Cyber crime crisis

The release of the hacked data from an extramarital dating site will have given its customers more than the usual worry that accompanies news of cyber-crime. Geoffrey Sturgess, Company Commercial Consultant Solicitor, explains the different ways in which cyber-crime can occur and advises businesses to carefully review their information risk management regime, assessing their processes with the same rigour as legal, regulatory, financial or operational risk.

In the case of the dating site Ashley Madison, which promotes itself with the strapline ‘Life is short, have an affair’, two data files have been released on the “black web” by the hackers who stole the total database of the site, comprising more than 33 million members in 46 countries. The company has faced a barrage of calls from customers, concerned that their personal details and credit card information have been compromised.

And whilst the true picture for the internet daters continues to unfold, Ashley Madison’s problems are a reflection of a fast-growing area of crime, as more and more criminals exploit the speed, convenience and anonymity of the internet. The Government has issued guidance for businesses in a bid to stem the range of criminal activities that know no borders, either physical or virtual, while the Metropolitan Police recently announced an expansion of its cyber-crime team.

The opportunities for cyber-criminals include attacking the functions of computer hardware and software, committing financial crimes such as online fraud, penetrating online financial services, and ‘phishing’ for confidential information. There are suggestions that some Ashley Madison customers have received blackmail demands. There are further suggestions that the site itself may have used false female profiles to attract paying male users.

There are requirements under the Companies Act 2006 which place a duty on directors to keep themselves informed on relevant issues. They may be held to be negligent and thus personally financially liable, if they do not take appropriate professional or expert advice to tackle any identified threats. As well as having to meet the requirements of the Data Protection Act and the Communications Act in the UK, company directors should also be aware of the current EU proposals for a Data Protection Regulation which will be much more prescriptive than the UK’s current data protection rules, and the proposed EU Cybersecurity Directive.

The key requirements for any business are to undertake a risk analysis, develop a cyber-security programme, set in place the right policies and take appropriate technological measures. Every business must ask itself what value there is in the information it holds electronically: for example, it may be valuable intellectual property or sensitive customer information, or it may provide access to client funds. Then it needs to consider where the risk lies. It’s not just hackers; the greatest risks could be posed by current or previous employees.

The response to that review should include a clear cyber-security strategy, with policies in place and employees well informed, backed up by a regular review and updating of technological practices. IT system reviews would range from how networks are monitored for attack and what firewalls and malware detection software are in place, through to how internal and external users are controlled and how access may be segregated or restricted.

There are simple measures businesses can take to protect themselves, such as choosing carefully who holds the passwords and making sure staff don’t open spam mail. Thorough education of staff, with regular updates, is essential. It demonstrates that the company takes the matter seriously, and staff are often in the front line: if they are well informed of the risks and encouraged to take responsibility, they can be very effective gatekeepers.

Cyber security is very important and is often overlooked. A board director should be given specific responsibility for it and required to report to each board meeting on risks and measures taken to alleviate them.

To view the government guidance on this area click here, or for advice on how you can safeguard your business, you can contact Geoffrey or one of the Commercial team on 02380 717717 or visit their section of the website here.


This is for information purposes only and is no substitute for, and should not be interpreted as, legal advice.  All content was correct at the time of publishing and we cannot be held responsible for any changes that may invalidate this article.