
It’s time to take the power away from cyber criminals


Most cyber crime victims don’t even know they’re cyber crime victims, says Marina Perry in her shortlisted entry to the BARBRI International Cyber Crime Blogging Prize Competition

“It bothers me that my webcam stares at me all day long,” said my colleague regarding a new addition to our work life, “you never know who might be watching you”.

I agreed with her and said that is the reason why my webcam is not attached to the monitor and always faces away from me. In my naivety I said: “I have seen enough movies to know anything can be hacked and I don’t want a stalker looking at me. I hoped that our company’s security system has strong firewalls to prevent against such attacks.”

But in reality, do people know when they are hacked or have been a victim of a cyber crime? According to Chris Novak at Verizon, an international company that specialises in information security, it takes most victims almost eight months to realise they’ve been victimised, whereas it can take a cyber criminal a day, or less, to pull off an attack.

In January 2017, KPMG reported cyber crime cost the UK £124,000,000. In 2016, the global cost of cyber crime was estimated at $445,000,000,000 (£345,600,000,000). To put this figure into perspective, this is larger than the GDP of 160 nations, including Ireland, Finland and Portugal, to name a few.

Nowadays, computer viruses and trojans are designed to do everything from watching you through your webcam and stealing data to the theft of billions of pounds. Cyber security experts believe eight new users are joining the internet every second, alongside 250,000 individual new computer viruses. These viruses attack around 30,000 new websites. People think that if you visit porn sites you get more viruses. Statistically speaking, you are safer if you only visit porn sites. Data shows that about 80% of the websites that get infected are those of small businesses.

The question is: how do you protect your business from a cyber attack? Even big businesses with appropriate infrastructure to safeguard their data have not been able to prevent an attack. Last year, hackers stole around 427,000,000 customer records, and ecommerce giant Alibaba was undermined when 99,000,000 records were stolen. In a 2014 attack, hackers stole data from 500,000,000 Yahoo users; this was only made public in 2016.

According to Javier Brias at Secon Cyber Security, the answer is education.

In 2016, Verizon produced a Data Breach Report and found that 90% of security incidents happen due to people. Employees must be trained on security practices and to look out for malicious websites and fake emails. In order to protect your business, think of security as a two-step process. Firstly, as a business, have appropriate measures in place, such as robust email and web gateways. You should have a system in place where you can monitor suspicious behaviour through endpoint security and protect your website and email system against any unpatched security holes. Your network should have advanced capabilities across all traffic, ports and protocols to stop suspicious malware. In order to secure your company’s servers, make sure any unpatched vulnerabilities are protected via virtual patching. Back up regularly, during offline hours and in phases.

Secondly, train your staff to be vigilant and think before they click on a link. It’s very simple but many of us forget to do this. On social media, don’t share everything with everybody and make sure you are not sharing personal information.

Experts believe that most cyber criminals they have encountered have not been arrested despite stealing millions and causing havoc. The internet is borderless and international by definition, therefore it has been difficult to enforce cyber security from a legal perspective.

In Europe, criminal liability for cyber crime has been aided by EU Directive 2013/40. This directive is in line with the ever-growing threat of cyber crime and the sophisticated technology being used to target companies and infrastructure. The directive stated there are four main substantive offences:

i. illegal access to information systems;
ii. illegal system interference;
iii. illegal data interference; and
iv. illegal interception.

Member States had to make it a criminal offence by 4 September 2015 to intentionally produce, sell, procure for use, distribute or make available certain tools intended for use with the above-mentioned four offences.

The UK already had a significant number of laws in relation to cyber crime. The directive was further implemented by the Serious Crime Act 2015.

Section 41 of the 2015 act states that if an unauthorised computer act causes serious damage to human welfare in any place and national security of any country, a maximum sentence of life imprisonment is imposed. Damage to the environment of any place and the economy of any country carries a maximum sentence of 14 years.

Section 42 of the 2015 act amends to state that making, supplying or obtaining malware is also a crime as well as unauthorised access to computer material, unauthorised acts with intent to impair the operation of a computer and causing, or creating risk of, serious damage.

Section 43 of the 2015 act amends the Computer Misuse Act 1990 to state an offence is committed even if the accused is outside of the UK at the time of the offence, so long as the act is illegal in that country too and the offender is a UK national.

In stark contrast to the UK’s 2015 legislation, Ireland, along with other Member States, did not meet the EU’s deadline. In January 2017, the Criminal Justice (Offences Relating to Information Systems) Bill was published to transpose the directive. The projected timeline for enactment is as yet uncertain.

Governments are slowly but surely catching up to ensure the appropriate laws are in place to protect businesses and infrastructure.

TalkTalk was hit with a fine of £400,000 following a cyber attack in 2015 for failing to have basic security measures to encrypt customer data, which led to the theft of personal data from almost 157,000 customers. In order to protect your business, you must have your own safeguards in place to make it harder for cyber criminals to hack your systems and then rely on the government to bring them to justice if you have been a victim of cyber crime.

Marina Perry is a litigation assistant at Shakespeare Martineau. She studied law at Middlesex University. Her entry was shortlisted in the BARBRI International Cyber Crime Blogging Prize. You can read the winning entry here.


2 Comments

Anonymous

‘Verizon, an international company that specialises in information security’

It’s a multinational telecommunications conglomerate and the largest wireless/ mobile communications provider in the US. It also provides fixed-line communications inc. broadband, digital TV and network services. They do not specialise in information security.

Chris Novak, manager of Verizon’s Investigative Response Unit, DOES specialise in information security.

Anonymous

Great Blog!
