This year security threats have dominated the headlines, and cyber security has more often than not been the big story. From the USA and China working towards a ‘cyber truce’, to the Hacktivist group Anonymous declaring online war on the terrorist group Islamic State, cyber security has been a high profile battleground. However, it is how individuals and families have been targeted that has been one of the most concerning developments.
It is estimated that more than 800 million individuals are affected by cybercrime each year. In the UK, 21% of individuals who suffered breaches thought that they had been specifically targeted by the hackers. Increasingly, high net worth individuals are being targeted and some of the personal losses have run into millions of pounds. The average financial loss in the UK is £738.
Recent breaches, such as the hacking of Ashley Madison (the dating website that purports to enable married individuals to engage in extra-marital affairs), show a ruthless side to cyber criminals and also highlight a trend – that of stealing sensitive information and asking for ransom money to stop it being published or destroyed.
High net worth individuals, often from all over the world, can present an easy target to hackers due to their wealth and public profile, the sensitive information they hold, and (crucially) their frequently low levels of cyber security. It is evident that cyber-criminals have worked out that they are an easier target than most corporates and it is therefore all the more important that all individuals ensure they have a good standard of cyber security in place. The potential consequences of security breaches range from significant financial loss through to the unwanted publication of sensitive information. This in turn can lead to significant reputational damage and embarrassment.
Individuals therefore need to consider both how to pre-empt any attack on their information and how to respond to any such attack.
What are you trying to protect?
Technology plays a vital role in the work, play and communications of all individuals and families throughout the world. This means that for the majority of people there is a huge amount of personal data online and many key activities are dependent on accessing the internet.
Those matters that individuals and their families will want to protect can be divided into eight broad categories:
- Personal identifiable information – Many want to keep their name, address, passport details, contact information and health information confidential.
- Financial information – Loss of confidentiality of banking, investment and payment information can lead to direct financial loss.
- Privacy of digital media – Family photos, music collections, emails, text messages and sensitive documents that are important to the individual need to be protected from unwarranted disclosure or misuse.
- Physical location information – Standard schedule and holiday/trip movements can lead to enhanced risk of physical crime such as kidnap or burglary.
- Security information – Usernames, passwords, alarm and entry system codes often give criminals complete access if they are stolen.
- Reputation – Reputations can be destroyed in seconds and it is critical to control your online identity.
- Computers and devices – The health of devices used to store, process or transmit information needs to be protected. Many individuals have multiple devices including smartphones, tablets, laptops and desktops, all of which are potentially vulnerable.
- Innocence – There is some unpleasant content on the internet and many parents are nervous about their children surfing online unsupervised and unprotected.
Who wants to attack you online and why?
A wide range of threat actors target wealthy individuals and their families. They can include family members, staff, criminals, hackers, lawyers, journalists, competitors, political rivals and even foreign intelligence services. While most of these groups are seeking financial gain, other motives include stealing identities, causing disruption, learning secrets, gaining competitive advantage, causing physical harm, negatively affecting reputation, making a political statement or seeking revenge.
How will they do it?
In fact, many cyber-attacks are completely non-technical. It is often much cheaper and quicker to attack the people and process rather than the technology. Humans, by our nature, want to help others and this can often be exploited by criminals in their attacks.
For instance, when people receive an email from someone asking them to take action – maybe clicking a link, opening an attachment or sending money – the default position is generally to comply with the request. As a result, email remains a popular method of cyber attack and many will simply try and trick people into sharing confidential details or downloading malicious software to help them get what they want.
Physical security is also a key part of protecting the eight key areas listed above, and it is therefore vital to ensure that devices are properly secured. If the attacker has the device, they have full access to the data on it. Addressing physical security of devices and information is therefore critical to an individual's cyber security strategy.
In addition to email and direct access to a device, there are many other ways that cyber-attacks can be launched. These include malicious software, hacking, intercepting wireless or mobile phone traffic or simply paying staff, such as cleaners, to share information. It is vital to understand who might target an individual, how they might do it and ensuring the right protection is in place.
Being proactive: put protection in place before you are targeted
A few key steps can help protect individuals and their families from the majority of cyber-attacks and provide a solid base should the level of threat increase. It is important to begin by understanding the information that is already online and which could be used in an attack.
High net worth individuals should be warned about what they share online as it can be used against them or used to impersonate them. They should be advised never to share personal information online, or information about their whereabouts or the electronic devices they use. Cyber criminals often research this information in order to target people effectively.
In many cases the only thing that stands in the way of criminals accessing data is an individual's password. It is therefore vitally important for online accounts and devices to be protected by complex passwords (not the name of a pet, partner or child or the word "password"!) and for different passwords to be used for different types of site or device.
There are many other security measures that can be taken such as backing up data, using anti-malware software, updating the software on devices and being very careful of emails with links or attachments. However, individuals who are worried about their cyber security should also consider asking an expert to provide additional advice on ensuring the right protection is in place.
