The landscape for cyberattacks is constantly evolving. Attacks are becoming more global and sophisticated, and 2019 is poised to continue this trend toward increasing complexity.
This Legal Update highlights: (i) the main aspects of the threat landscape identified by the European Union Agency for Network and Information Security ("ENISA") in its 2018 Threat Landscape Report (the "Report") published on January 28, 2019, and (ii) the recommendations from ENISA for businesses to increase resilience and foster improved cybersecurity in 2019. Set up in 2004, ENISA contributes to a high level of network and information security ("NIS") within the European Union and works to develop a culture of NIS, and to raise awareness, in society. Its yearly edition of the Report contributes to the identification of the cyber threat landscape and supports the development and implementation of the European Union's policy on matters relating to NIS.
For a more global perspective on cybersecurity and privacy outlook, please read the 2019 Cybersecurity and Data Privacy Outlook.
Cyber Threat Landscape in 2018: More of the Same and One New Joiner
The Report identifies the top 15 cybersecurity threats in Europe. The top four threats remain unchanged compared to the previous year: (1) malware, (2) web-based attacks, (3) web-application attacks and (4) targeted forms of phishing (in that order). Meanwhile, denial of service ("DoS"), botnets and data breaches increased in 2018. The Report also found a new threat: "cryptojacking." We discuss some of the Report's findings below.
- DoS attacks, and especially distributed DoS ("DDoS") attacks, are an impactful threat in the cyber landscape and have been used to target businesses across economic sectors. Defending against this type of threat (notably by hiring dedicated vendors) has become a central challenge for the private sector with financial services, e-commerce companies, cloud providers and governments devoting significant resources to the issue. [1] Research suggests that the number of DDoS activities is on the rise (a 16-percent increase in summer 2018 when compared to the same period in 2017). [2] Although law enforcement activities have challenged this breed of malicious cyber activity, the Report noted that the increase in the number of connected services globally and their dependency on the Internet of things (IoT) increase the threat of DoS and other types of attacks. As connectivity grows, such attacks have the potential to cause systemic failure for businesses and critical systems (e.g., in connected hospitals and related services).
- The Report noted that, during 2018, botnets were active and used to advance various malicious activities. For example, the Report revealed that 88 percent of spam was found to have originated from botnets, and that new botnets have been developed around IoT, social media and online advertisements. The Mirai malware technique (and source code) inspired criminals to build even more sophisticated IoT botnets (Tori-bot, a prominent type of botnet identified in the Report, has six persistence techniques targeting multiple architectures).
- The Report noted that data breaches (incidents leading to the alteration, compromise or loss of data) affected significantly more records in 2018 [3], with the average cost of a breach increasing by 6.4 percent. The introduction of a more comprehensive data breach framework in the European Union (since the entry into force of GDPR) could explain some of that increase. Social media platforms account for a majority (56 percent) of reported breaches, and some industry sectors (e.g., healthcare, 27 percent) have been particularly vulnerable. The Report found that external attackers were the leading cause, accounting for 48 percent of breaches, while human error and negligence, along with technical error, accounted for 27 percent and 25 percent, respectively.
- According to the Report, 2018 was the year of cryptojacking, a phenomenon appearing among the top 15 threats for the first time. Cryptojackers use the victim's computer power to "mine" cryptocurrencies, such as Bitcoin or Monero, without the victim's consent. Higher profits have driven cybercriminals to focus on cryptojacking. Implementing content filtering that screens out suspected cryptojacking software in emails, together with regular security audits, should, according to the Report, help to detect anomalies in the usage of computer power linked to cryptojacking.
In 2019, Organizations Should Pursue a Cybersecurity Strategy
Throughout the Report, ENISA identified specific measures that could be adopted in the business context to minimize risks to cybersecurity. According to the Report, recommended steps in the development of a cybersecurity strategy include the following:
- Estimate risks from cyber threats, or "know your enemy" (and yourself). Businesses should assess the potential impacts of a successful cyberattack on their assets and customer base and adopt the required security measures. Risk assessment should take into account the evolution of cyber threats, particularly the growing focus on automated attacks and attacks on mobile devices and IoT.
- Define cyber threat intelligence ("CTI") processes. Collection and analysis of CTI contributes to a better understanding of the motives and techniques used to conduct a cyberattack (and the ability to anticipate potential damage).
- Share CTI with other stakeholders. Sharing CTI can help facilitate the identification of common threats, as well as best practices and effective security measures (eventually at a sector-specific level). Existing CTI networks should be enlarged, and the volume of CTI shared should be increased.
- Consider supply chain threats. In complex product development processes, threats affecting different levels of the supply chain can have a cascading effect that ultimately impacts the end user. Coordinated action at a sector-specific level should ensure a common approach to these systemic threats. In addition, relying on certification at every stage of the supply chain may help to facilitate end-to-end security.
In all of these aspects, the role of ENISA is set to increase in 2019 following the adoption of the EU Cybersecurity Act. The Cybersecurity Act [4] paves the way for EU cybersecurity certification schemes for ICT products (i.e., hardware and software elements of network and information systems); services (i.e., services involved in transmitting, storing, retrieving or processing information via network and information systems); and processes (i.e., sets of activities performed to design, develop, deliver and maintain ICT products and services). Because 2019 is the first full year since the adoption of the NIS framework by EU member states, cybersecurity awareness will be a key consideration for businesses operating in the European Union.
Indeed, cybersecurity is likely to stand among the most significant challenges that multinational businesses must address in 2019. Businesses will benefit from continuing to refine their cyber risk management and data privacy compliance programs to address the evolving EU cyber regulatory landscape in the coming year.
1 See the Arbor network report (https://pages.arbornetworks.com/rs/082-kna-087/images/12th_worldwide_infrastructure_security_report.pdf).
4 For previous coverage on the Cybersecurity Act, see here.
© Copyright 2019. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.