Cyber crime is a rapidly evolving threat to businesses’ financial and data security, as set out in the newly published NCSC and NCA 2016/17 annual report. In tackling this threat, the Government appears to be moving towards increased regulation in cyber security for UK businesses.
There were 2 million computer misuse incidents in the year proceding September 2016, and a further 1.9 million cyber related fraud incidents in the same period. Most fraud cases involving the misuse of individuals’ bank details are not referred to the police and the actual figures for this type of cyber fraud are likely to be much higher.
On 15 March 2017 GCHQ’s recently formed National Cyber Security Centre (NCSC), in conjunction with the National Crime Agency, published its first ‘Annual Threat Assessment’ report – “The cyber threat to UK business”.
The report first sets out the threats currently faced by UK businesses and the ways in which existing threats are likely to develop in the future. Cyber criminals can target businesses in a number of ways. There is the obvious threat of theft of money, intellectual property or personal data for use in fraud.
A number of methods of extortion are identified. DDoS (distributed denial of service) attacks involve the use of malware to control a large number of computers, which in turn flood the target network with information so that a key customer service, such as online banking, is disabled until a fee is paid. Criminal groups also make demands for money following the theft of data, or encrypt data using ‘ransomware’ and refuse to unlock it until payment is received.
The report suggests that 65% of firms detected a cyber security breach or attack in 2016 and predicts that insecurity for businesses will worsen in the short term. This is in part because there is extensive online collaboration between criminal groups and their methods are quickly evolving. Technological expertise and services can increasingly be purchased on the dark web; it is no longer necessary for individuals to possess sophisticated hacking skills in order to commit cyber crime. Employees who have been planted, bribed, blackmailed, or who are simply careless, often provide a route for attackers to access login details or data.
There are new dangers inherent in the increasing number of insecure non-computer devices with online access (also known as ‘the internet of things’), such as equipment used in industry. The report highlights a 2016 attack in Finland where attackers disabled automated heating systems in a number of apartment blocks through the internet. Industrial systems of this nature were not designed to be connected to the internet and thus lack robust protection against attacks.
The report summarises several pivotal cyber crime incidents in 2016, most notably the theft of $81 million from Bangladesh Bank, in which hackers infiltrated a closed computer network used for communication between banks around the world. The warning about the risk of future attacks is stark; the report concludes that larger institutions will continue to be a target and, if successful, an attack could have a major impact upon a UK bank. The technological skill required to hit large targets using financial trojans will soon be available as a service for purchase online.
The proposed solution
The need for collaboration between government, businesses and law enforcement is stressed in the report. The NCSC’s clear approach is that in order for law enforcement to fully understand, then prevent and deter cyber crime, businesses must report each attack to Action Fraud, the UK’s cyber crime reporting centre. The NCSC also encourages membership of the Cyber-security Information Sharing Partnership, where industry and government actors can share expertise and information about attacks in real time.
The NCSC, perhaps unsurprisingly, also recommend businesses invest in cyber security software, improve staff training, and ensure data is backed up to reduce vulnerability to data theft or ransoming.
Government approach – moving towards regulation
The enthusiasm for tackling cyber crime is not confined to the law enforcement services. In November 2016 the Chancellor demonstrated the Government’s commitment by launching the National Cyber Security Strategy and guaranteeing £1.9 billion in investment over 5 years.
The Government has now also confirmed it will adopt the EU’s General Data Protection Regulation (‘GDPR’), despite the result of the June 2016 referendum. Businesses already have a duty under the Data Protection Act 1998 to take appropriate measures to protect personal data and the ICO can currently impose fines upon breach of up to £500,000. The GDPR will apply from 25 May 2017 and imposes a wide range of further obligations and data subject rights. Under the GDPR the maximum penalty for infringements of some personal data protection obligations will be the higher of €20 million or 4% of global turnover.
The two most significant changes for UK businesses are likely to be the new accountability requirement and more robust notification requirements. Under the GDPR, organisations will have to demonstrate how they are complying with the data protection principles, for example by recording decisions made about a data processing activity. Data controllers and processors will be obliged to report a personal data breach to the relevant authority within 72 hours, and in some cases also report to the data subject and the public. The maximum penalty for failing to notify will be the higher of €10 million or 2% of global turnover.
The motivation behind the Government’s determination to preserve GDPR in the face of Brexit is set out in the Minister for Digital and Culture’s ‘Cyber Security Regulation and Incentives Review’ from December 2016. The Minister said: “Every business, charity and institution up and down the country must realise that cyber security is their job as much as it is Government’s. Only when the effort is concerted and persistent can we fully tackle this challenge.… There is a strong justification for regulation to secure personal data, as there is a clear public interest in protecting citizens from crime and other harm, where it may not otherwise be in organisations’ commercial interests to do so.”
The Government is of the view that a collaborative approach between the state and private sectors is the best way to combat cyber attacks against itself, members of the public and businesses. Plainly the Government intends to achieve that collaboration at least in part through regulation rather than simple encouragement. Tellingly, in his December 2016 Review the Minister also said; “For now, Government will not seek to pursue further general cyber security regulation for the wider economy over and above the GDPR.” As the threat to the state and to businesses grows, there is likely to be more regulation to come in this area.
 Office for National Statistics, Crime Survey for England and Wales (CSEW) for the year ending September 2016, published 17 January 2017.