Cybercrime and Information Security Breaches

News - 27/11/2015

What is cybercrime and how could it affect you?

  • What is cyber crime?
    Cybercrime is any criminal offence that is committed via the internet and technology. The evidence is overwhelming – every day there are cyber attacks on UK companies. The attackers attempt to steal information and money, or disrupt businesses. Statistics show that no business is too small.
  • What is the law?
    Principle 7 of the Data Protection Act 1998 – under principle 7, businesses that process (which includes merely holding) personal data must take:

“Appropriate technical and organisational measures … against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.

So it is important to have policies and procedures as well as implementing technical security measures appropriate to the type of information and the risks faced.

  • Facts and figures
    The 2015 Information Security Breaches Survey found that 90% of large organisations and 74% of small businesses had suffered a security breach in 2015, against 81% and 60% respectively for 2014. These breaches have a direct effect on profits: for small businesses, breach costs start at £75,000, up from £65,000 in 2014. This is a significant sum for a small business, and the costs to a large organisation start at £1.46 million (up from £600,000 in 2014).

Steps to avoid cybercrime

Acknowledging the extent of the problem, last year the UK Government introduced the Cyber Essentials Scheme to help organisations protect themselves against cyber attacks.  The scheme’s 10 essential steps to cyber security are summarised as follows:

  1. Information Risk Management Regime – Defining and communicating the board of directors’ Information Risk Management Regime is central to your overall cyber security strategy. It is fundamental to assess the risks that cybercrime poses to the organisation’s information assets.
  2. Secure configuration – Make sure you install and maintain a secure configuration and manage your IT systems in an appropriate way, such as disabling unnecessary functionality and keeping them patched against known vulnerabilities.
  3. Network security – Protect your networks against internal and external attack. Manage the external interfaces to the network. Filter out unauthorised access and malicious content. Monitor and test security controls.
  4. Manage user privileges – Establish account management processes and limit the number of privileged accounts. Limit user privileges and monitor user activity. Control access to activity and audit logs.
  5. User education and awareness – Produce user security policies covering acceptable and secure use of your organisation’s IT systems. Establish a staff training programme. Maintain user awareness of the cyber risks.
  6. Incident management – Establish an incident response and disaster recovery capability. Produce and test incident management plans. Provide specialist training to the incident response team. Report online crimes to the relevant law enforcement agency.
  7. Malware protection – Produce relevant policy and establish anti-malware defences that cover all business areas. Scan for malware across the organisation.
  8. Monitoring – Establish a monitoring strategy and produce supporting policies. Continuously monitor all IT systems and networks. Analyse logs for unusual activity that could indicate an attack.
  9. Removable media controls – Produce a policy to control all access to removable media. Limit media types and use. Scan all media for malware before importing onto your organisation’s systems.
  10. Home and mobile working – Develop a mobile working policy and train staff to adhere to it. Apply the secure baseline build to all devices. Protect data at rest and in transit.

Real ICO case – £175,000 monetary penalty imposed

In a case decided by the Information Commissioner’s Office (ICO), a well known specialist online insurer failed to protect its customers’ information and received a £175,000 monetary penalty.

  • What happened?
    The company’s website was attacked by someone who exploited its web server. The attackers had access to over 100,000 live credit card details as well as medical records. Over 5,000 of those payment card details were used in fraudulent transactions.
  • The decision
    The Commissioner determined that the company had failed to take appropriate technical measures against the unauthorised access. It had no adequate policies or systems in place for checking, reviewing and applying software security updates, and it stored payment card CVV numbers in plain text, unencrypted, on its database, in breach of the Payment Card Industry Data Security Standard.
  • Lessons learnt
    • Ensure you have adequate policies and systems in place for checking, reviewing and applying available software security updates;
    • Do not store payment card details in breach of the Payment Card Industry Data Security Standard, and delete historical payment card data stored in your systems; and
    • Act fast to put things right and decide what action to take to reduce the impact.

What to do in the event of a breach

In the case study above, the penalty could have been higher were it not for the company taking swift action to correct its failings, alert affected customers and report to the ICO.

Although there is no legal obligation on data controllers to report breaches of security involving personal data, the ICO recommends that there should be a presumption to report a breach when:

  1. there is a potential detriment to individuals, which could be emotional distress as well as both physical and financial damage;
  2. there is a large volume of personal data and a risk of individuals suffering harm; and
  3. the release of the personal data involved could cause a significant risk to individuals.

Where to get more information and guidance

Our Corporate and Commercial team can advise businesses on their obligations under the Data Protection Act and other regulations and can help you to review and improve your practices and procedures. Please contact them on 01737 854 500 or find out more here.

Disclaimer:

Although correct at the time of publication, the contents of this newsletter/blog are intended for general information purposes only and shall not be deemed to be, or constitute, legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article. Please contact us for the latest legal position.