Cybercrime: Should we let it stop the use of technology?
Cybercrime is just like any other risk: it needs to be identified, managed, and mitigated to stop it from having a negative impact on the future of the firm, writes Brian Rogers
Cybercrime is a clear and present danger for all businesses, whether it is instigated by national governments, organised criminals, or hackers who just want to show their 'peers' how good they are at getting into systems owned by other technology users.
The map in Figure 1 is provided by Norse and gives a snapshot of the hacking attacks taking place every second of every day. Note that it visualises attacks detected by Norse's own sensor network, so it is a sample of activity rather than a complete count. To see a second-by-second view, please visit https://map.norsecorp.com/#/.
It is only when you see vivid illustrations like the Norse map that you can fully appreciate how widespread cybercrime is, and that it can come from any location and hit any target, whether personal, governmental, or commercial. The UK government has increased spending on cybercrime prevention, but it is concerned about getting the message across that it cannot do everything on its own: businesses need to invest more in cybercrime prevention and raise the profile of the issue with all employees.
Cybercrime accounted for nearly $500bn of losses around the world in 2015, with £27bn lost in the UK alone, yet this does not appear to have hit businesses hard enough for them to take the issue as seriously as the government would like.
The government believes that cybercrime in the UK is grossly under-reported, so losses are likely to be much higher than the figures that have so far been published.
In 2015 over 50 law firms were targeted by cyber criminals, leading to losses ranging from £50,000 to £2m. As a consequence, the Solicitors Regulation Authority (SRA) now includes cybercrime in its Risk Outlook.
What is cybercrime?
Cybercrime is defined as 'illegal activities undertaken by criminals for financial gain', with such activities exploiting vulnerabilities in the use of the internet and other electronic systems to illicitly access or attack information and services used by firms and their clients.
Cybercrime can take many forms but the main kinds are:
Scareware: Cyber criminals use fear tactics or other unethical marketing practices to mislead individuals into downloading software (such as fake anti-virus software) onto their computers. The software is often ineffective, or may appear to deal with certain types of virus while installing malware of its own. Individuals may then have to pay the cyber criminals to remove the infection and repair its effects;
Theft from businesses: Cyber criminals steal money online directly from businesses, which usually involves fraudulently obtaining access and looting accounts. In some instances, this activity is greatly assisted by an 'insider';
Extortion: Cyber criminals hold a business to ransom, often through a deliberate denial of service (for example, by using malware-infected machines to flood a business server with bogus internet traffic) or by manipulating a firm's website or its links, which can lead to extensive brand damage (for example, by redirecting visitors to the firm's website to an online pornography website); and
Client data loss: Cyber criminals steal sensitive client data from a business (such as client financial, medical, or criminal record details) with the purpose of selling the data on to other criminal networks or using it for blackmail attempts.
Consequences of cybercrime
The consequences of cybercrime can be severe:
Financial harm to firms or their clients;
Theft or loss of sensitive client data;
Potential breaches of data protection law; and
Potential regulatory breaches.
It could be said that given the threat and consequences of cybercrime, the easiest way to avoid it would be to go back to past means of communicating - by letter, hand delivery, fax, and so forth. However, not only would this be a defeatist approach, but it would not be in the best interests of a business or its clients.
Cyber insurance perspective
Insurers admit that they have been somewhat slow in coming to terms with the threat from cybercrime and how it affects those they cover, but they are now working hard to ensure that their policyholders are taking the appropriate steps to not only mitigate the cyber risk for themselves but also for their clients.
Firms will need to be very aware of cybercrime and how it can be prevented, as insurers will be asking some very in-depth questions at professional indemnity insurance renewal time about the steps firms are taking to protect themselves. Firms without a cyber plan or which make no mention of the threat of cyber attack in their business continuity plans are likely to face an uphill struggle in terms of convincing insurers they should take the risk of providing cover.
Many firms are likely to think they hold insurance cover for cyber attacks and therefore sit back and relax. However, it is highly likely that their policy does not provide the cover they think it does. Now would be the right time to review insurance policies to ensure they do in fact cover cyber risks and that cover is set at an appropriate level for the potential exposure that may be faced by a firm. As an example, would your current policy pay out if you lost your business as a consequence of a cyber attack and the reputational damage caused?
Effective use of technology
Effective use of technology can provide firms and their clients with significant benefits, so as long as firms employ appropriate security measures they should continue to use it.
Firms use technology in many different ways, including:
Risk and compliance management;
Accounts management; and
Research and training.
Cybercrime as a risk
Cybercrime is just like any other risk: it needs to be identified, managed, and mitigated to stop it from becoming a reality and having a negative impact on the future of the business.
The government recommends fairly straightforward steps to protect businesses from most of these threats in its Cyber Essentials guidance. The five controls are as follows:
Boundary firewalls and internet gateways: Make sure you have systems to stop intrusion into your network, and that only the services you intend to publish are reachable from the internet;
Access control: Make sure that only those who should be able to access systems can do so, and that they do so with the right level of privilege (ordinary work should not be done from administrator accounts);
Malware protection: Keep antivirus software installed on every machine and keep it, and its signatures, up to date;
Patch management: Make sure that you are using an up-to-date and supported version of all applications, including your operating system and browsers, and that you install patches from the vendor promptly; and
Secure configuration: Make sure systems are set up in a way that meets your needs and protects security: remove or disable unnecessary accounts, software and services, change default passwords, and disable autorun.
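To make the five controls measurable rather than a tick-box exercise, an IT team can turn each one into a concrete check against its asset inventory. The script below is an added illustration, not part of the original article or of the Cyber Essentials scheme itself: the host records, field names, the supported-OS list, the known-administrator list and the day-count thresholds are all assumptions made for the example, and a real firm would take them from its own asset register and policy.

```python
"""Added example: score a small, constructed host inventory against the
five Cyber Essentials controls.  Every threshold and list below is an
assumption for illustration, not a figure from the scheme."""
from datetime import date

# Assumed policy values (a firm would set these itself).
MAX_PATCH_AGE_DAYS = 14           # vendor patches applied within two weeks
MAX_AV_SIGNATURE_AGE_DAYS = 7     # antivirus signatures no older than a week
SUPPORTED_OS = {"Windows 10", "Windows Server 2016", "Ubuntu 16.04"}
ALLOWED_INBOUND_PORTS = {443}     # only the firm's HTTPS service is published
KNOWN_ADMINS = {"it-admin", "backup-svc"}

# Names of the five controls, in the order check_host() reports them.
CONTROLS = ("boundary_firewall", "access_control", "malware_protection",
            "patch_management", "secure_configuration")


def check_host(host, today):
    """Return the list of Cyber Essentials controls this host fails."""
    failed = []

    # Boundary firewalls and internet gateways: firewall on, and nothing
    # listening to the internet beyond the services we meant to publish.
    if (not host["firewall_enabled"]
            or not set(host["open_inbound_ports"]) <= ALLOWED_INBOUND_PORTS):
        failed.append("boundary_firewall")

    # Access control: only named administrators hold admin rights, and the
    # guest account is disabled.
    if (not set(host["admin_accounts"]) <= KNOWN_ADMINS
            or host["guest_account_enabled"]):
        failed.append("access_control")

    # Malware protection: antivirus present with fresh signatures.
    av_age = (today - host["av_signatures_updated"]).days
    if not host["av_installed"] or av_age > MAX_AV_SIGNATURE_AGE_DAYS:
        failed.append("malware_protection")

    # Patch management: supported OS, patched recently.
    patch_age = (today - host["last_patched"]).days
    if host["os"] not in SUPPORTED_OS or patch_age > MAX_PATCH_AGE_DAYS:
        failed.append("patch_management")

    # Secure configuration: no default passwords, autorun off.
    if host["default_passwords_present"] or host["autorun_enabled"]:
        failed.append("secure_configuration")

    return failed


def audit(hosts, today):
    """Map each host name to the controls it fails (empty list = compliant)."""
    return {h["name"]: check_host(h, today) for h in hosts}


# Constructed sample inventory (not real machines).  The date is fixed so the
# day counts are reproducible.
TODAY = date(2016, 6, 1)
HOSTS = [
    {"name": "fe-reception-01", "os": "Windows 10",
     "last_patched": date(2016, 5, 25), "firewall_enabled": True,
     "open_inbound_ports": [], "admin_accounts": ["it-admin"],
     "guest_account_enabled": False, "av_installed": True,
     "av_signatures_updated": date(2016, 5, 31),
     "default_passwords_present": False, "autorun_enabled": False},
    # An old partner's laptop: unsupported OS, RDP open, fee earner is admin.
    {"name": "fe-partner-03", "os": "Windows XP",
     "last_patched": date(2016, 1, 10), "firewall_enabled": True,
     "open_inbound_ports": [3389], "admin_accounts": ["it-admin", "jsmith"],
     "guest_account_enabled": False, "av_installed": True,
     "av_signatures_updated": date(2016, 4, 1),
     "default_passwords_present": False, "autorun_enabled": True},
    # File server: configured well but three weeks behind on patches.
    {"name": "fe-fileserver-01", "os": "Windows Server 2016",
     "last_patched": date(2016, 5, 10), "firewall_enabled": True,
     "open_inbound_ports": [443], "admin_accounts": ["it-admin", "backup-svc"],
     "guest_account_enabled": False, "av_installed": True,
     "av_signatures_updated": date(2016, 5, 30),
     "default_passwords_present": False, "autorun_enabled": False},
]

if __name__ == "__main__":
    for name, failures in audit(HOSTS, TODAY).items():
        status = "OK" if not failures else "FAIL: " + ", ".join(failures)
        print(f"{name:18} {status}")
```

Run as-is, the reception PC passes, the partner's laptop fails all five controls, and the file server fails only patch management. The useful point for the insurance conversation in the next section is that each failure names the control and the policy value it breached, which is exactly the evidence an insurer or the SRA will ask for.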
What to do next
Engage with insurers and ensure cybercrime is covered - check what specific cybercrime precautions they may expect to be in place;
Ensure information technology and security policies and procedures are fit for purpose;
Ensure all staff are given appropriate cyber training; and
Ensure business continuity plans take account of cybercrime and cyber attacks; this should include whether cyber ransoms should be paid.
The advent of technology has brought with it many benefits for UK business, as well as a threat from those who want to use it for criminal and immoral purposes.
We cannot go back to the days before technology, so we must embrace it and do what we can to deter those from the 'dark side' who want to use it for the wrong reasons. Taking cybercrime seriously and mitigating the risk of it is a good start. SJ
Brian Rogers is director of regulation and compliance services at Riliance