Cybersecurity: the changing threat and risk landscape

Cyber issues are seldom out of the news, from ransomware attacks and espionage to non-malicious outages that cause widespread concern. Organizations need to protect themselves against both current and future risks and threats. That's where our cyber team comes in. 

Cyber risk evolves constantly, driven by technological advancement, plus geopolitical issues and changes to how cybercrime groups operate. 

“It’s a complex web of factors that interact and develop at a rapid pace,” says Ffion Flockhart, our London-based global head of cybersecurity. “We’re at the heart of all of that: our mission is to help clients best manage the cyber risks and threats they face, however challenging the circumstances.” 

Indeed, adds Catharina Glugla in Düsseldorf, “the assumption there will be disruption” caused by adverse cyber incidents is the foundation of good risk management and underpins operational resilience.

What kinds of cyber incident are causing the biggest issues? 

Readers will be familiar with the concept of ransomware attacks—a scourge across many industries for years. Steven Hadwin in London notes the advent of sophisticated cyber-extortion groups operating a ransomware-as-a-service model. 

“This involves threat actor groups licensing the tools and tradecraft needed to carry out cyber-extortion attacks to a number of affiliates, which has led to a proliferation of bad actors,” he says. “The attacks we see generally involve widespread unauthorized encryption of systems, alongside large-scale data theft. A ransom is then demanded in return for a decryption key and the return of the stolen data.” 

Extortion groups have also exploited vulnerabilities in widely used software to carry out mass data theft-led extortion, as was seen in the high-profile compromise of the file-transfer tool MOVEit.

Unfortunately, this is big business for the “threat actors”, as the perpetrators of these attacks are known. Organizations may choose to engage with them, sometimes to buy time to get their house in order, sometimes to pay a ransom.

A ransomware negotiator will be able to advise on whether the threat actor is who they claim to be. As Marcus Harewood in London explains, this is critical if the company is considering meeting their demands.

“The organized, financially motivated threat actor groups rely heavily on their name and reputation to extort their victims,” he says. Are they good for their promises if a ransom is paid? “There is some honor among thieves. If they were to renege on their word, no cybersecurity expert or threat intelligence expert would advise carrying on with payment.”

Lawyers can’t make recommendations around paying a ransom, but they can advise on the legality of doing so—for example, whether the threat actor is subject to sanctions or is part of a terrorist organization. They will also liaise with law enforcement. 

“Clients want to know that if they pay the ransom, they’re not going to fall foul of sanctions,” says Marcus. That’s alongside considerations around whether paying a ransom will mean a company can get back up and running faster, or at all—particularly sensitive considerations in sectors such as healthcare.

Away from extortion, espionage and IP theft following the compromise of an IT environment remain key issues. Such attacks are sometimes carried out by nation-state actors and can involve access to highly sensitive information.

Ffion says: “The threat actors in this area tend to go ‘low-and-slow’. They try to obtain persistence within an environment, so they can gather as much information as possible while remaining undetected.” 

In a worst-case scenario, threat actors may also look to carry out attacks to damage physical infrastructure. Mercifully, to date, there have been few examples of this—but in a climate of heightened geopolitical and military sensitivity, it’s a risk deserving close attention at all levels.

What about the major outages we hear about?

Significant cyber incidents can also happen that don’t involve malicious intent. A notable example was the global IT outage in July 2024 relating to CrowdStrike’s cybersecurity software, which thousands of companies around the world rely on.

“CrowdStrike was a ‘black-swan’ event,” says Ross Phillipson in Perth. “It’s woken up a lot of people in terms of thinking about operational resilience risk.” 

Catharina adds: “Clients are realizing how easily it can happen. They don’t necessarily need to be the target of a malicious actor; it could just happen because of the concentration of risk.”  

How can the risk best be managed, strategically and operationally?

The financial cost of cyber incidents and outages, alongside new laws and regulations such as the EU Digital Operational Resilience Act (DORA), the recast EU NIS2 Directive, and Australia’s CPS 230 Operational Risk Management standard, is driving investment into cybersecurity and operational resilience across many sectors. Cybersecurity-related obligations in data protection and privacy laws are another factor, with many of the penalties imposed under legislation such as the General Data Protection Regulation (GDPR) being related to cybersecurity failings.

Boards are realizing that they too have obligations. Anna Rudawski in New York says cyber risk management historically was a reactive practice, determined by regulatory investigations and enforcement actions. “We’re seeing the balance shift to proactive work,” she says. “Boards need to set the tone, so everyone understands the risk to business.”

A company needs expertise and knowledge to make the right investment choices. “A lot of cyber strategy can and should be done with the legal team,” says Anna, “including where to get the best value in terms of promoting legal and regulatory compliance.

“You need to make those decisions in a room with the right people, and you want lawyers to be involved because, at the end of the day, you’re managing legal exposure.”

Ross adds: “This is a legal and regulatory issue now; you don’t always need to achieve the gold standard, but you do need to look at where you are in terms of your cybersecurity maturity, and whether that satisfies your obligations under applicable law and regulation—and that’s what we’re very good at.”

Marcus warns that many organizations still aren’t getting the basics right. For example, password policies are commonly weak and that, together with a lack of multifactor authentication, makes companies vulnerable to credential stuffing, in which cyber-criminals buy usernames and passwords obtained in historic data breaches and use them to try to access companies’ IT systems.
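To make the credential-stuffing pattern described above concrete from a defender’s side, here is an added example (not code from the article or from A&O Shearman) of a detection check run over constructed authentication log lines. The heuristic it implements, flagging a source address that attempts many distinct usernames with a high failure rate, is a common triage rule and is an assumption of this example rather than anything the article specifies; the log format, thresholds and IP addresses are all constructed.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not from the article: the rule flags a single source address that
tries many *different* usernames and mostly fails, which is the signature of replaying
credentials bought from historic breaches. The log format, thresholds and addresses
below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines: "<timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2024-11-01T09:00:01Z 203.0.113.7 alice FAIL
2024-11-01T09:00:02Z 203.0.113.7 bob FAIL
2024-11-01T09:00:02Z 203.0.113.7 carol FAIL
2024-11-01T09:00:03Z 203.0.113.7 dave FAIL
2024-11-01T09:00:03Z 203.0.113.7 erin FAIL
2024-11-01T09:00:04Z 203.0.113.7 frank SUCCESS
2024-11-01T09:05:10Z 198.51.100.4 alice FAIL
2024-11-01T09:05:25Z 198.51.100.4 alice FAIL
2024-11-01T09:05:40Z 198.51.100.4 alice SUCCESS
2024-11-01T09:10:00Z 192.0.2.9 bob FAIL
2024-11-01T09:10:01Z 192.0.2.9 bob FAIL
2024-11-01T09:10:02Z 192.0.2.9 bob FAIL
2024-11-01T09:10:03Z 192.0.2.9 bob FAIL
2024-11-01T09:10:04Z 192.0.2.9 bob FAIL
2024-11-01T09:10:05Z 192.0.2.9 bob FAIL
this line is malformed and must be skipped
"""


@dataclass
class SourceStats:
    """Per-source-address counters built from the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    # Accounts that logged in successfully from this source: with MFA enforced these
    # logins would have been blocked; without it they are the accounts to reset first.
    compromised: set = field(default_factory=set)

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line: str):
    """Split one log line into (timestamp, ip, user, result); None if malformed."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("FAIL", "SUCCESS"):
        return None
    return tuple(parts)


def aggregate(log_text: str) -> dict:
    """Fold every well-formed log line into a SourceStats keyed by source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        _, ip, user, result = rec
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "FAIL":
            s.failures += 1
        else:
            s.compromised.add(user)
    return stats


def detect_credential_stuffing(log_text: str, min_distinct_users: int = 5,
                               min_fail_ratio: float = 0.8) -> dict:
    """Return {ip: summary} for sources matching the stuffing pattern.

    A single account failing repeatedly from one source is a brute-force pattern and
    is deliberately NOT matched here; a user mistyping their own password a couple of
    times is not matched either, because the distinct-user count stays at one.
    """
    findings = {}
    for ip, s in aggregate(log_text).items():
        if len(s.users) >= min_distinct_users and s.fail_ratio >= min_fail_ratio:
            findings[ip] = {
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "fail_ratio": round(s.fail_ratio, 2),
                "accounts_to_reset": sorted(s.compromised),
            }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

Run on the constructed log, only 203.0.113.7 is reported (six usernames, five failures, one success against “frank”); the repeated failures against a single account from 192.0.2.9 are left for a separate brute-force rule, and the thresholds are parameters so they can be tuned to a real environment’s baseline.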

The risk will look different depending on the sector—for example, in the energy sector, the focus will be on the infrastructure, and in healthcare, it will be on patient safety and data. The focus is different, says Catharina, but the steps they need to take are basically the same. “It’s a risk-based approach. You need to identify the biggest risks and tackle them.” 

What won’t be tolerated, particularly by a regulator, is doing nothing. “They want to see that you’ve done something,” she says. “It might not prevent the incident—because it’s inevitable that something will happen—but you’ve tried to prepare and you’re now in a position to respond.” 

Ross agrees. “Nobody is expecting perfect, but they are expecting you to have thought about it. Hard choices will have to be made,” he says.

“What’s really important from our perspective—and we spend a lot of time helping clients with this—is to make sure you have a narrative, that you’ve thought about the risks and that you have a path. ‘It’s too hard and too expensive’ isn’t going to wash.”

Companies are also using emerging technologies to good effect. For example, for some years now machine learning has been integrated into endpoint detection and response (EDR) software and other defensive solutions. 

As Marcus explains: “At any one time, companies will be facing a number of different attacks and there will be a number of different alerts flagging. Some will be false positive, some credible. It’s very difficult to decipher through that noise what needs to be prioritized and actioned first, so companies are using AI-based technologies to search through that data—and it’s doing it a lot quicker than a human would.”

How can companies prepare for incidents?

Cybersecurity is about protecting what you have, but also preparing for the worst. Steven says key decisions in a cyber-attack include “whether to engage with the threat actor, if and when to take systems offline and restore them, and when and who to inform.” A mature incident readiness program will identify a clear process and lay out responsibilities so that everyone knows who is accountable. 

Anna observes a tendency for companies under attack to scramble. “They don’t know who the key decision-makers are, and there are all these decisions, which are difficult to answer in a crisis.” Thorough and constant preparation can mitigate these issues. 

Cyber simulations are helping companies refine their response. As Marcus says: “Leaders are thinking about it now in times of peace, rather than when they’re in the line of fire. You game what they will do. 

“If you prepare for it, train, and train again, your response capability will increase.” 

Those who fail to plan can make a bad situation worse: “If the comms goes wrong, that’s what you will be remembered for,” he adds. “It’s almost as damaging as what you’re facing because it’s what everybody sees.

“This isn’t an everyday problem, so you need a level of expertise.” As well as your legal team, that expertise includes ransomware negotiation, cyber-crisis communication and forensic investigation. 

“We’re often written into organizations’ incident response plans and procedures,” Marcus says. “We’ll ensure that the whole investigation is conducted under legal privilege. We’ll take a company through the lifecycle of the incident and all the different workstreams, including its legal and contractual obligations. We’re forensic and technically minded—and we know what regulators look out for.”

Our cyber team also works with clients to develop operational resilience. This covers everything from a robust business continuity plan with a cyber focus and testing what their attack surface looks like, to mitigating damage following an attack and preparing for the next one. 

Catharina says: “You prepare to be able to continue your services and offer your products in the best way possible while still dealing with the disruption.”

Good planning starts with knowing what you have in terms of inventory, servers, systems and processes. Ross says: “Assume it’s going to happen and identify those systems or operations that are so critical to your business that you would struggle to operate without them.”

AI - the next frontier?

There’s a lot of talk about how AI will change the cyber threat landscape, lowering the barrier to entry for threat actors and generating new defensive challenges. There are also concerns that AI models and systems themselves could be targeted by attackers.

Charlie Weston-Simons in London says the focus for now is on leveraging AI to make conventional threat actor behaviors more effective: “For example, AI can help someone write a very convincing phishing email as well as automating and accelerating processes that threat actors use to identify and exploit vulnerabilities.”

Final thoughts

Cybersecurity is a journey of continuous improvement. Threat actors are getting more sophisticated, technology is always changing, and there are new laws and regulations on the horizon globally.

Anna Gamvros in Sydney says: “We’ll see more laws and, increasingly, we’ll see them dressed up as national security laws because of geopolitics. That leads to a risk, which is more executive power and, in particular, government interference in private enterprise and their assets.

“It’s an interesting space to be in from a policy perspective, let alone a law and risk-management perspective. I can’t think of a better time in the history of the world to be a cybersecurity lawyer!”

Expansion of our global cyber team

Our global Cybersecurity practice expanded significantly in early 2024, with the hire of five dedicated cyber partners as well as counsel and associate teams across the UK, U.S. and APAC, supplementing A&O Shearman's existing cyber expertise, which was mainly located across Europe.

We are a standalone team that brings a specific skillset to solving cyber issues, including legal risk management, incident response, regulatory compliance and handling investigations and follow-on litigation. We work closely with teams around the firm, including data privacy, regulatory and AI.

How we came to be cyber specialists is interesting. Our backgrounds include working for the police, advising on insurance disputes, crisis management and data privacy. The cyber legal landscape has evolved significantly over the last ten years, and we're fortunate to say we've had a front-row seat.

Working with clients in a crisis, and often on one of the worst days in their careers, means that the client relationships we build are strong ones. They're also usually with senior members of the business including the C-suite and board members.

Since our practice expanded earlier this year, we've developed our legal product offering to address cyber risk management, integrating with existing team members around the world and, most importantly, taking the offering to clients.