As noted above, information security breaches also have the potential to cause severe reputational damage and distress to the victims. This is particularly the case when it comes to those individuals and their families who have significant international profiles and for whom the leaking of sensitive information can be especially damaging to their commercial and private interests.
Such individuals would be well advised to have a crisis management plan in place in order to ensure that any disclosure of sensitive information can be managed as effectively as possible and any reputational damage caused can be mitigated. Issues to consider include designating a point of contact who will lead in the event of a breach, as well as identifying in advance the type of information that might be subject to attack. Effectively, there needs to be a collective approach between individuals and their advisers to develop a chain of procedures that will come into action if and when a breach takes place.
Responding to a breach
As should be clear, it is critical to understand that the response to a cyber security breach is rarely just a technical or legal response. Most breaches have technical, communication and legal experts working together on containing the issue and recovering from it.
For example, if a cyber criminal steals sensitive pictures belonging to an individual and threatens to post them online unless they receive a ransom, the cyber team will start gathering evidence and putting better security in place, whilst the legal and communications experts will work to reduce the chance of the photos being published and limiting damage if they do.
From a legal perspective, where sensitive information is threatened to be published or is in fact published, there are a number of possible causes of action. For instance, the unlawful accessing, and any subsequent publication, of sensitive data is likely to constitute a misuse of private or confidential information, as well as a breach of the principles set out in the Data Protection Act 1998. In such circumstances, the individual whose data is compromised may be able to obtain an injunction preventing publication of the information, together with damages for the distress caused. Damages may also be recovered for any financial loss suffered as a result of the security breach. Repeated threats of publication or a campaign of publishing damaging information may constitute a course of conduct that amounts to civil harassment under the Protection from Harassment Act 1997. Again, damages are available in respect of any anxiety or financial loss caused, as is an injunction restraining further harassment.
Of course, one of the problems associated with information security breaches is that those responsible rarely want to identify themselves. However, the law does offer some options where threats are made or information is published via seemingly anonymous means. Frequently those responsible will contact the victim through email or social media and/or publish information via the internet. In such circumstances, there is a procedure, known as the Norwich Pharmacal procedure, whereby third parties (such as email providers, social media websites or internet service providers), whose services have been used to commit a wrong-doing, can be ordered by the Court to disclose any information they hold that may assist in identifying those responsible. Generally speaking, such third parties should not oppose the procedure meaning that it can often be completed very quickly. It is worth noting that where such third parties are based outside England and Wales, the procedure can operate more slowly and take longer to enforce, although experience suggests that some of the major international companies (Google and Skype among them) are increasingly willing to comply with orders made by the English courts. Nonetheless, this again highlights the need for a joined up approach, with cyber security experts conducting their own technical investigation to try and identify those responsible.
The reality is that security breaches are also almost certain to entail criminal activity, particularly where financial loss is involved. Cyber-crime and the use of information illicitly accessed often involve elements of blackmail, criminal harassment, theft, fraud and offences under the Computer Misuse Act. Individuals may therefore consider reporting the matter to the police, although it is important to understand that the involvement of law enforcement will remove a significant degree of control from any response to the security breach and should therefore not be taken lightly. Conversely, the police do have investigative methods available to them, which are not available to those not involved in law enforcement. If it is possible to open dialogue with the police, then this can be an effective approach.
The importance of acting now
There can be little doubt that technology and the internet will continue to shape our lives and the balance of convenience and privacy will always be a challenge. Nonetheless, by being proactive and ensuring that they have the basics covered, high net worth individuals and their families can minimise the risks associated with their information being compromised. The ability of hackers to break through the security of multi-national corporates should serve as a telling reminder to individuals that the safety of their personal information cannot be guaranteed. Nonetheless, the adoption of precautionary measures, together with a team of advisers ready to act in the event of a breach can be invaluable and can turn individuals and their families into more difficult targets.
If you require further information on anything covered in this briefing please contact Thomas Rudkin (email@example.com; 020 3375 7586) or your usual contact at the firm on 020 3375 7000. Further information can also be found on the Private Wealth page on our website.
Rory Innes, Head of Cyber Security Services, S-RM
Rory is responsible for ensuring both private clients and organisations can operate in a secure online environment. His team are leaders in private client cyber security and work across the globe to support proactive security and respond to breaches. Rory has spent over 13 years in the information security industry and prior to S-RM, he was a Director at Dell SecureWorks where he was responsible for key functional groups across Europe, the Middle East and Africa.
Founded in 2005, S-RM is an intelligence-led, risk consulting business that helps clients understand the risks to their business and identify and implement the most effective means of mitigation. S-RM’s Private Clients practice, services clients that come from all over the world including entrepreneurs, CEOs, celebrities, sports professionals, multi-generational families and multi-family offices by enabling their business interests and supporting their lifestyles.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, December 2015
A collective approach to cyber security – preventing and responding to a breach .pdf222kB