2015 has once again been a year in which cyber-crime has hit the headlines. A government report estimates that cyber-crime cost the UK economy £27bn in 2015. A recent survey also reports that UK firms on average lost £4.12m this year from cyber-attacks – up from £3.86m in 2014. Despite the best endeavours of law enforcement bodies, cyber-crime is only likely to get worse. 2016 is expected to see the birth of the ‘zettabyte’, equal to almost 1.1 trillion gigabytes. The continuing expansion of e-commerce and cyber-related activities will present more opportunities for criminals. Some of the highlights of the past year have been as follows:
National Security Strategy and Strategic Defence and Security Review
The November National Security Strategy and Strategic Defence and Security Review restated the risks posed by cyber-crime to the security of the UK. The National Security Council had previously identified cyber-attacks as a "tier one" risk to national security, alongside international terrorism and major international conflict. The latest Strategic Defence Review said that the government would “treat a cyber-attack on the UK as seriously” as a “conventional attack”. The Review promised that an extra £1.9bn would be spent on cyber-security by 2020.
EU-wide rules against cyber-attacks come into force
On 4 September the deadline passed for EU Member States to implement the Directive on Attacks against Information Systems (Directive 2013/40/EU). The Directive requires Member States to implement national rules so that illegal access, system interference or cyber-interception will constitute criminal offences across the EU. As of 4 September, however, a number of Member States, including Belgium, Italy, France and Sweden, had yet to implement in full the provisions of the Directive. The Directive forms part of the EU’s “Cyber-security Strategy”.
Information security breaches
In July PwC published its annual Information Security Breaches Survey, which confirmed that information security breaches for companies are becoming a near certainty. The survey, commissioned annually by the Government, found that nearly 9 out of 10 large organisations surveyed now suffer some form of security breach. According to the survey, the average cost of the most severe online security breaches for large businesses started at £1.46m – up from £600,000 in 2014. For SMEs, the most severe breaches cost as much as £310,800, up from £115,000 in 2014. Despite these costs, most organisations did not plan on spending more on information security over the next year.
Repeated large-scale cyber-crime attacks
2015 saw a number of large companies suffering cyber-attacks. For example, in December JD Wetherspoon had 656,723 of its customers’ details stolen by hackers. This attack came shortly after the hacking of TalkTalk. In this attack, approximately 15,000 customers’ bank account numbers and sort-codes were stolen by hackers. In August, we discussed the stealing of customers’ details from the Carphone Warehouse. That same month, we also blogged about the hacking of customers’ personal details from the Ashley Madison dating website. All of these companies suffered greatly, both in terms of lost trust and business, following these attacks. These incidents reiterate the importance of firms taking preventative action.
FCA business plan
In April the Financial Conduct Authority (FCA) published its 2015/16 business plan in which it identified technological challenges, including cyber-crime, as one of the key risk drivers in customers’ dealings with financial institutions. In its plan, the FCA noted the risks posed by cyber-crime to the workings of financial markets. The FCA restated its commitment to working with the Prudential Regulation Authority (PRA) and the Bank of England on the visibility of IT resilience and risks at board level, and with Treasury and regulatory partners on addressing cyber-crime related risks.
National Crime Agency
In April the National Crime Agency (NCA) launched a concerted and highly publicised attack against alleged cyber-criminals. As we discussed here, the initiative was in part about countering the widely-held impression that UK law enforcement agencies have neither the resources nor the expertise to tackle cyber-crime offending. Although the NCA’s budget was protected in cash terms in the November 2015 Spending Review, many still question whether the NCA does in fact have the capacity to tackle the growing cyber-crime problem.
As this year in review highlights, cyber-crime comes in a variety of formats and frequently involves strategies or technology not previously encountered. Preparing for such attacks is becoming increasingly difficult, leaving companies vulnerable to data protection breaches. Companies must obtain advice at the earliest opportunity on implementing best practice and procedure to ensure effective compliance.