Spiders in the Web: The Risks of Online Crime to Legal Businesses
Protective Intelligence provides consultancy and training on Cyber Security and Data Protection. We believe successful information security lies in the heart of an organisation, where everyone understands the importance of protecting data. For too long technology has driven the security agenda, but organisations who are successful in keeping their information safe recognise that without governance and training technology alone cannot prevent security breaches. We have long-standing experience, with previous clients ranging from corporate giants to SMEs and charities. We deliver high-quality consultancy on the strategies, policies and training that your organisation needs, as well as technical solutions such as Penetration Testing.
The rising threat of cybercrime has particular relevance to the legal industry. Whilst at first sight there appears to be little of value for criminals within a typical legal organisation – after all, aren’t these ‘cyber criminals’ just after credit card details? – the reality is much more worrying. Whilst a single credit card number will sell for under £2 on the illicit marketplaces located on the ‘Dark Web’, a person’s medical records will fetch upwards of £150. Criminals are attempting to obtain HR records of businesses, and we know that the reason behind many PPI and Accident Claim cold calls is that data has been stolen from insurance and legal companies, and even from the Police themselves. Could that deal you’ve been working on for months be compromised? It is alleged that the proposed takeover of China Huiyuan Juice Group by Coca-Cola in 2008 was subjected to a cyber-attack designed to allow the attackers to understand Coca-Cola’s negotiation strategy.
Data is a very valuable commodity, and cybercrime is an incredibly effective way of obtaining it. It’s a highly lucrative crime, with estimates putting the cyber black economy as high as $500bn per year, and rising. It’s more profitable than the international illegal drugs trade, far easier to commit and virtually untraceable. Details of upcoming criminal trials, information on potential mergers and acquisitions or sensitive business data of any kind could fetch over six figures, if not considerably more. We’ve seen businesses lose as much as $100m to cybercrime.
Targeted attacks are very difficult to spot and stop. They could be launched from either outside or inside your business, and may take months (or even years) to come to fruition. These could range from standard attacks such as Ransomware or invoice mandate fraud – the cyber equivalent of the old ‘Smash and Grab’ robbery – to much more sophisticated attacks using Social Engineering techniques, backed up by technology and practices used by the Intelligence Agencies. Any organisation conducting business with Russian or Chinese interests will almost certainly be at risk of advanced attacks, which could even extend to ‘Honeypot Traps’.
There is also the risk of untargeted attacks, which are as applicable to the Legal industry as they are to any organisation. Ransomware – where malicious code gets onto your computer networks and encrypts your data, rendering it inaccessible unless you pay a ‘fine’ – is on the increase. February 2016 alone has seen more Ransomware attacks against UK businesses than occurred in the first six months of 2015.
Cybercrime can have a wider impact than just the value of the data which has been compromised. Could you be subject to litigation in the event of a breach? Will the regulators become involved and issue a fine? The incoming EU General Data Protection Regulation can levy a fine of up to €20m or four per cent of global revenue per breach. What about the damage to your brand or public image? Could your share value be impacted by an attack? These are all questions you need to consider when setting your information protection goals.
Cybercrime is a real threat. However, there are a number of steps organisations can take to reduce the risks:
- Create and regularly review your information protection strategies and procedures, and work towards attaining a recognised security accreditation (such as ISO27001);
- Make sure all within your business – from the Board to the cleaning staff – understand and adhere to the policies and procedures. Good security practice must come from the very top;
- Identify where your confidential information is held – both digitally and physically – and regularly review who can gain access to it. Understand what the impact on your business would be if the integrity, availability or confidentiality of your data or systems were to be compromised;
- Training staff in how to protect information is a vital tool. Technology alone cannot prevent security breaches;
- Make sure any third parties you share confidential information with are aware of the need to protect your data. Make it a contractual obligation if necessary;
- Use secure technologies to share information, such as encryption, Virtual Private Networks or Private Cloud Storage, to help mitigate against staff using vulnerable methods;
- Create an Information Protection function within your business for dealing with all security issues. Physical and cyber security are two sides of the same coin. Remember that Information Protection and IT Security are not the same thing;
- Most security breaches come from within, mainly due to accidental mishandling of confidential information. But be aware of malicious insiders as well – if Edward Snowden can steal the NSA’s secrets, then your staff can steal your data too;
- Consider taking out cyber liability insurance. These policies typically come with a range of benefits, such as cyber forensics and public relations advice, as well as insuring against financial loss, regulatory fines and brand damage;
- Encourage a security culture and mindset throughout your business. As Ronald Reagan stated during the SALT disarmament talks with the Soviets – ‘Trust, but verify’.
