budgeting decisions, which in turn have a knock-on effect on the buying power of security leads.
More often than not, it’s humans who are the weakest link when it comes to cybersecurity. Yet when companies do put a cyber strategy into place, the focus tends to be on new technology rather than investing in improving user behaviour through training.
Ransomware: the big bad wolf of cybercrime
The size and types of attacks organisations face range from phishing and supply chain threats all the way to nation-sponsored attacks. Out of all the strategies employed by cybercriminals, ransomware attacks are some of the biggest and costliest cyberthreats that businesses are left to navigate.
In fact, damages from global ransomware attacks are expected to exceed a whopping $30bn by 2023. Ransomware attacks affect virtually every industry, and they are growing in intensity due to the decreased barriers to entry making this a low-risk, high-reward strategy for criminals.
What is a ransomware attack?
In the most common ransomware attacks, the attacker seeks to extract a ransom from the victim either by encrypting key files within their systems, making them inaccessible, or by exfiltrating sensitive files and threatening to publish them unless a ransom is paid.
The case of WannaCry
Some of us will remember the “WannaCry” ransomware epidemic that shook the cybersecurity world in May of 2017. Targeting machines operated by Microsoft Windows, this crypto-ransomware encrypted organisations’ data and demanded Bitcoin for their return. Affecting around 230,000 computers over just one weekend, the cost of the attack was estimated in the billions.
So, how did this happen? Interestingly, Microsoft had released an update to address the vulnerability a few months before the attack, but those who hadn’t updated their machines were left exposed to the weakness.
The consequence? Affected victims were given three days to pay a ransom of $300 in Bitcoin, which was later doubled. The NHS, FedEx, Nissan and Bank of China were just some of the high-profile organisations affected across nearly 150 countries. While many of the targeted organisations were quick to take action, the WannaCry ransomware is still out there, “infecting” victims and encrypting data.
How are governments responding?
In an effort to combat cybercrime, legislators around the world are working hard to keep up with the increased threats. While it’s crucial that cybercrime is addressed at a governmental level, it also means that businesses have to be mindful of the new laws and regulations.
These days, on top of dealing with the direct costs of an attack, organisations may also face fines for not complying with the latest regulations, making the negative implications of an attack bigger than ever before.
Some of the latest laws and regulations around cyber security
The PSTI Bill in the UK
In the UK, the Product Security and Telecommunications Infrastructure (PSTI) bill received Royal Assent in December 2022 and is now law. In a nutshell, it is designed to enforce stricter security requirements for manufacturers, importers and distributors of IoT devices. (GOV.UK)
- If organisations breach the rules, they may face fines of up to £10 million and 4% of their global turnover.
Strengthening American Cybersecurity Act (SACA) in the US
The bill, signed into law by President Biden in March 2022, requires critical infrastructure organisations to report breaches to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and to report ransomware payments within 24 hours (Lexology).
- The short timeframe may pose a challenge, as it’s been found that it takes businesses 49 days on average to detect a ransomware attack (IBM).
GDPR in the EU and UK
By now, we’ve all felt and seen the effects of the GDPR rules that came into force in 2018. Across the EU, GDPR tightened the rules on how freely businesses can send marketing material to people.
- In extreme cases in the UK, failure to abide by GDPR can result in up to £17.5 million in fines or 4% of annual turnover – whichever is greater (IT Governance).
What does all this mean for businesses?
In today’s world, cybercrime represents one of the biggest risks that businesses face. Out of all the threats, ransomware is among the biggest and most detrimental, with costs that reach well beyond the financial.
As governments tighten laws and regulations around cybersecurity, organisations have to stay compliant to avoid additional penalties on top of the obvious harm caused by an attack. It’s safe to assume that laws and regulations concerning cybersecurity will only grow from here.
But how can you prevent ransomware attacks in the first place? Our next blog explores practical strategies that organisations can implement to reduce the risk of falling victim to a ransomware attack.
Thanks to Principal Security Consultant David Cooper for their contributions to this post.
Concerned about cybersecurity in your business? Our cybersecurity specialists are highly experienced in assessing risks and helping businesses navigate the cyber threat landscape. Get in touch to talk to our team of experts.