In 2021, there were 40,000 cyberattacks per day, up 125% from the previous year, according to security solutions firm Datos101. While the number of cyberattacks has been rising for several years, experts attribute the exponential growth of 2021 to specific factors such as the pandemic and widespread telecommuting. With the war between Russia and Ukraine, the threat has increased further, prompting Spanish Defense Minister Margarita Robles to announce several weeks ago that the alert level for cyberattacks had been raised to 3, with five being the highest.
Prevention is the best strategy against the threat of cyberattacks, and this is where lawyers have a fundamental role to play, especially in adapting organizations to the protective regulatory framework. More than 50 rules are contained in the Code of Cybersecurity Law, structured into eight major sections, including national security, critical infrastructure and data protection.
These regulations mainly target the public administration and its suppliers, critical infrastructures and essential services, as highlighted by Jesús Yáñez, cybersecurity partner at the technology and communication firm ECIJA, since it is these entities that became the main targets following the sanctions imposed on Russia.
Since the start of the invasion of Ukraine, critical infrastructure companies such as Iberdrola, public entities such as the National Police and the Tax Authority, technology companies such as Microsoft and Apple, as well as the large majority of Spanish banks (BBVA, Santander, Caixabank, Sabadell, Liberbank), have been the subject of this type of attack.
However, they are not the only targets of cybercrime. Cyberattacks continue to occur on a large scale in all types of businesses, from SMEs to multinationals. “In Russia, there are organizations that take advantage of any conflict to escalate cyberattacks,” says Cristina Cajigos, account manager at Grupo Paradell Technologies, a consulting firm specializing in digital and enterprise risk. As for the underlying motive for a cyberattack, Yáñez admits that it can be extremely varied, “from an economic ransom to access to secret information, to an act of revenge by a former employee who knows that his former company’s security measures are minimal.”
Today, a growing number of companies have a cybersecurity compliance program, through which risks and vulnerable areas are identified and the likelihood of a cyberattack assessed, as explained by Natalia Martos, founder of Legal Army. “Tests are carried out, controls are installed and their effectiveness verified,” she says. “A repository of evidence is created and measures to mitigate risk are generated.”
This is a control strategy that also involves evaluating the company’s technology suppliers in terms of security, and even requiring effective measures from them, as Yáñez points out. “You have to negotiate with them,” he says. “Negotiations are not easy, but necessary. This will not only help to avoid possible violations, but will also serve to demonstrate commitment and diligence in this area.”
Employees must also be made aware of the risks and trained accordingly. “90% of cyberattacks in SMBs are due to human responses, which are strongly linked to a lack of awareness and the work environment,” explains Cajigos. According to Yáñez, the most common tactic is to make users believe they are entering their access credentials on legitimate sites. These are cases of impersonation of a company’s legal identity or that of its representatives, with the aim of defrauding third parties and obtaining an economic advantage. “One of the most common is the falsification of invoices, with modification of the account number to which the payment must be made,” explains Jesús Iglesias, partner at Clyde & Co.
Impersonated businesses “suffer dire consequences, as their customers are often targets of theft and extortion that, at first, might appear to be their responsibility,” says Martos, who recommends that an entity victimized by a cyberattack record all the details of the attack and immediately contact the specialized units of the State Security Forces and Corps, who will bring it under control and, finally, after a forensic investigation, try to find out who is behind it. “It’s really complex because of the lack of traceability in the cyber world,” she acknowledges.
Meanwhile, Cajigos adds that to reduce the impact, victims should try to detect the origin of the attack and notify the Data Protection Agency in the event of critical data loss. That said, she insists that prevention is the best policy. “If you prepare the infrastructure for intrusion detection, have decentralized backups of critical data, a disaster recovery plan and a business continuity plan, the impact will be significantly reduced,” she explains.
Purchasing cyber risk insurance, according to Iglesias, “helps businesses respond to and adequately manage a cyberattack, reducing the financial, legal and reputational damage it can cause.” These insurance policies typically include incident response management services while providing access to a range of different providers, such as technicians, legal advisers and public relations firms, who will step in when needed. They also typically cover administrative fines that may be imposed by data protection authorities, reimbursement of ransom payments in the event of cyber extortion, and any potential civil liability arising from the attack.