#breachdetected – Overview of Cyber Security Risk & Responsibility

Cybercriminals can and will exploit vulnerabilities in IT infrastructure for malicious ends. Consider the National Crime Agency (NCA)’s recent report that a 32-year-old man was sentenced to over two years in prison for illegally accessing several victims’ devices and building a collection of indecent images of both adults and minors. Cases like this are why the NCA stresses that raising the barrier to entry into cybercrime, by reducing the availability of and access to off-the-shelf attack tools, is a top priority. It is therefore paramount for individuals, and for organisations large and small, to take the necessary precautions to safeguard themselves against cyber security risks.

Cyber Security 101

The UK’s National Cyber Security Centre (NCSC) defines cyber security as how individuals and organisations reduce the risk of cyber attack. It is about protecting personal and sensitive data, whether held online or on internet-connected devices, from unauthorised access. More broadly, cyber security involves protecting systems, software, data, hardware and other information assets from threats in cyberspace.

Individuals need cyber security to protect personal data such as home addresses, contacts or personal photos. Similarly, companies need cyber security to protect data such as financial records and intellectual property. If a cybercriminal gained access to such sensitive data, the result could be significant financial and reputational damage to the company or individual, as well as regulatory fines or prosecution for failing to prevent the attack.

Cyber Security Risks:

Types of cyber security risks include:

·       Phishing attacks

·       Ransomware attacks

·       Compromised credentials

·       Weak and stolen credentials

·       Missing or poor encryption

·       Misconfiguration

·       Malicious insiders

·       Malware

·       Trojans

·       Man-in-the-middle attacks

This list is not exhaustive, but it covers the most common cyber security risks. Understanding them is a necessary first step in defending your networks and systems from cyber threats.

Cybersecurity and Cybercrime in UK Law

The governing cybercrime legislation in the UK is the Computer Misuse Act 1990. As originally enacted, the Act introduced three criminal offences:

  1. Unauthorised access to computer material (section 1)
  2. Unauthorised access with intent to commit or facilitate commission of further offences (section 2)
  3. Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc. (section 3)

Later amendments added further offences, notably making, supplying or obtaining articles for use in computer misuse offences (section 3A, inserted by the Police and Justice Act 2006) and unauthorised acts causing, or creating a risk of, serious damage (section 3ZA, inserted by the Serious Crime Act 2015).

Their severity is heightened when they are committed as a predicate offence to a more serious crime. The Crown Prosecution Service outlines how cyber security threats can fall within the scope of financial crime: phishing and the installation of Trojan malware can be prosecuted under the Fraud Act 2006, which carries heavier penalties on conviction. In addition, there may be further consequences where the proceeds of a cybercrime are laundered, engaging the money laundering offences.

Risk & Responsibility

As individuals, our personal data has never been so publicly available, especially with the continued growth of social media platforms and with a greater share of day-to-day tasks such as shopping being done online. In March 2020, for example, 41% of people reported shopping online more than before Covid-19; this figure rose to 71% by February 2021. However, while the risk of placing our data online is ours to take as individuals, for a company the risk, and the consequences of that risk materialising, rest with the whole company. It is important, therefore, that companies regularly review and test their technical and organisational controls, and that staff members are made aware of and comply with all security measures put in place to safeguard the organisation’s data and records.

The consequences of cyber security breaches don’t stop there. Failing to prevent a loss of consumer data can and does attract adverse regulatory attention, with the FCA using its enforcement powers to fine firms that fail to prevent data breaches. The FCA’s £16.4 million fine of Tesco Bank in 2018 is a case in point.

The loss of personal data of any kind will also attract the attention of the Information Commissioner, who, since the advent of the UK Data Protection Act 2018 and GDPR, has been able to issue fines and penalties at levels never seen before in this space. For example, in 2020 the ICO fined Ticketmaster £1.25 million for failing to keep its customers’ data secure.

It must not be forgotten that, besides any fine for the breach itself, failing to notify the ICO of a notifiable breach within 72 hours of becoming aware of it can result in a fine of up to £8.7 million or 2 per cent of the business’s global annual turnover, whichever is higher. A breach is notifiable where it is likely to result in a risk to individuals’ rights and freedoms, so the 72-hour clock should be assumed to be running from the moment a breach is detected.

EU framework

In Europe, the starting point for cybercrime regulation is the Council of Europe Convention on Cybercrime (the Budapest Convention), to which the EU member states are parties. In short, the convention aims to deter malicious acts and misuse aimed at computers and other digitised systems. It provides for the criminalisation of such conduct while striking a balance between effective law enforcement and respect for fundamental human rights. As we know, the GDPR provides the principles and rules governing the processing of personal data of natural persons, mirrored in the UK by the Data Protection Act 2018. In May 2021 the BBC reported that, since GDPR came into force, the top five fines alone account for more than €150 million.

How can Complyport and MAPiTek help?

If this article has raised any questions about the effectiveness and integrity of your cyber security framework, or about threats your company has been exposed to, please contact Jonathan Greenstein via jonathan.greenstein@complyport.com to book a free consultation.

Our Cybersecurity and Resilience consultancy provides a portfolio of services covering cyber security, data protection and operational resilience, and supports clients in complying with the relevant laws and regulations. We help clients to develop and implement a tailored cyber security framework, or assist them in certifying existing frameworks against UK and/or international cyber security standards.

About Complyport

Complyport is a market-leading consulting firm supporting the UK financial services industry for over 20 years. We specialise in providing Governance, Risk and Compliance services to support the regulated financial services industry to raise standards and thrive.

Complyport advises and assists firms to become authorised and to comply with the rules and requirements of regulators on an ongoing basis. Our vision is to be there for our clients every step of the way, helping them change, grow, and excel through expertise, insight, and innovation, and in so doing to become our clients’ most valued supplier and trusted advisor.

We have successfully assisted over 1000 firms to become authorised with the FCA and EU regulators, and provide ongoing regulatory support to over 600 regulated firms globally. With a presence in the UK and EU, as well as through our Associates Network, Complyport can assist firms across multiple jurisdictions.

Complyport’s multidisciplinary consultants possess extensive expertise in their field, having acted in FCA skilled person reviews, as expert witnesses in legal cases and as expert investigators for firms or their legal advisers.

Day to day, we conduct audits and reviews of a firm’s products, processes, policies, and procedures to identify scope for business, to determine the impact of regulatory developments and to verify compliance with local regulations. Our clients tell us we live our values; we are driven, agile and collaborative.