Calendar An icon of a desk calendar. Cancel An icon of a circle with a diagonal line across. Caret An icon of a block arrow pointing to the right. Email An icon of a paper envelope. Facebook An icon of the Facebook "f" mark. Google An icon of the Google "G" mark. Linked In An icon of the Linked In "in" mark. Logout An icon representing logout. Profile An icon that resembles human head and shoulders. Telephone An icon of a traditional telephone receiver. Tick An icon of a tick mark. Is Public An icon of a human eye and eyelashes. Is Not Public An icon of a human eye and eyelashes with a diagonal line through it. Pause Icon A two-lined pause icon for stopping interactions. Quote Mark A opening quote mark. Quote Mark A closing quote mark. Arrow An icon of an arrow. Folder An icon of a paper folder. Breaking An icon of an exclamation mark on a circular background. Camera An icon of a digital camera. Caret An icon of a caret arrow. Clock An icon of a clock face. Close An icon of the an X shape. Close Icon An icon used to represent where to interact to collapse or dismiss a component Comment An icon of a speech bubble. Comments An icon of a speech bubble, denoting user comments. Comments An icon of a speech bubble, denoting user comments. Ellipsis An icon of 3 horizontal dots. Envelope An icon of a paper envelope. Facebook An icon of a facebook f logo. Camera An icon of a digital camera. Home An icon of a house. Instagram An icon of the Instagram logo. LinkedIn An icon of the LinkedIn logo. Magnifying Glass An icon of a magnifying glass. Search Icon A magnifying glass icon that is used to represent the function of searching. Menu An icon of 3 horizontal lines. Hamburger Menu Icon An icon used to represent a collapsed menu. Next An icon of an arrow pointing to the right. Notice An explanation mark centred inside a circle. Previous An icon of an arrow pointing to the left. Rating An icon of a star. Tag An icon of a tag. Twitter An icon of the Twitter logo. Video Camera An icon of a video camera shape. Speech Bubble Icon A icon displaying a speech bubble WhatsApp An icon of the WhatsApp logo. Information An icon of an information logo. Plus A mathematical 'plus' symbol. Duration An icon indicating Time. Success Tick An icon of a green tick. Success Tick Timeout An icon of a greyed out success tick. Loading Spinner An icon of a loading spinner. Facebook Messenger An icon of the facebook messenger app logo. Facebook An icon of a facebook f logo. Facebook Messenger An icon of the Twitter app logo. LinkedIn An icon of the LinkedIn logo. WhatsApp Messenger An icon of the Whatsapp messenger app logo. Email An icon of an mail envelope. Copy link A decentered black square over a white square.
Oil & Gas

Your data held hostage: worrying increase in ransomware attacks is a stark reminder for the industry

By Ross McKenzie, partner, Addleshaw Goddard LLP
18/05/2021, 3:33 pm Updated: 24/10/2022, 4:25 pm
© Shutterstock / SharkshockAn empty pump at a gas station is covered with a yellow plastic bag following a cyber attack on the Colonial Pipeline.
An empty pump at a gas station is covered with a yellow plastic bag following a cyber attack on the Colonial Pipeline.

Ransomware is big business, and the threat is growing.

Just days ago the Irish health service was crippled by what was described as possibly the most significant cybercrime attack on the Irish state in history. Patient appointments were cancelled, delays ensued and computer systems were shut down as IT experts rushed to assess the damage.

Make no mistake, ransomware’s impact goes far beyond the financial. When public organisations or large corporates are hit, citizens or customers also become victims.

The energy sector is also a target including a ransomware attack on the Colonial Pipeline, the US’s largest fuel pipeline. This caused days of shutdown that spiked petrol prices and caused widespread panic in the market. Closer to home, the Scottish Environment Protection Agency (SEPA) was hit with an attack on Christmas Eve last year that led to some 4,000 sensitive files including contracts, databases and strategy documents being published on the dark web.

Ransomware attacks infect a computer system with malicious software that encrypts or blocks access to files, rendering them inaccessible. The attackers then typically contact the victim asking them to pay a ransom in exchange for a digital key to unlock their files – something the unprepared are often forced to resort to. While this may sound like the type of thing you would see in a spy thriller on TV, worryingly they are no longer uncommon.

Cybersecurity firm Sophos estimates that some 37 per cent of organisations have been targeted in 2021, with the average cost of recovering from a ransomware attack more than doubling in the last year – hitting almost US$2 million. More concerning still, only 8 per cent of organisations that gave in to the hackers’ demands and paid the ransom managed to get back all of their data.

So what can be done in the face of such threats? As is often the case with cybersecurity, preparation is key, and there are obligations that businesses must adhere to.

Practicising good “digital hygiene” within your business is a key element of preventing such attacks – this involves ensuring all staff have been appropriately trained to use IT systems in a safe way, recognise potential phishing attempts, and understand the risks.

Another key weapon in the fight against ransomware is the regular creation of backups of all corporate data. While the task may sound tedious, a ransomware attack is only as effective as its impact on your data – if you have backed up recently, then it is much easier to get back online – it doesn’t of course resolve the fact data is out there.

Many of these steps are recognised as best practice, and do in fact, in many cases, form part of your legal obligations from a data protection perspective including compliance with the GDPR.

The Network and Information Systems Regulations 2018 (NIS Regulations) are also worth bearing in mind. These aim to achieve a high common level of digital security within the EU – and the UK government is maintaining the obligations despite Brexit.

The NIS Regulations impose duties on organisations that are identified as “operators of essential services” to manage the risks posed to the security of network and information systems on which their essential service relies; and to prevent and minimise the impact of security incidents.

There is a duty to report any incidents within 72 hours and penalties of up to £17 million for breach of the NIS Regulations.

Many oil and gas businesses, both upstream and downstream, are caught by the “essential services” definition, and must take action accordingly. But in the energy sector, any business in the supply chain needs to think about their role in supporting their client. In our experience, suppliers are a weak link in the chain that can lead to exposure and, also contractual liability. We know that breaches usually end up in fights over responsibility splits.

Never assume that you are too big, too small, or too insignificant to fall prey to a ransomware attack, and you will prove a far harder target than your would-be attackers are expecting.

Ross McKenzie is a partner with international law firm, Addleshaw Goddard based in Aberdeen. He advises clients in the energy sector on compliance with data protection laws and technology contracting. Kyle Sinclair, a trainee in AG’s Aberdeen office supporting clients in corporate and commercial work in the energy sector, contributed to the article.

Contact Ross to find out more: Ross.McKenzie@addleshawgoddard.com

Tags