Out-Law News 1 min. read
29 Jul 2015, 2:59 pm
Cyber risk expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said there are legal constraints on businesses wishing to "hack back" at cyber attackers, but questioned whether prosecutors in the UK would have an appetite to prosecute those engaging in such activity.
"Cyber risk was, until recently, seen by most businesses as a problem for the information security teams in their organisations, where the focus was on preventing hackers from gaining access to systems and obtaining confidential business and customer data," Birdsey said. "There is now widespread acceptance within the business community that it is impossible to defend their entire IT estate 100% of the time, and that security breaches will happen."
"Businesses, including senior management teams, are now judged on how well they prepare for an incident and how well they respond in the event of a breach. In recognition of this, companies have been investing in anticipation of breaches occurring," he said.
According to a recent report by the Financial Times, which quoted figures from the Ponemon Institute, 46% of US businesses have increased their cyber security budgets in the last two years, and half expect to increase their spending further in the next two years.
The Financial Times reported that some businesses have turned to hacking back at attackers of their IT systems in an aggressive form of defence. Birdsey said that such activity is likely to breach the Computer Misuse Act in the UK which contains broad restrictions against computer hacking and does not provide hackers with a public interest defence to justify their activities.
"There is a practical question around whether law enforcement agencies in the UK would ever become aware about a business' computer hacking activities against foreign-based attackers and, if they were, whether prosecutors would have an interest in enforcing criminal penalties, which can include fines and imprisonment, given the dynamics of international cyber crime," Birdsey said.
Birdsey said businesses can turn to other ways to improve their approach to cyber risk.
"Companies are increasingly aware of the cyber risks they face but different divisions within businesses are not always aware of what each other are doing to combat the threats they face and prepare to respond to breaches when they happen," Birdsey said.
"Organisations should establish an incident response team, bringing together expertise from departments such as IT security, information systems, HR, communications, legal and risk. This team could not only help develop a plan of action for minimising the impact of security breaches when they occur, but also be encouraged to meet regularly to share best practices developed within their own teams and ensure a coordinated approach to cyber security across the organisation," he said.