Having said all that, there’s really nothing special about cybercrime – it’s just another business risk you need to consider. As with all your risks, you need to assess the threat, impact and likelihood and come up with a mitigation plan. At the end, it really is as simple as that.
Cybercrime – how can businesses combat it?
Cybercrime isn’t going away anytime soon. The number of threat vectors, the ease of producing and distributing malware, and the lack of an effective global criminal investigation and legal prosecution are making cybercrime the method of choice for Serious Organised Crime. On a global scale, the issue will not get any better until there is a cohesive effort by the majority of world governments to tackle the issue – and that’s unlikely to happen any time soon.
At a business level, cybercrime is going to become a de facto commercial risk – it is not going to go away, and the only course of action you are able to take is to reduce the risk of a serious breach occurring. That will require affirmative action at Board level: a commitment that the organisation will reduce the risk from the top down and encourage a ‘healthy suspicion’ as part of the organisational culture. Education and awareness are just as important tools in your arsenal as anti-virus and firewalls.
Once a business makes a decision to become as security-centric as possible, it needs to reinforce the message with staff. There’s no point in buying a state-of-the-art burglar alarm system for your home if your teenage son is going to leave the front door wide open when he goes out at night. The consequences of failing to tackle the risk of cybercrime and data loss in your business are potentially quite severe. Ransomware attacks could prevent you from accessing your files and systems, forcing you to restore from backup (you do check that your backups work, don’t you?), which could take days. A serious security breach could land you with a hefty fine from a regulator, or force your CEO to undertake an embarrassing public apology, as recently happened to TalkTalk. There’s increasing evidence that consumers and other businesses will perceive your company in a very negative light in the event of an attack, especially if confidential data is lost or stolen, with a recent survey showing that 86% of UK procurement managers would axe an SME for suffering a cyber breach. In extreme cases, it’s not inconceivable that a cyber-attack could result in a business being forced into bankruptcy or administration.
The challenges for Protective Intelligence in 2016
Our challenge is to get organisations to understand that cyber security is not simply an ‘IT problem’. We see businesses increasingly taking cyber security on-board as an essential, but they then fail to make security an overall responsibility for everyone within the structure. There’s a sense that many organisations see cyber security as a necessary evil, and want nothing to do with it on an operational and cultural level. We try to emphasise that IT Security can only provide the tools to help protect the business, but the wider issue revolves around a willingness to embrace the idea of security. We need to move people away from thinking this is a technology problem, to understanding that instead it’s a people problem.
Even in 2016, it’s difficult to get data protection onto the corporate agenda. Whilst things are generally moving in the right direction there’s still a perception at C Level that their company is somehow immune to the risk, or already has all the protection it needs. Convincing Boards to spend on cyber security, especially when budgets are still under pressure, is a difficult job – it’s hard to prove a Return on Investment for cyber security. There’s a feeling that, even when a business has a Chief Information Security Officer on board, security is still seen as a ‘techie’ problem and ranks beneath areas such as finance, sales and marketing in the grand scheme.
The challenges for industry in 2016
We’re facing a critical shortage in skilled cyber security professionals globally. The demand for these key resources is only going to rise in the coming years, and we may well see businesses operating with completely inadequate protections simply because they cannot find the appropriate skill set. This, combined with the increasing numbers of attacks, has the capability to overwhelm the available resource base.
There’s also the risk of ‘Breach Fatigue’, where, as more and more reports come out in the media, companies and individuals become inured to the danger of cybercrime and see an attack as inevitable. For organisations, there’s the risk that cyber liability insurance is seen as a ‘Get Out of Jail Free’ card, and that they do little more than the minimum required to protect their data.
Finally, there’s the risk of market and product saturation. As the demand increases, there’s potential for investors to jump in looking for a quick win and overloading the market with too many products, as with the Anti-Virus industry where there are well over 100 mainstream products available on the market to customers.
Company: Protective Intelligence
Name: Vince Warrington
Web Address: www.protectiveintelligence.co.uk
Phone: 44 (0)1869 247814