'Tis the season for cybersecurity — or at least it soon will be.  The period between Thanksgiving and Christmas offers plenty of festive cheer for hackers as businesses and their staff turn their attention to turkey and television.  Indeed, by some counts ransomware attacks increase by 30% during the holiday season.   

The Financial Times now regularly covers cybercrime, including a special report this week whose eight stories are well worth a read.  The report is available here.  What stood out to me?

  • Ransoms — to pay or not to pay?  Much as I’m loath to be the clichéd lawyer, the answer really is: it depends.  I’ve previously written about the UK ICO’s urging solicitors in England and Wales to advise their clients not to pay ransoms, which in my view is easy to say in theory but doesn’t recognise the contextual and commercial considerations that businesses face when dealing with a cyber-event.

  • Policies and procedures are only the beginning.  A pristine set of documents aren’t worth the paper they’re printed on if they haven’t been operationalised.  It’s no great shock that organisations which run targeted and regular training exercises, simulated audits and breach table tops — for employees from the post room to the boardroom — respond better when an incident arises.  Having those processes in place may also help with mitigation in the event of regulatory investigation or enforcement, as shown by a recent ICO fine.   

  • Technology has an increasing part to play — but don’t forget the humans.  The use of AI and similar technology to detect threats is still nascent but unlikely to remain that way for long, and we’re seeing clients increasingly look to trial solutions whose models reflect that organisation’s particular risk points.  More interesting still is how these technologies are being combined with behavioural science to assess and address internal (i.e., people-based) security threats.