Legal Briefing

Managing the cyber crime curse

The In-House Lawyer Logo

White-Collar Crime | 12 December 2017

Today, it is a question of when and not if a cyber security breach will occur in your business. Every organisation needs to be aware of the risks and how to react when a breach occurs.

In this article we explain why cyber security matters and the steps that can be taken to reduce the risk of a breach. We also provide guidance on how to respond in the event of an incident.

What is cyber crime?

The Oxford English Dictionary defines cyber crime as ‘criminal activities carried out by means of computers or the internet’. Given the prevalence of IT in today’s world, that is a very broad definition.

Cyber crime can perhaps be better described by way of two examples.

Example one

First, we have frauds committed through the use of technology. Fraudsters set up a fake email account purporting to be from a supplier and instruct payment to a specific bank account which is not the supplier’s true bank account. This is called ‘phishing’.

A similar situation is where a fraudster calls a business claiming to be from their bank, uses software to make it appear as if the call is coming from an official bank telephone number and extracts financial information from the unwitting staff member who takes the call and believes the request is genuine.

That is a classic criminal fraud – we have a fraudster achieving a practical result by means of a false pretence. It is otherwise known as a ‘vishing fraud’ and happened to Highland Hospice earlier this year. They lost £500,000.

Example two

Second, we have software that, once opened, blocks or locks access to computer files or data until an amount of money is paid. That is commonly known as ‘ransomware’. Once infected, access to files is restricted and a message appears on your screen with details on how you can pay for their recovery. That is precisely what happened to the NHS earlier this year. In Scotland 12 Scottish health boards were targeted. It cancelled medical operations, diverted ambulances and made documents such as patient records unavailable.

Two different circumstances with one, crucial, thing in common. Both require an individual within the business to make a mistake – either unwittingly sharing information with a fraudster or opening software they should not.

Human touch

As much as cyber crime is about technology, it is also about human error. The specialist department within Police Scotland that investigates this type of criminal conduct – known as Police Scotland’s cyber crime hub – has urged ‘people to be on their guard against unsolicited calls from someone claiming to be from their bank’. Following the Highland Hospice incident, the Police Scotland guidance was to ‘consider visiting your local branch instead of speaking to someone over the phone’.

It sounds simple. The issue is that one inadvertent mistake can have drastic consequences. That is why it is so important to have a programme in place to educate those within the business with a view to reducing the risk of mistakes.

The impact of cyber security breaches
  1. Cyber crime hits businesses in the pocket. Police Scotland recently estimated that millions of pounds have been lost by businesses in Scotland. Added to that is the impact on ongoing operations – a loss of data, even temporarily, can have catastrophic consequences.
  2. The time and costs associated with dealing with a regulatory investigation. In Scotland, Police Scotland’s cyber crime hub has shown an appetite to investigate cyber security breaches. The National Crime Agency and the National Cyber Security Centre adopt a similar approach at a UK level. They will investigate how the breach occurred with a view to tracing the perpetrators and recovering lost data and stolen funds. That process will involve the authorities speaking with individuals within the business and reviewing material. All of that, while important, takes staff away from their day jobs.
  3. Data protection consequences. The Data Protection Act 1998 places obligations on all organisations that control and process personal data. The information held on computer systems, removable media, company servers and in the ‘cloud’ is often personal data. Data controllers are obliged to take appropriate technical and organisational measures to protect against: (a) unauthorised or unlawful processing of data; and (b) accidental loss or destruction of, or damage to, personal data. Failures can lead to significant fines by the Information Commissioner’s Officer of up to £500,000. As has been widely reported, changes to data protection laws are looming. From 25 May 2018 the General Data Protection Regulation will come into force across the UK and Europe, raising the security obligations on each and every organisation that handles personal data. In the event of a security breach, organisations will face financial penalties of up to €20m or 4% of annual global turnover, whichever is higher. All organisations will be required to report a personal data breach without undue delay.
  4. Professional fines – for regulated professionals there can be additional penalties if an organisation’s data security is breached. Financial services regulators have fined members up to £3m for failing to protect personal data where inadequate systems have caused the failure.
  5. An organisation bidding for work through a tender may be asked whether they have had any data security breaches. Answering that question with a ‘yes’ may well impact on the prospects of a successful bid.
  6. There is inevitable damage to reputation and loss of public/customer confidence. That can have a knock-on effect on business revenue going forward – customers might be reluctant to engage with organisations if there is a concern their information and assets might not be safe.
  7. Cyber security breaches can happen to any organisation, of any size, and the impact can be drastic. So how do you manage the risk?
Steps to take to reduce risk of attack

The need to manage the cyber security threat has never been greater but the law does not prescribe what to do to. Where a breach has occurred, the current technical security standards, internal policies and procedures, and the type and nature of data processed by an organisation are all factors to be considered when assessing whether appropriate security measures were in place.

