Each year, Cisco publishes an information security report that details the techniques and strategies attackers use to carry out various attacks. Unfortunately, one trend is clear: technology improves day by day, producing an ever-increasing number of threats and pieces of malicious software, while the level of business protection lags seriously behind. News of the hacking of the information systems of banks and of the payment services of large companies floods web resources and causes fear in many organizations.
But one should not think that hackers are interested only in large companies with high incomes. Small and medium businesses may also be the target of a hacker attack. This is primarily due to the low level of security of such companies’ information systems, or the complete absence of any means of protection against threats, the use of unlicensed software (often to save money), and the neglect of corporate training within the enterprise. For some small and medium businesses the consequences of a hacker attack can be fatal: the cost of restoring all systems, together with the blow to the company’s reputation, becomes an insurmountable obstacle.
Cybercriminals also take a heightened interest in the cryptocurrency market. Using various attack methods, hackers steal electronic money directly from its owner, or use intermediary resources for this purpose: wallets, exchanges and so on.
Types of attacks
Attacks on business structures can take completely different forms. One is phishing, carried out, for example, by sending e-mails to employees. In such a letter, the attackers invite the victim to follow a link to a specific website with malicious code embedded in it. In this way they gain access to the corporate network and can steal the data they need. Very often hackers use so-called social engineering: the hacker studies accounts on Facebook, Instagram and LinkedIn in search of information about personal interests, hobbies and contacts. With this information, it is much easier to entice a person to follow an interesting link and achieve the attacker’s goal, and the victim is unlikely to suspect anything. Attacks can also be hidden, aimed at penetrating the network and collecting information over a long period.
The use of malicious software deserves separate attention. This problem often arises from the carelessness of employees and a reluctance to spend money on licensed software products. When the necessary programs are downloaded from the Internet free of charge, there is a high risk of “infecting” computer systems with various viruses that can both disable the equipment and steal important data.
Cyber attacks on business often take the form of crimes, because they cause irreparable damage to their victims. As a rule, such acts are financially motivated, that is, they are carried out for the purpose of extortion, blackmail and fraud. Stolen data is sold to competitors or becomes the subject of a ransom demand.
One of the key factors that can deter uncontrolled waves of cyber attacks is a harsh system of criminal penalties for cybercriminals, as, for example, in the United States. Ukraine, unfortunately, does not yet have such developed and refined legislation for prosecuting the illegal malicious actions of hackers.
Cybersecurity legislation in Ukraine
The first step towards the creation of cybersecurity legislation was the adoption of the Law on the Basic Principles of Ensuring Cybersecurity of Ukraine in 2017. Analyzing this regulation, it is worth noting that it is largely declarative in nature, providing neither requirements for security systems nor instructions on what to do in case of an attack. Alongside this Law, which has a rather limited scope, there are a number of other by-laws that are still in force but have lost their relevance.
Ukrainian legislation undoubtedly lags behind European and American legal regulation of cybersecurity issues; however, the good news is that the Criminal Code of Ukraine provides for liability for such crimes as interfering with automated systems; creating, distributing or selling malicious software; and unauthorized actions with information processed in computers. The full list can be found in Section 6 of the Criminal Code of Ukraine.
As a rule, the commission of such crimes entails liability in the form of a fine, restriction of liberty or correctional labor. Only the sanctions of the articles on unauthorized interference with the operation of automated systems and on the creation and distribution of malware include imprisonment as a form of punishment.
The priority role in the investigation of cyber attacks is played by the timely conduct of the necessary investigative actions, during which an IT specialist and a lawyer must be present. Their cooperation helps to collect all the materials necessary for the evidence base while observing the norms of the current criminal procedure legislation.
Proving the commission of a cybercrime is quite problematic. According to the Code of Criminal Procedure of Ukraine, evidence in criminal proceedings is evidence obtained in the manner prescribed by law, and the sources of evidence are testimony, physical evidence, documents and expert opinions. Fixing the traces of the crime is often impossible, because the specifics of cybercrime allow those traces to be destroyed. The hard disk of a computer can become physical evidence, but by itself it will not provide all the relevant information. Almost the only appropriate and valid evidence is an expert opinion based on the results of a computer-technical examination.
