Cybercrime and the disruption by the COVID-19 outbreak

Cybercrime and the disruption by the coronavirus outbreak: it is not a matter of if you will be hacked, but only when.

29 October 2020

Publication

Cybercriminals are increasingly trying to exploit the disruption caused by the coronavirus outbreak. Recently, cybercriminals saw their opportunity in targeting employees forced to work from home at companies and government organizations where cybersecurity was not (yet) geared to working from home. Criminals are targeting large organizations, of which GPS and smartwatch manufacturer Garmin is the next in line. On 23 July 2020, the company became the victim of a cyber attack, as a result of which large amounts of files and data were encrypted. In a statement, Garmin says that it is currently slowly recovering from the cyber attack; many of its online services were interrupted, including website functions, customer support, customer-facing applications, and company communications.

According to cybersecurity experts, Garmin was hit by highly aggressive ransomware, called WastedLocker. Protection against this kind of ransomware and comparable ransomware families such as REvil and NetWalker is possible, but requires sophisticated and robust cybersecurity solutions.

There is no doubt that cybercrime will continue to develop. Criminals are anticipating new technological developments, and committing digital crimes will become easier. Because of these developments and the increasing complexity of the ICT landscape in the digital society, the resilience of companies will be under increasing pressure. Companies need to keep up with technological developments in the ICT field and must act on identified vulnerabilities in their systems at an early stage.

The question is whether companies are sufficiently aware of this duty of care and the possible risks they carry. In theory, the prosecution of companies that have been negligent in their cybersecurity is already possible under Dutch law, and it remains to be seen whether this enforcement possibility will actually be used.
For more insights, please read the article (in Dutch) by my colleague Willemijn Warnaars and myself.

Apart from the specifics of the Garmin case, which is still under investigation by the company, complying with cybersecurity standards in general is a must, and companies should put cybersecurity and cyber resilience at the top of their agenda. After all, it is not a matter of if you will be hacked, but only when, and then you'd better be well prepared.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.