The key message is that cyber security planning needs to form part of the ongoing governance of the business.

In that context, the authorities have produced a range of helpful guidance on the technical steps that can be taken. They include updating Windows, running antivirus software and backing up important data.

Those technical measures should certainly be implemented but how does an organisation limit the scope for the human error we mentioned earlier? Every organisation should have policies and procedures to manage the risk of cyber crime. That should include:

  • Conducting a risk assessment of the organisation’s vulnerabilities.
  • Implementing safeguards and controls to address vulnerabilities – that might include the technical steps mentioned above.
  • Appointing designated individuals with responsibility for the application
    of the safeguards.
  • Reviewing regularly the application and effectiveness of the safeguards.
  • Communicating to employees the importance of adhering to the safeguards – an organisation might have a policy it requires all staff to sign up to.
  • Providing training to employees – one of the most common issues is employees clicking into links or downloading attachments in unexpected emails. A training session on what to look out for and ‘what not to do’ can be the difference between an employee clicking into the link, and not.

Having in place a clear programme of safeguards and controls cannot prevent all breaches but it will make them less likely. Given the potential impact of an incident, it is certainly worth investing in limiting the risk.

What if an attack happens?

While a cyber security breach may be inevitable, the consequences do not have to be. If your organisation is the victim of such a breach, it is vital to act quickly and as a minimum:

  • do not pay out;
  • contact the authorities;
  • inform IT support with a view to securing data; and
  • engage legal support.

Having an agreed plan with clear steps to be taken in the event of an attack can save time, resources and money. Appropriate individuals within the business should be identified to take responsibility for designing and stress testing the plan to ensure that it works effectively.

The third example

Earlier, we mentioned two examples where a member of staff inadvertently facilitated the criminal conduct. What happens when the perpetrator is part of the business?

In the 2016 Cyber Security Intelligence Index, IBM revealed that 60% of cyber security incidents were perpetrated by individuals within the organisation, and not by external hackers.

Earlier this year an IT officer from Dundee City Council was imprisoned for fraudulently sending council funds to his own bank account, while giving the impression the funds were being directed to genuine suppliers. He admitted defrauding the council of over £1m over a six-year period. Steps can be taken to recover the funds under proceeds of crime legislation but there is no guarantee it will be returned.

That is a clear example of individuals within an organisation being the root cause of significant financial loss to an organisation.

What can be done about it? It is unrealistic to expect that a system can guarantee an employee will not engage in criminal conduct. However, putting in place a number of practical steps will reduce the risk and can increase the likelihood of identifying the criminal conduct at an early stage.

Top-level communication explaining the organisation’s zero-tolerance approach to cyber security breaches can have a deterrent effect, particularly when it is reinforced by clauses in contracts of employment explaining that any breach may result in dismissal.

Earlier, we mentioned staff training on ‘what not to do’. There is another benefit in educating staff – they are more likely to be in a position to identify misconduct by others in the business.

Ensuring that the activities (including IT activities) of all staff are regularly monitored will also help to identify and address inappropriate conduct.

Be prepared

The rise of cyber crime is clear for all to see. The drastic impact it can have on organisations should be just as clear.

Basic good governance will include investing in a programme of safeguards and controls, and contingency planning which will engage in the event of a breach. However, individuals within your organisation are the front line when it comes to combating cyber crime. One mistake can have drastic consequences throughout an organisation. It is therefore vital to educate staff at all levels on the importance of compliance with internal policies and procedures, and the steps that should be taken to achieve that.

We have also considered the scope for individuals within an organisation to commit the breach. That is a real risk – there are high-profile cases where it has happened. If that risk is not managed properly, your organisation is exposed to hackers and fraudsters inside, as well as outside, the organisation.