Mornings for some consist of checking Twitter, Facebook, WhatsApp, Instagram, work and personal email accounts before leaving the house. Throughout the day a large number of us will go on to check our bank balance, book a restaurant, do our food shopping, deal with clients, book our next holiday or train home, all online. But do we really know how secure our data is and who has access to it?
This question has taken centre stage following the recent news that intimate pictures of celebrities which had been stored on the iCloud have been published online. It has been suggested, however, that hackers correctly answered celebs’ security questions rather than directly infiltrating Apple’s servers via more sophisticated means.
Who can forget, however, the revelation late last year that Target, one of the largest discount retailers in the US, had been the victim of a cyber-attack which resulted in the theft of millions of customer payment card details and other personal data? Or the revelations by Edward Snowden about the quantity and quality of information that governments are collecting and analysing about their own citizens?
Much food for thought about the balance of national security versus personal freedom and anonymity, but that is a topic for another day. My concern in this blog is cyber security.
Cybercrime is a threat to both individuals and businesses across the world. A cyber-attack is an attempt by a third party to damage, disrupt, or gain unauthorized access to a computer, computer system, or electronic communications network. For the purposes of this blog I have used this specific definition as opposed to the wider definition of cybercrime as ‘any crime that is committed over the Internet’.
Cybercrime can be committed directly against an individual or business, such as an attack on a business’s systems or website, or against a third party holding information about a business or individual. An example of the latter is the way hackers allegedly infiltrated Target’s IT systems by targeting a contractor that itself had access to Target’s systems; another is the targeting of a bank, which holds many businesses’ and individuals’ details.
The main types of cybercrime are phishing and hacking. An example of the first would be an email sent to an individual purporting to be from a reputable source in an attempt to acquire sensitive information, such as the password or username to an online banking account. Hacking is gaining unauthorised access to a computer, computer system or electronic communications network to access sensitive information and/or to take control of them. Botnets are one of hackers’ tools and originate when a number of personal PCs are taken over by a hacker who uses them as ‘slaves’, normally to send out spam emails. This is achieved by sending users an email containing a link which, if the user clicks on it, causes a virus to infect the user’s computer, making it manipulable by the hacker.
The Global Economic Crime Survey 2014, carried out by PwC, found that one quarter of their respondents had experienced cybercrime, with over 11% of those suffering financial losses of more than USD1 million as a result. And that is just the cybercrime that is reported. The survey makes the point that much of the damage caused by cybercrime is not disclosed, either because it is not known, because it is difficult to quantify or because it is not shared.
The growing threat of cybercrime was also recognised by NATO at their summit earlier this month with cyber defence being declared part of NATO’s core task of collective defence.
So what can businesses do?
From a practical perspective, businesses should protect themselves from cyber-attacks by installing adequate anti-virus solutions and keeping them up to date; ensuring suitable firewalls are in place to protect their network; maintaining an inventory of all IT equipment and software; restricting the use of removable media; managing user privileges by asking what information each employee needs in order to carry out their role; and giving their staff sufficient training. Businesses processing personal data are, of course, under a legal obligation to take “appropriate technical and organisational measures” to protect such data against data security breaches in accordance with the Data Protection Act 1998 (DPA). Given that the Information Commissioner has the ability to levy fines of up to £500,000 for serious breaches of the DPA, putting in place these practical security measures should be high on a business’s agenda.
From a legal perspective, businesses should protect themselves by addressing any potential data security breaches as a result of cybercrime in their contractual documentation with their clients or contractors. They should ensure on the one hand that they have limited their liability as far as possible in relation to a data breach by themselves affecting their clients. On the other hand, contracts with contractors should contain preventative measures addressing cyber-attacks and clauses dealing with the fall-out should the worst happen. For example:
- Is there an obligation for the contractor to have in place adequate security measures to prevent data security breaches and does the business have the right to audit compliance with these obligations?
- Has the contractor provided an appropriate indemnity to the business to cover the losses of the business arising from a cyber-attack suffered by the contractor?
Ultimately, if a business suffers loss as a result of a cyber-attack against one of its contractors, it would be prudent to have in place contractual remedies which may be utilised should such a contractor have been negligent in its prevention of cybercrime.
Most important, however, is that the risks of cybercrime are understood by those at the top of an organisation and that businesses are pro-active in protecting themselves from the threat of cyber-attacks, not reactive. A cyber-attack can result in huge reputational damage, sanctions from regulators and large financial losses. Prevention is key but consider also resilience management – how quickly can your business react to and recover from a cyber-attack? The same applies, to an extent, to individual households.
The threat of cybercrime is only going to increase as cyber-criminals become ever more sophisticated and as more and more devices (televisions, fridges, heating systems, cars) are connected to the web. It’s time to take cyber security a little more seriously and certainly a good time to be in the cyber security industry.