Cybercrime event summary: current threats, prevention and the role of criminal enforcement

Written on 4 May 2016

On 25 April Osborne Clarke Partners Jeremy Summers and Charlie Wedin hosted a client seminar on “Cybercrime: current threats, prevention and the role of criminal enforcement”.

The event included presentations from Owen Brady of the Financial Conduct Authority’s Cyber Specialist Team; Peter Yapp, Deputy Director of Operations at CERT-UK; and Detective Superintendent Terry Wilson, Cyber Crime Programme Lead at the National Police Chiefs’ Council.

The clear message from all speakers was the need for increased collaboration amongst businesses, regulators and enforcement authorities.  Intelligence and information sharing (including the sharing of lessons-learnt and success stories) is a powerful tool for businesses in the fight against cybercrime.

Owen Brady: Cyber Specialist Team, Financial Conduct Authority

Financial services businesses are particularly attractive targets for cybercriminals given the sensitivity and valuable nature of the data they hold.  Typical attacks include attempts to acquire price sensitive information affecting market integrity, customer details (which can be sold on to third parties) and electronic theft of client funds.

The FCA works with financial services firms to better understand the threats of cybercrime in an attempt to strengthen cyber resilience.  Owen explained that the FCA’s role is not one of mitigating specific cyber risks, but of supervising firms from a regulatory perspective to ensure they themselves are taking adequate steps to mitigate those risks. As businesses continue to use bigger and more sophisticated electronic systems, the challenges they face in relation to cyber security are increasing.

Owen identified the key industry shortcomings uncovered by the FCA as both cultural and technological.  While technical capabilities often fall short – for example, failure effectively to detect cyber-attacks and identity threats – awareness of cyber security issues is also often poor.  Staff training on cyber security often needs to be improved as does the oversight and auditing of internal IT security teams and systems.  As we move towards greater storage of data in the Cloud, the need for firms to oversee their third party suppliers’ cyber risk mitigation plans will become increasingly important.

Peter Yapp – Deputy Director of Operations, CERT-UK

CERT-UK is the UK’s National Computer Emergency Response Team.  It is responsible for coordinating the management of national cyber security incidents, providing cyber security support to national infrastructure companies and promoting cyber security awareness.  It also acts as the international point of contact for coordination and collaboration between other national CERTs.

Since CERT-UK was formed in 2014 it has dealt with over 600 cyber security issues that have required additional work. Peter identified two of the top five sectors reporting incidents to CERT-UK as being financial and professional services.

The Cyber security Information Sharing Partnership (CiSP) is a key part of CERT-UK.  CiSP is a free-to-join, government-funded initiative through which industry and government can share cyber threat and vulnerability information.  Over 2,000 organisations are currently members, from a wide cross section of sectors. As part of the service, organisations can provide their IP ranges or domains to CERT-UK, which, as the national CERT, will monitor its feeds for network abuse coming out of those ranges or domains and notify the affected organisation in a format dictated by the organisation.

Members can also access a real-time secure electronic information exchange, where they can raise issues and seek advice as to how to counter them.  They can also report cyber incidents directly to the authorities, which may expedite the closing down of a problem and so mitigate the potential for damage to be sustained.

Peter explained that malware is currently responsible for around 35% of all cyber security incidents, 80% of which could have been mitigated through implementation of the “10 Steps to Cyber Security” published by CESG, the UK’s National Technical Authority for Information Assurance.

Detective Superintendent Terry Wilson – Cyber Crime Programme Head, National Police Chiefs’ Council

Terry started by identifying the current critical cyber threats as network intrusion, banking malware, extortion (denial of service) and ransomware.  Key enablers are criminal marketplaces, inside agents, poor staff awareness / training and poor cyber security.

Terry went on to provide a number of statistics on the growing impact of cybercrime on UK business. Allianz has reported that cybercrime cost the UK economy £2.8 billion in 2015.  The average cost to a large organisation of its worst security breach in 2015 was between £1.46m and £3.14m (up from £0.6m – £1.15m in 2014), whereas the average cost to a small organisation was between £75k and £311k (up from £65k – £115k in 2014).

The police estimate that 88% of cybercrime could be prevented through improved procurement policies and staff awareness. However, given the rapidly changing threat landscape and the fact that cybercrime often crosses multiple jurisdictions, law enforcement agencies are particularly reliant on collaboration from industry to provide an effective response. Collaboration can be achieved indirectly through your legal advisor.

Osborne Clarke’s top tips for cyber security

1. Conduct regular risk assessments.

2. Identify your most valuable pieces of electronic information and tailor risk management to ensure your crown jewels are protected.

3. Implement a cyber security risk management policy and provide all members of staff across your business with training. Have a cyber security incident response plan and make sure you stress-test it regularly, ideally in a simulated real life environment.

4. Give both external and internal risks due attention – according to certain estimates a large proportion of cyber incidents occur as a result of inadvertent or deliberate acts of the affected company’s own employees rather than from an external attack.