Cyber crime is heralded as the biggest threat facing modern businesses today. You only have to look at the news in recent years to see that data breaches and cyber crimes rarely stray from the headlines.
The publication of these incidents has served to improve awareness and it is no surprise that members of the public are growing wise to the risks of cyber attacks, whether they be at work or in their personal lives.
Living in a digital world means we put a lot of trust in our networks and devices, whether we are connecting with colleagues via mobile devices, hosting data and applications in the cloud or simply making payments online. With the rise of remote working, businesses rely on this connectivity to function day to day.
So what is the major trade-off for these collaborative privileges? The risk of a serious data breach. Cyber attacks are becoming more frequent and more sophisticated, and businesses need to be more proactive when it comes to safeguarding their intellectual property, business data, financial information and, most importantly, their company's reputation.
Who is vulnerable?
Any company, irrespective of size or sector, will at some point be at risk.
Cyber crime forms a large part of IT Group's target market, and we are frequently asked to assist in the recovery after a cyber attack as well as to offer advice on prevention and protection. In our experience, professional cyber criminals tend to target those who hold highly sought-after information and where there is the prospect of substantial financial gain. The obvious example is the banking/financial sector but, increasingly, companies with valuable intellectual property (e.g. defence contractors, pharmaceuticals and media organisations) are being targeted. Over the last three years IT Group has seen a particular increase in the number of instructions relating to theft by previously trusted sources (e.g. disgruntled employees).
In addition, the industrial-scale cloning of credit card numbers and the associated identity theft carried out by international organised gangs mean that a relatively small number of individuals can be responsible for losses measured in hundreds of millions of pounds each year.
Another example is what is known as dial-through fraud or telephone hacking, where company telephone systems are compromised and then used to make "free" or cheap calls to third-world countries. While there have been some successful civil cases brought against suppliers and third-party maintenance providers for not making the systems sufficiently secure, there have never been any criminal prosecutions, because the perpetrators are too difficult to identify and the stolen services have already been consumed and so cannot be recovered.
Mitigating the risks
Chip and PIN in the banking/financial sectors, together with better firewalls, strong passwords and two-factor authentication, have been hugely successful in mitigating the risks of cyber attacks, and as these technologies continue to be rolled out to company systems, cyber crime in general will become more difficult and therefore should, in theory, decrease.
Unfortunately, however, there is no "one size fits all" solution; technology, whilst critical, can only go so far. Often the largest risk comes from individuals within the business, because security measures such as firewalls, strong passwords and two-factor authentication cannot protect against someone who has legitimate access to the data and then takes unauthorised actions with it.
Can legislation ever keep up?
In our experience, legislation is typically able to deal with new threats only after they arise. For example, we have seen successful prosecutions in the UK under the Computer Misuse Act and the Serious Crime Act.
The EU is investing heavily in new legislation that is likely to require Digital Service Platforms to meet new cyber security obligations under the EU's planned Network and Information Security (NIS) Directive. Under the plans, Digital Service Platforms would face "less onerous" cyber security obligations than other organisations subject to the Directive, such as operators of critical banking, energy, health and transport infrastructure.
It is not yet clear what those obligations would entail, and 'Digital Service Platform' has not yet been defined. However, according to earlier NIS Directive proposals, operators of infrastructure that is "essential" for the maintenance of major "economic and societal activities" would be required to have appropriate and proportionate cyber security measures in place to protect their network and information systems from being compromised. Operators of that infrastructure would also be required to report to regulators any cyber security incidents that have a significant impact on the security of their network or systems.