What have I to fear from a cyber-attack?

United Kingdom

This article was produced by Nabarro LLP, which joined CMS on 1 May 2017.

Summary and implications

Do you have anything to fear from a cyber-attack? The answer is probably yes. Intrusive or disabling attacks on critical computer systems by malefactors are becoming increasingly commonplace, and the view currently taken by Western governments and regulators is that the incidence of such attacks is likely to increase to a level of serious concern.

So why is this relevant to funds and other indirect investment in real estate?

All businesses are potential targets and no sector is immune. Since computing systems hold information, it could be said that this is a form of information war. A hacker's two strategies are either:

  1. to disable your computer system either temporarily or permanently, so denying you access; or
  2. to take or change something that is held on or in a computer system, usually by stealth.

In the latter case, the activities are solely for the purposes of gain whereas in the former case it is possible that attacks may take place on ideological grounds.

So even if you think that it does not apply to you, it probably does. Here we explain simply what you can expect by way of a so-called cyber-attack.

Denial of access to your system

The denial of service activity is usually associated with an individual or group that bears some sort of grudge against an organisation which relies heavily upon its computer systems. The grudge can be ideological such as an animal rights group trying to disable the server of a bio-experimental organisation. This is less likely to apply in the real estate sector. Alternatively, it can be personal, for instance an ex-employee seeking to embarrass their ex-employers because of some perceived slight or indignity either at the workplace or as a result of being discharged from it. This could happen in any organisation.

Denial of service attacks have been known to last anything from minutes to days and are first noticed either by a very marked decrease in traffic going to and from your server or a phone call from a security agency informing you that the domain name system (DNS) is being attacked and that access to your server as a result is being compromised.

The essence of a denial of service attack is to ensure that so many repeated requests are made of the DNS that legitimate customers cannot access the servers of people with whom they wish legitimately to trade. This would suggest that those who are carrying out the denial of service attack do so because they wish to deprive the target organisation of the ability to communicate in some way or another. In the real estate sector, trading is not generally computer based, so it is likely to be less business critical than in many other sectors.
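As an added illustration, not from the original article, of how the symptoms described above appear in a server's own records: a short Python detector over constructed DNS query log lines (hypothetical format: second, client address, name queried, result) that flags seconds where the query rate far exceeds a quiet-period baseline and most answers fail, and lists known clients that were denied service.

```python
from collections import defaultdict

# Constructed sample log. Seconds 100-104 are quiet (two queries each from known clients);
# seconds 105-106 are a flood of repeated requests from many addresses, and the server
# starts answering SERVFAIL, so the known clients that query in those seconds are denied.
NORMAL = "\n".join(f"{t} 198.51.100.{i} www.example.com NOERROR"
                   for t in range(100, 105) for i in (10, 11))
FLOOD = "\n".join(f"{t} 203.0.113.{i} www.example.com SERVFAIL"
                  for t in (105, 106) for i in range(1, 41))
DENIED = "105 198.51.100.10 www.example.com SERVFAIL\n106 198.51.100.11 www.example.com SERVFAIL"
SAMPLE_LOG = "\n".join([NORMAL, FLOOD, DENIED])
KNOWN_CLIENTS = {"198.51.100.10", "198.51.100.11"}

def parse_log(text):
    """Yield (second, client, qname, rcode) tuples from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            sec, client, qname, rcode = line.split()
            yield int(sec), client, qname, rcode

def per_second_stats(records):
    """Aggregate query count, distinct clients and failed answers for each second."""
    stats = defaultdict(lambda: {"queries": 0, "clients": set(), "failures": 0})
    for sec, client, _qname, rcode in records:
        s = stats[sec]
        s["queries"] += 1
        s["clients"].add(client)
        if rcode != "NOERROR":
            s["failures"] += 1
    return dict(sorted(stats.items()))

def flag_flood(stats, baseline_seconds, rate_factor=10, failure_ratio=0.5):
    """Return (second, queries, distinct clients) for seconds that look like a flood:
    query rate at least rate_factor times the baseline and most answers failing."""
    baseline = sum(stats[s]["queries"] for s in baseline_seconds) / len(baseline_seconds)
    flagged = []
    for sec, s in stats.items():
        if sec in baseline_seconds:
            continue
        if s["queries"] >= rate_factor * baseline and s["failures"] / s["queries"] >= failure_ratio:
            flagged.append((sec, s["queries"], len(s["clients"])))
    return flagged

def denied_legitimate(records, known_clients):
    """Known clients whose queries received a failed answer, i.e. who were denied access."""
    return {c for _sec, c, _q, rcode in records if c in known_clients and rcode != "NOERROR"}

if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    print(flag_flood(per_second_stats(recs), baseline_seconds=range(100, 105)))
    print(denied_legitimate(recs, KNOWN_CLIENTS))
```

The thresholds are illustrative; in practice the baseline comes from a longer quiet period and the flagged seconds would be correlated with the drop in legitimate traffic the article mentions.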

Whilst it is possible to obtain insurance and adopt procedures to weather a denial of service attack, such attacks are fairly difficult to stop once they have started and the best strategy is simply to wait until the storm is over. Catching the perpetrators of such attacks is nigh on impossible unless there is an insider who is willing to provide evidence of their wrongdoing and that of those in their cohort.

Entry to your system

The other form of cyber-attack is more insidious in that it involves a person gaining entry to your server without you realising it. Instead of having the DNS besieged by repeated requests compromising your bandwidth, it is more a case of a person entering your system as a single user and expropriating, deleting or otherwise corrupting your informational assets (or threatening to do so unless funds are deposited in a far away and untraceable bank account).

In some cases direct entry may not be possible and indirect methods may be used, such as implanting a virus on detachable media or in an email, or by way of downloadable information from an insecure or unverified website. Of course, once the disrupting software is in your computer system, the hacker has a better chance of circumventing entry security.

In addition to the impact of the theft of your own financial or strategy information, if you are the victim of a cyber-attack you will also have to comply with the requirements of financial and information regulators, including in respect of any personal information compromised during the attack. So if you are in an organisation with an IT team, comply with their security requirements. Make sure that data are hard to get at and not easily lost, and that passwords are secure.

What is being done?

There are two strands of activity which may be of interest to you.

The first is that the EU is striving for much more coordination and sharing of information between cyber authorities and agencies of different member states. Whilst this will not stop cyber-attacks as such, it will enable them to be understood more completely – a current problem is that we know little about "the who" and "the how" and precious little more about "the why".

The second is that cyber-attack insurance is becoming increasingly available and is reasonably well priced (although in both cases less so if large levels of cover are required). This, in turn, is due to an increased willingness to insure based upon a better understanding and appreciation of risk – more information is needed but the network security initiatives of the European governments should assuage that problem in time.

What should I do now? The answer is not nothing. Assess your own risk and vulnerability. The following table might help:

Do you hold data? Probably yes.

If so, then are any of those data valuable? Almost certainly yes (and possibly all of it, in particular data relating to business strategy, IP and financial information).

If so, then how valuable might those data be to others outside your organisation? The answer is likely to be that it more precisely depends upon the kind of data in question.

How regulated are you? You are most certainly regulated by the Information Commissioner but you might also be regulated by the Financial Conduct Authority or equivalent.

Be aware of your company's policies and follow them.

Do those policies cover the following:

- Privacy.
- Detachable media.
- Over the shoulder.
- IT Security.

Has your organisation thought about insurance? Insurance is available – your premium may depend upon what measures you adopt to protect your business against a cyber-attack. Having a security consultant goes a long way to reducing your premium.

Is there a PR plan if things go wrong, and are you aware of the following:

- Reception policy – are your staff trained as to what to say?
- Website policy.
- PR consultants ready?
- Who is going to make the announcements?

Do you know your organisation's recovery plan? Make sure you find out about it. You probably employ recovery consultants. Do you know who to contact?

Might court proceedings help? It is always best to have solicitors on standby with application notices and outline evidence ready, enabling you to act quickly if appropriate.

If you or your IT team would like any more detail on any of this, please get in touch with the authors, or your usual Nabarro contact.