Hardly a week goes by without another news story of a business suffering a cyber-attack.
While the most newsworthy are invariably the larger attacks on well-known names such as Talk Talk or Yahoo, the sad fact is that cyber-attacks are prevalent against businesses of all sizes, and Small and Medium Enterprises (SMEs) are frequent targets. Various surveys undertaken in the last two years consistently show that somewhere between 55% and 65% of all UK businesses have been affected by a cyber-attack.
As a consequence, we often advise business clients on issues relating to a cyber-attack, whether it is taking steps to try to avoid being a victim, or trying to pick up the pieces afterwards.
Historically, one of the main risks that businesses faced was a rogue employee with their ‘hands in the till’. While the impact of such activity over a period of time could mount up to a significant sum of money, the potential damage from a cyber-attack on a business is far greater.
Because large sums of money and important information can be moved around the world at the click of a mouse, the interception of transactions and communications can cause significant damage to a business in a very short time.
Where are the risks?
There are potentially external and internal forces of attack. If external, a business is unlikely to know who is attacking it. The attack on a particular business may be random, or it may be specifically targeted. In some cases, an attack may come from a competitor business.
If it is an internal attack, then the attacker is known – though usually after the event.
What may be attacked?
The targets of attack are essentially money and / or data. Money can be attacked by seeking to intercept online banking transactions, or by creating false transactions. Data can comprise confidential information such as customer details, orders and confidential pricing information, which is valuable to others in its own right, or which a fraudster can use to help intercept later financial transactions (for example, knowing which supplier is due to be paid, when, and for how much).
What are the internal risks?
There is a risk of a rogue employee attacking a business for their own purposes. That may be through creating a false financial transaction or the copying or removal of confidential information to use themselves or supply to others.
More commonly, someone may inadvertently assist an attacker by supplying information when they shouldn’t, or by mistakenly enabling access to confidential systems (such as opening an attachment or link in a phishing email, allowing malware onto the network), or by mistakenly sending an email containing confidential information to the wrong recipient.
What types of problem can occur?
The most common issues we currently see include:
- An attack on a bank account: There has been considerable publicity regarding attacks against business bank accounts, but the risk persists. Typically, the fraudster telephones the business purporting to be its Bank, and uses information already obtained about the business to sound credible and mislead the employee taking the call. The employee is then talked into disclosing online banking details, or into authorising transfers, and the fraudster ends up controlling the account and making unauthorised transactions without the knowledge of the company. The sums that can be moved can be significant, and businesses need to operate with extreme caution when dealing with any call that is purportedly made from their Bank: a genuine bank will never ask for full security details or for money to be moved to a ‘safe account’, and the safest course is to hang up and call the Bank back on the number printed on your card or statement.
- A change in payment details: Another common form of attack is the attempted interception of an established payment. The fraudster, typically posing as a known supplier (often from a compromised or lookalike email address), tells the paying party that the supplier’s bank details have changed. The goal is to con the paying party into paying monies into a different account under the fraudster’s control. Any notified change of bank details should be confirmed with the supplier using contact details already held on file, not those given in the request.
- Removal of confidential information: While this form of attack could be, and sometimes is, carried out by a competitor, it is more commonly carried out by a rogue employee or employees who intend to set up in competition with their employer. In such cases the removal of customer lists and data can give a new business a considerable advantage in setting up.
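The ‘change in payment details’ fraud above is usually defeated by process rather than technology: the change is never applied on the strength of an email, it is confirmed by ringing a number already on file, and the payment run will only pay the verified account. The following Python script is an added illustration of that control, written for this page; it is not code from the original article or from the firm. The supplier, account numbers, email domains and phone numbers are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Supplier:
    """Supplier master record (constructed example). callback_phone is captured
    when the supplier is first set up and is never updated from an incoming email."""
    name: str
    email_domain: str
    callback_phone: str
    sort_code: str
    account_no: str
    pending_change: Optional[dict] = None


@dataclass
class ChangeRequest:
    """An emailed request to change bank details, as received by accounts."""
    from_email: str
    new_sort_code: str
    new_account_no: str
    phone_in_email: str  # whatever number the email asks you to ring


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def receive_change_request(supplier: Supplier, req: ChangeRequest) -> List[str]:
    """Stage 1: record the request as pending; never apply it directly.
    A sender domain that differs from the one on file (e.g. a lookalike)
    is the classic sign of a redirected-payment fraud, so flag it."""
    warnings = []
    if sender_domain(req.from_email) != supplier.email_domain.lower():
        warnings.append(
            f"sender domain {sender_domain(req.from_email)!r} "
            f"does not match {supplier.email_domain!r} on file"
        )
    supplier.pending_change = {
        "sort_code": req.new_sort_code,
        "account_no": req.new_account_no,
        "warnings": warnings,
    }
    return warnings


def confirm_by_callback(supplier: Supplier, phone_dialled: str, supplier_confirms: bool) -> str:
    """Stage 2: apply the change only after ringing the number already on file.
    Ringing a number taken from the email would let the fraudster confirm
    their own request, so that path is rejected outright."""
    if supplier.pending_change is None:
        return "nothing pending"
    if phone_dialled != supplier.callback_phone:
        return "invalid: callback must use the number on file"
    change = supplier.pending_change
    supplier.pending_change = None
    if not supplier_confirms:
        return "rejected by supplier"
    supplier.sort_code = change["sort_code"]
    supplier.account_no = change["account_no"]
    return "applied"


def authorise_payment(supplier: Supplier, sort_code: str, account_no: str) -> Tuple[bool, str]:
    """Stage 3: the payment run pays only the verified account on file."""
    if (sort_code, account_no) != (supplier.sort_code, supplier.account_no):
        return False, "blocked: destination does not match verified details on file"
    return True, "ok"


def demo() -> dict:
    """Constructed scenario: a fraudulent request from a lookalike domain,
    then a genuine change confirmed by callback. Returns the outcomes."""
    acme = Supplier("Acme Widgets Ltd", "acme-widgets.example", "01632 960001", "12-34-56", "11111111")
    fraud = ChangeRequest("accounts@acme-widgets-ltd.example", "65-43-21", "99999999", "01632 960999")
    out = {}
    out["fraud_warnings"] = receive_change_request(acme, fraud)
    out["pay_new_unverified"] = authorise_payment(acme, "65-43-21", "99999999")[0]
    out["callback_via_email_number"] = confirm_by_callback(acme, fraud.phone_in_email, True)
    out["callback_on_file_denied"] = confirm_by_callback(acme, acme.callback_phone, False)
    out["account_after_fraud"] = acme.account_no
    genuine = ChangeRequest("finance@acme-widgets.example", "22-33-44", "55555555", "01632 960001")
    out["genuine_warnings"] = receive_change_request(acme, genuine)
    out["callback_on_file_confirmed"] = confirm_by_callback(acme, acme.callback_phone, True)
    out["pay_new_verified"] = authorise_payment(acme, "22-33-44", "55555555")[0]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the three stages is that no single email, and no phone number supplied in an email, can on its own move money to a new account; the fraudulent request is held, cannot be ‘confirmed’ by ringing the number it provides, and is discarded once the genuine supplier is reached on the number already held.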
What should be done to try to prevent an attack?
We often advise businesses on what they can do and how they should implement protective steps. In summary, some of the main points are:
- Adopt best practice IT security across the business (for example: applying software updates promptly; using strong, unique passwords; deleting suspicious emails without opening them)
- Control the use of memory sticks and laptops, and ensure that any confidential data held on them is encrypted
- Ensure that you have appropriate legal protection in documentation (including terms and conditions; employment contracts; emails)
- Manage user privileges carefully, so that staff can only access and change what their role requires
- Ensure a continued programme of training to employees to reinforce the message
- Have an ability to respond quickly if problems do occur
What legal action can be taken after an attack?
If you find that your business has been subject to a cyber-attack, there are steps that can be taken to try and rectify, or at least mitigate, the impact of the attack.
The first point to emphasise is the need to act quickly. Often, the early stages after an attack are confused, as it is not entirely clear what has happened.
Then, amongst other steps, legal action can be considered. If the attacker is known there may be criminal matters that need to be investigated, or civil legal action that needs to be instituted. This may involve an application for an early injunction to prevent use being made of data, or for it to be destroyed or handed back if it is in the hands of an unauthorised party.
If there has been an unauthorised removal of monies, they may need to be traced and action taken for them to be repaid. If they cannot be traced, how did the attack occur? Was it due to others releasing key information when they shouldn’t, or might it be due to your Bank’s errors or omissions?
We provide guidance and training to businesses on these issues, and we provide advice and representation if a business finds themselves the victim of an attack. We are happy to discuss requirements on a no-obligation basis.
Contact Nick Parker on 029 20 34 55 11 or firstname.lastname@example.org for further information.
Nick Parker (Partner, Dispute Resolution Solicitor) frequently provides advice and representation to clients that have encountered a cyber-attack or are affected by these issues.