Over the past few years we have seen increased awareness of cyber security as an issue, especially at the European level. In early July, the European Union voted on a new directive focusing on the prison sentences of those convicted of hacking. The directive focused on the penalisation of illegal access, illegal system and data interference, and specifically addressed the maximum terms of imprisonment with individuals now facing two years behind bars. The directive increased the sentence to three years if botnets were used, and five years for attacks causing serious damage or if they were targeted at critical infrastructure.
Whilst at a high level the directive is certainly noble, the problem is it’s just another example of adding to the ever growing, complex patchwork of cyber security laws. The memo from the European Parliament primarily addresses a small subset of computer crimes that focuses on botnet activity, however, you don’t need a botnet to carry out attacks of the targeted variety. In addition to this, the language is unclear and is therefore open to interpretation, even by industry experts, which presumably was not the intention.
Taking hackers off the street
While it is a step in the right direction, this directive alone is not enough to significantly decrease cybercrime. The directive will certainly be useful at taking some hackers "off the street", but this won’t improve the effectiveness of catching perpetrators. After all, cross-border law enforcement cooperation is a process and will not change overnight.
As part of the European Union’s cyber security strategy, an EU Data Protection regulation was proposed in an attempt to mandate companies that process, store or transmit personal data to appropriately protect it. The proposed regulation would place an onus of securing personal data recordsupon individual organisations, sometimes referred to as data custodiansalbeit, there are significant questions around how smaller businesses will be appropriately guided and educated on the matter.
Who is responsible for "cyber security?"
Ultimately, Cyber security needs to be a board level issue. Directors need to realise that technology has increasingly become the heart of their business rather than something that aids it. Attacks targeted at their organisation have the potential to disrupt business operations permanently. What we know from our client engagements is that many employees still remain relatively unaware of some basic security principles. In the 2013 Trustwave Global Security Report, for example, we found that ‘Password1’ still remains the most commonly used password.
Organisations have a duty of care to protect their customers’ data, and need to have a robust cyber security strategy in place.For any cyber security plan to succeed it needs to come from the top, whether that is the boardroom of a large enterprise or the director in a small business. Meanwhile, legislation at both national and international level needs to be focusing on working to catch cybercriminals, as well as work towards developing regulations that can help understand and help implement cyber security strategies.
The new directive on attacks against information systems is part of a much wider EU strategy in tackling cybercrime and there is more that needs to be done. Namely there needs to be wider cooperation between law enforcement agencies and governments in sharing information to effectively target and take down cybercriminals. Businesses, however, must not get complacent, and must understand that cybercrime is not an issue that only legislation can solve. They should continue to implement security strategies that will ultimately help to protect their systems and data.
