Amid an exceptionally fast-evolving cyber threat landscape, fuelled by new technologies like generative AI, a fragmentation of threat actors and changes in the tactics deployed, recent research from FGS Global’s UK crisis practice reveals that business leaders are increasingly concerned about cybersecurity risks to their businesses, forcing them to take stock of their cyber readiness and prepare, recognise and respond accordingly.
Taylor Wessing, an international law firm, and FGS Global convened business leaders and experts from across the cybersecurity ecosystem to explore the shifting landscape and the most pressing cybersecurity considerations for businesses.
Our top ten takeaways from the engaging discussions are below.
1. The cyber threat landscape is evolving at lightning speed, with the scale of attacks increasing and the emergence of new threat actors making it harder to predict future behaviour. The use of generative AI by threat actors to produce very sophisticated, realistic audio-visual deepfake content poses a new and real threat and has already caught out several major businesses.
2. The legal and regulatory process is trying to keep up – but differences across jurisdictions make this an increasingly complex environment for companies to navigate – there is no one-size-fits-all response, and so having a robust cyber response plan relevant to all jurisdictions in which businesses operate is crucial. While injunctions can be obtained to limit the further spread of exfiltrated data by third parties and are another tool in the arsenal for companies to show they are doing what they can to manage an incident, injunctions are unlikely to deter threat actors from engaging in future criminal activity.
3. Cyber insurance is becoming a critical part of businesses’ risk management strategies and the cyber market is maturing, enabling companies to achieve more reasonable premiums for better cover.
4. Mainstream media are increasingly as interested in cyber incidents as specialist trade media – and while the latter may be more focused on certain technical aspects of an incident, both mainstream and trade media will look at how a company responds.
5. The way a company communicates in a cyber crisis is absolutely critical to maintaining trust with stakeholders. While emerging threats like deepfakes are more newsworthy, the mechanism by which a breach occurs should not impact a company’s response. Communications need to be intentional, consistent, disciplined and done in alignment with the legal strategy and the forensic investigation.
6. While AI-enabled cyber attacks are of increasing concern to businesses, companies should ensure they harness the benefits of AI-enabled threat detection and response, including how AI tools can be used to measure public sentiment to an attack and use the insights to inform their communications response.
7. Prevention is better than cure and preparation is absolutely critical to effective cyber response. Bespoke, realistic simulations for a company’s executive and crisis response teams must be a regular fixture of any company’s risk management and business continuity planning. Companies should also ensure their cyber crisis communications protocols and materials stay abreast of advances in the threat landscape, both in terms of emerging threats and in the way threat actors are evolving their own approach to communications and brand reputation.
8. Educating employees must remain a top priority, and organisations must ensure their training is regularly updated to keep pace with changes in the threat landscape. Human error is still a significant enabler of even the most sophisticated AI-enabled attacks.
9. A company’s decision whether to pay a ransom demand from a threat actor is unique to each business and will need to weigh up moral, reputational, legal, operational and financial considerations.
10. There are basic practical hygiene steps that we can all take to protect ourselves online. These include enforcing up-to-date best practice in relation to password hygiene[1], using MFA (multi-factor authentication) on our devices, deploying Endpoint Detection and Response (EDR) tools to detect and respond to threats to a network or system, and ensuring there are no unsecured VPNs on the wider business network and no legacy data held by the company. By eliminating these technical vulnerabilities, we reduce the likelihood of needing immediate cyber incident support and ensure the threat is ultimately greatly reduced.
With thanks to our hosts and moderators at Taylor Wessing (Michael Yates, Jo Joyce and Ed Spencer) and panellists, Ted Cowell (Head of Cyber Security, UK at S-RM), April Bellchambers (Fintech and Venture Lead at Capsule Insurance), Thomas Kahl (Partner at Taylor Wessing), Beth Maundrill (Editor at Infosecurity Magazine), Adam Speker (Barrister at 5RB), Jenny Davey (Head of UK Crisis & Issues Management Practice at FGS Global), Ryan Rubin (Head of Cyber for EMEA at Ankura), Oz Watson (Senior Associate at Taylor Wessing UK) and Oliver Sherwood (Managing Director, Crisis & Issues Management at FGS Global).
[1] There is a recent NIST update which may be relevant here.