However, it is not only the stage of obtaining evidence that will be difficult. Determining the computer from which the attack was carried out, as well as identifying the person directly involved in the crime, is not an easy task. Therefore, an experienced lawyer will help to provide legal assistance, monitor the effective conduct of the investigation, and promptly contact a competent law enforcement agency.
In our practice, the specialists of the Legal Consulting Center Law Firm have repeatedly defended the interests of clients whose companies suffered from the destructive actions of hackers. For example, a Ukrainian developer of software for submitting reports to the regulatory authorities underwent a massive cyber attack, which caused many users of this software to suffer. The reporting information of many companies was destroyed by a virus that caused irreparable material and reputational damage to the developer. Such hacker intervention in the software was comparable to a raider seizure; however, the company was able to withstand it thanks to the fast and well-coordinated work of our specialists. Our lawyers were also able to provide qualified assistance to a client whose money, held in bank accounts, was transferred by fraudsters to one-day (shell) firms through illegal entry into the company’s software.
The carelessness of victims of cybercrime often leads to irreparable consequences, so it is better to protect yourself and your company from possible attacks and threats in advance.
Information Security Policy
An important element of the functioning of any business structure is its information security policy. This is a set of rules, requirements and recommendations that regulate the organization’s handling of information and are focused on maintaining information security. Often it is not one holistic document but several provisions with key positions: for example, a provision on liability for information security, rules for the processing of personal data, enterprise standards for each category of protected information, and a policy for responding to cyber threats. Although the legislation of Ukraine does not provide clear regulation of information security requirements, these legal documents will become a certain guarantee of business security.
It is also worth considering that not only external factors may become a threat to the business. Often employees, either on their own initiative or at the malicious instigation of competitors, steal data or harm computer systems. Concluding a number of legal documents (job descriptions, liability agreements, confidentiality agreements) will help prevent this situation or minimize the risks. Worldwide it is common practice to conclude non-competition agreements between the employer and the employee, prohibiting the latter, after dismissal, from working for a competitor operating in the same field as the former employer. In Ukraine, such a clause contradicts several provisions of the current legislation, so it is unlikely to help bring an unscrupulous employee to real liability.
Creating a security policy and concluding various legal documents are not the only recommendations worth considering in order to protect a business from cyber attacks.
Firstly, it is necessary to comply with security requirements at the stage of creating a specific product, site or system that will be used in the enterprise’s activity, and to discuss the key security points with the developer. Secondly, it is worth remembering that the use of unlicensed software will sooner or later lead to various problems. The human factor also plays an important role. A tempting link from an unfamiliar sender can often play a cruel joke, so it is important to engage in corporate employee training, conduct trainings, and bring the rules of cyber hygiene to employees’ attention.
No less significant is the continuous use of various technical means of protection: software updates and vulnerability testing. For this, you can engage a company specializing in systems testing and technical audit. The contract for cooperation with such companies also contains a number of features that may go unnoticed by the client if he does not use the help of a lawyer. A careless attitude to cybersecurity issues can eventually lead to serious problems. For example, the large-scale leak of data of more than 50 million users of the Facebook social network, carried out using an information-gathering application, caused great damage to the company and critically reduced the value of its shares, despite its years of successful existence. The incident led to law enforcement investigations and caused users to doubt that their data was securely protected.
Business cybersecurity, despite its loud name, is a very important aspect of an enterprise’s success, especially if the company deals with confidential information and databases, cares about maintaining commercial secrets and values its reputation. Cybersecurity is provided not only by a number of technical methods; the legal remedies mentioned earlier also play an important role. The main thing is to contact a competent lawyer in advance who, based on the individual characteristics of the enterprise, will conduct compliance control and develop all the necessary legal documents to minimize the risks in the field of cybersecurity.
Anna Klimenko, Law Firm “Legal Consulting Center”