Fraud has reached epidemic levels in the UK and should be seen as a national security issue, says think tank the Royal United Services Institute (RUSI) in a paper published last week[1]. It is the crime to which UK citizens are most likely to fall victim[2]. Its impact on the private sector has consequences for both the stability of individual companies and the broader reputation of the UK as a place to do business.
85% of reported fraud in 2019/2020 was cyber-enabled[3] fraud[4]. With limited in-person interaction due to the pandemic, and increasing levels of remote working, this figure is expected to increase in the coming year. Cyber fraud is a constantly evolving area, with perpetrators adapting their methods as new technologies become available. Common examples of cybercrime are denial of service (DoS), botnet, phishing, and ransomware attacks.
The UK has a robust set of laws relating to data breaches, which commonly arise out of cyber-attacks. These laws place onerous obligations on organisations that fall victim to cybercrime. There are ever-increasing penalties for businesses that fail to respond swiftly and appropriately to a cyber-attack.
The European Union’s General Data Protection Regulation (“GDPR”) (which despite Brexit still applies in the United Kingdom) requires all handlers of personal data to implement appropriate security to prevent the personal data they hold from being accidentally or deliberately compromised, for example through a cyber-attack.
Every organisation needs to understand cybersecurity risk just as it needs to understand financial risk or legal risk. It is now a key function of business to have a comprehensive cybersecurity programme in place.
The possible components of such a programme will depend on the organisation. The following are some considerations:
- Acting as detective. A cybersecurity policy is key. The GDPR requires businesses to regularly test, assess and evaluate the effectiveness of any information security measures in place. This will allow the business to conduct an in-depth risk analysis before an incident takes place. Having checks in place to detect breaches pre-emptively is a proactive way to get ahead of the repercussions of a cybersecurity issue.
- Reporting lines. The prompt reporting of security incidents is of fundamental importance. It is essential that staff (including temporary and contract staff) know how to report – who, what and when. Until an organisation knows that something has happened, it cannot react appropriately. Balance needs to be struck between instilling in personnel a clear understanding of the importance of cybersecurity and not discouraging them from reporting (or perhaps owning up to) a concern.
- Response plan. Incidents should be responded to swiftly, efficiently and comprehensively. A clear structure of responsibility aids in such efforts and allows for accountability. The team implementing the response plan will likely consist of members of senior management, legal and IT; to maintain the integrity of the process, it is often prudent to exclude from any investigation people who were involved in, or responsible for, the incident. It is sensible to have an outline of what immediate counter-measures could be taken if the issue is something progressive rather than isolated. In addition, the GDPR requires data handlers to be able to restore the availability of, and access to, personal data in the event of a physical or technical incident in a ‘timely manner’. Businesses should therefore consider the resilience of their systems: can they continue operating under adverse conditions, and can they be restored to an effective state?
- Investigation. Conducting an effective investigation into a cyber-breach is essential. The aim of an investigation will be to understand the scope and impact of the cybersecurity incident. An investigation’s findings will be put to multiple uses, including preventing repetition of the incident, managing all the repercussions, helping with reputational damage, assisting with operational disruption, and identifying harm to customers/clients. These objectives should be reflected in any investigation plan and records. The investigation will also be key to enforcement action, so it is vital that it is conducted properly. Records need to be kept of the breach and response regardless of whether the matter is ultimately reported to the authorities. It is advisable to engage external legal counsel as soon as a breach has been detected or is suspected, particularly so as to ensure that steps are taken to understand and protect legal professional privilege.
- Evidence. One aspect of the investigation process is collecting evidence. Digital evidence will probably need to be gathered, and care must be taken to establish a clear picture of what happened without compromising that evidence. It may be necessary to engage third-party forensic experts, and to consider taking a forensic image of affected servers and hardware. For privilege and continuity, such engagement is best done through external legal counsel. Reasons for selecting some witnesses to interview and not others should also be contemporaneously recorded. It is likely to be too early to anticipate all the legal actions that may flow from the incident, so it is sensible to secure evidence in accordance with the law so that it can be used as required and, if necessary, at a trial. It is prudent to take local law advice from experienced cybersecurity counsel.
- Reputation. Unfortunately, however blameless an organisation may be, fraud and data breaches can cause great reputational damage to organisations. Organisations may wish to consider having policies specifying what personnel should do if confronted with external questions about an incident – such as from a journalist or client/customer. Nominating a particular individual to deal with all such queries is sensible, along with implementing a blanket prohibition on others discussing the matter externally without approval from that individual. Consistency in response is usually important.
- Liaising with authorities. Depending on where the cyber-attack took place, where an organisation is located, where the data is held (which, with the use of cloud technologies, is now commonly multiple locations) and where any individuals whose data has been compromised are located, there are often several enforcement authorities with an interest in the event. For example, in the United Kingdom and the European Union a ‘personal data breach’ (“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”) must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it, unless it can be demonstrated that it is unlikely to result in a risk to individuals’ rights and freedoms (in which case other requirements are imposed by the law). Organisations and their advisers should assume that information provided to one data regulator will be passed on to others and that this could give rise to liabilities in multiple jurisdictions. Nevertheless, the organisation should ensure it meets its reporting obligations in all jurisdictions applicable to the incident.
- Asset recovery. In certain situations, organisations may wish to instruct lawyers and other external advisers to seek the recovery of lost assets. To that end, thorough records should be kept of assets lost or affected by the malicious actions.
It remains important for organisations to implement and maintain comprehensive cybercrime prevention strategies. If your organisation would like to discuss any of the issues raised herein please do not hesitate to contact the authors.
1. Royal United Services Institute (RUSI), The Silent Threat: The Impact of Fraud on UK National Security by Helena Wood, Tom Keatinge, Keith Ditcham and Ardi Janjeva. Occasional Papers, 26 January 2021.
2. The Office of National Statistics (ONS) Crime Survey for England and Wales noted 3.7 million incidents of fraud against individuals in the year ending March 2020. This outstrips 3.3 million theft offences against the person. See ONS, ‘Crime in England and Wales: Year Ending March 2020’, 17 July 2020, <https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/bulletins/crimeinenglandandwales/yearendingmarch2020#toc>, accessed January 2021.
3. Her Majesty’s Government’s National Cyber Security Strategy 2016 – 2021 uses cybercrime as an umbrella term to define two linked areas of criminal activity: cyber-dependent crime, which can only be committed through the use of information and communication technology devices, and cyber-enabled crime, which consists of traditional crimes that can be increased in scale or reach by use of computers.