ENISA and BKA have published several reports in recent weeks on the status of cybersecurity in Europe and Germany. In addition to current threats, these reports address the impact of the coronavirus pandemic on corporate cybersecurity, as well as new cybercrime business models. Companies should take these publications as an occasion to revise their own IT security processes in order to adapt to these new threats. It is also increasingly important for companies to consider legal aspects when defending against cyberattacks.
The Reports in Particular
ENISA Threat Landscape 2020
The ENISA Threat Landscape 2020 analyzes cyberthreats in the period from January 2019 to April 2020. The Threat Landscape consists of 22 individual reports in all, including detailed information about each of the top 15 threats identified by the agency. The report includes several infographics, containing information e.g. about how cybercriminals are operating during the coronavirus pandemic. Based on ENISA’s analysis, the following are the main cyberthreats facing companies today:
- Malware, in the form of encrypting Trojans (ransomware) or cryptominers
- Web-based attacks, e.g. through manipulated websites or brute force attacks
- Phishing, particularly by sending out e‑mails with malicious attachments or links to fraudulent websites
- Web application attacks, e.g. using SQL Injection or Cross-Site Scripting (XSS)
- Spam, the volume of which reached a new high during the coronavirus pandemic
- DDoS attacks, which interfere with the availability of systems and services
- Identity theft through the illegal use of personal data
- Data breaches through unauthorized access to data
- Insider threats, e.g. from employees or contractors who abuse the access rights they have been granted
- Botnets, which allow cybercriminals to synchronize their attacks over a large number of devices
- Physical manipulation, damage, theft and loss
- Information leakage, which may occur e.g. due to poorly configured systems
- Ransomware, which ENISA also covers in a separate report, in addition to listing it under the No. 1 threat (malware)
- Cyberespionage and espionage by governments and other actors
- “Cryptojacking,” i.e. attacks using malware that covertly mines cryptocurrency on the victim’s systems (“cryptomining”); likewise the subject of a separate report in addition to the No. 1 threat
BKA’s Cybercrime 2019 Status Report and Special Report on “Cybercrime during the Coronavirus Pandemic”
BKA’s Cybercrime 2019 Status Report is much more compact than the ENISA Threat Landscape 2020, but no less informative. It reports that cybercrime is becoming increasingly professionalized and that more and more criminal value chains are emerging. The greatest threat to private-sector companies, according to BKA’s findings, is ransomware. In this, BKA’s assessment is largely in agreement with ENISA’s analysis, as well as with our own experience advising companies. At the same time, BKA reports a rapid increase in the number and intensity of DDoS attacks. In general, the perpetrators of these attacks are globally connected and operate internationally with a division of labor. The best defense against cyberattacks, in BKA’s view, is informed internet users who are able to recognize and fend off such attacks. Beyond its description of attack scenarios and the numerous examples it provides, BKA’s findings on criminal networks, the so-called “underground economy,” are especially interesting. Special mention is also made of industrial espionage by means of cyberattacks, which BKA regards as “a key method of information gathering for foreign intelligence services” as well.
In addition to its Cybercrime 2019 Status Report, BKA also published a special report on “Cybercrime during the Coronavirus Pandemic.” According to BKA, the primary threats in the context of the pandemic are fake websites, phishing and malware spam campaigns. At the same time, BKA also stresses the risk that DDoS attacks pose to employees working from home.
Assessment and Options
The findings reported by ENISA and BKA are not surprising, but they provide a comprehensive picture of the current threat situation in general and of the changes brought by the coronavirus pandemic in particular. As the economy becomes increasingly digitized, the rise in cybercrime can be expected to continue. Accordingly, companies will have to keep devoting a great deal of attention to cybersecurity and to responding to current threats. In particular, companies should be prepared to deal with ransomware and DDoS attacks.
Not only is this necessary from the viewpoint of IT security, but it may be a legal requirement as well, e.g. as part of the appropriate technical and organizational measures required by Article 32(1) of the GDPR. One must also not overlook the fact that cyberattacks have legal implications. These arise in the response to an attack, for example in the form of duties to notify the data protection authority (Article 33 GDPR) or, for operators of critical infrastructure, the Federal Office for Information Security (BSI), or to inform the affected data subjects (Article 34 GDPR). But companies should also give more consideration to the legal aspects of cybersecurity before an attack occurs, e.g. by making contractual arrangements with service providers that specifically address the handling of cyberattacks (“incident response”). Such contractual arrangements, which may include e.g. documentation requirements, can prove helpful when it comes to defending against possible damage claims from data subjects or seeking recourse against service providers.