Do's And Don'ts In Practice

Published date: 09 June 2022
Subject Matter: Corporate/Commercial Law, Media, Telecoms, IT, Entertainment, Privacy, Technology, Corporate and Company Law, IT and Internet, Data Protection, Security
Law Firm: Dorda Rechtsanwälte GmbH
Author: Mr Axel Anderl and Nino Tlapak, LL.M.

Over the last few years, and especially during the peak of the COVID-19 pandemic, the risk of falling victim to harmful and systematic cyberattacks has increased massively. Although the aim of cybercriminals - to extort money - remains unchanged, their methods and targets have evolved in line with the overall increase in digitalization. In contrast to industries with a focus on sensitive data and trade secrets, such as pharmaceuticals, banks, or insurance companies, industrial companies have not focused on preventive measures against potential cyberattacks in the past. Nowadays, however, production machines are linked to each other via a network and are therefore threatened to the same extent.

Worst-Case Scenario: Standstill Overnight

As regards methods, the risk exposure has changed due to the increase in ransomware attacks. In such a scenario, the attacker successfully penetrates the system and encrypts and/or deletes all data. In return for a ransom, which is usually paid in Bitcoin, the attacker offers to decrypt and release the data. During the clean-up by IT professionals, it often turns out that the attackers had already been in the system for a long period of time without being discovered. The trigger is often minor negligence, such as missing updates or patches for already known vulnerabilities, which thus allow access, or even an employee clicking on a compromised link.

From there, attackers continuously work their way through the system in search of information and admin access rights. The shutdown then regularly occurs at night or at the beginning of the weekend to further increase the pressure on the target. This regularly involves shutting down all production and communication systems, encrypting and deleting all data in the company, and then demanding a ransom. Whether, up to what amount, and under which legal conditions this can and should be paid then needs to be decided on a case-by-case basis. Sometimes data can be restored from a backup or significant parts of production can be restarted autonomously. This mainly depends on which crisis and recovery method takes effect in the event of an incident.

How To Prepare for Such a Crisis Situation?

In the event of an incident, very tight deadlines apply due to pressure from the attackers and legal obligations. In order to be able to react promptly, adequate preventive measures have to be in place...
