The COVID-19 pandemic would have crippled world affairs if it weren’t for the advanced technology and the efficient digital space that enabled people to use a virtual alternative to the unsafe outdoors. Today, the use of computers and technology is a necessary evil, though risky to use because of privacy and security issues, however, is essential for furthering the idea of globalization and the ease of doing businesses around the globe.
While the world is busy fighting a novel virus attack, there is another attack the virtual world is dealing with simultaneously. Cybercrimes are on the rise these days with the increase in the virtual presence of people and their data that could be dug out and even manipulated against their will. Social media is significantly responsible for the concerning rate of cyber attacks on a daily basis. Cyberattacks during the pandemic have taken a toll on individuals and organizations across the Globe. Swissinfo.ch reported the figures from the National Cyber Security Center that there were 350 cases of cyber attacks in Switzerland in the month of April itself as compared to the normal tally of 100-150. 1
Business Organizations should not neglect the fact that Securing data should be one of the most essential objectives. Cybersecurity Ventures predicted that the damages due to cybercrimes would hit 6 trillion USD by 2021.2 Any successful cyber attack can cause major damage to an individual or an organisation and so in order to protect oneself from this, one needs to understand what are cybercrimes, how they take place and their impact.
A Cybercrime refers to any criminal activity that involves a computer(s) and a network. Such crimes are committed not only by individuals but by organizations as well. The purpose behind cybercrimes, more often than not, is to extort money from the victims. Other times they are committed to exploit confidential/sensitive information or to blackmail the victims as well. Some cybercriminals are organized, use advanced techniques while a lot of inexperienced hackers also get involved these days.
Types of Cybercrime
Cybercrimes can be broadly divided into (a) such activities that target a device through a network (i.e. often by the use of viruses or other types of malware), or (b) such activities that use computers to commit other crimes (i.e. mostly to spread illegal content or spread viruses). A lot of times both kinds of above-mentioned crimes are committed simultaneously when the target devices are infected with viruses and then it’s used to spread malware to other devices through a network.
The following are certain common types/forms of cybercrimes:
- Identity fraud (i.e. personal information is stolen and used).
- Cyber Extortion (i.e. to demand money in order to prevent a threatened attack).
- Ransomware attacks (i.e. a type of cyber extortion).
- Cryptojacking (i.e. hackers mining cryptocurrency using resources they do not own).
- Theft of financial or card payment data.
- Theft and sale of corporate data.
- Email and Internet fraud.
The US Department of Justice recognizes the third category of cybercrime where ‘a computer is used as an accessory to crime’, for example: storing stolen data in a device.
The European Convention of Cybercrime, signed by the United States, casts a wide net and there are numerous malicious computer-related crimes which it considers cybercrime including, inter alia, selling illegal items online, illegal gambling, stealing or intercepting data illegally, and manipulating systems enough to compromise a network.
The following are certain popular examples of cybercrime:
A malware attack is where a computer system or network is infected with a computer virus or other type of malware to compromise the security of individuals and organizations, including stealing sensitive data for criminal purposes.
WannaCry ransomware attack of 2017 was one of the worst global cybercrime.3 Ransomware is a type of malware used to extort money by holding the victim’s data or device to ransom. WannaCry is a type of ransomware that targeted a vulnerability in computers running Microsoft Windows where 230,000 computers were affected across 150 countries. Users were locked out of their files and sent a message demanding that they pay a BitCoin ransom to regain access, which caused an estimated worldwide financial loss of around USD 4 billion.
Phishing refers to such acts of tricking the public into doing something (i.e. like opening spam emails, or malware-infected pop-up ads, etc) that compromises the security of individuals or organizations. One’s confidential information may be collected by manipulating or tricking the receiver.
In 2018, a major phishing scam took place where football fans received mails trying to lure them with fake free trips to Moscow to witness the WorldCup. The people who opened and clicked on the links contained in these emails had their personal data stolen.4
When phishing is targeted to an individual in order to compromise the security of an organization then such a campaign is referred to as spear-phishing. These are worse than normal phishing campaigns as the spear-phishing messages seem to have come from trusted sources, say, internal management of your organisation. Thus, it makes it a dangerous cyber attack.
Distributed DoS attacks (DDoS)
This kind of cyber attack is intended to collapse networking systems. IoT or ‘Internet of Things’ devices (like amazon echo, etc., virtual assistance devices that run on wifi and Artificial intelligence technology) are often used for launching DDoS attacks.
Criminals could use this tactic to extort from the victims, or even use it as a distraction tactic to carry out cyber attack(s).
How does UAE law deal with cybercrime and the penalties associated with Medical Records and Electronic Information?
The new cybercrime law stated under Federal Decree-Law No. (5) of 2012 issued in Ramadan 1433 AH corresponding to 13th August 2012 AD deals with Combating Cybercrimes.
During the pandemic, the most sensitive data that could be misused causing an infringement to the privacy of the individuals are the medical records. Under Article 7, it lays down that –
“Shall be punished by temporary imprisonment whoever obtains, possesses, modifies, destroys or discloses without authorization the data of any electronic document or electronic information through the computer network, a website, an electronic information system or information technology means where these data or information are related to medical examinations, medical diagnosis, medical treatment or care or medical records”
The medical records may contain the patients’ health insurance details, billing numbers, doctor’s credentials etc which if hacked into can cause a major breach of anonymity of the patients and the doctors compromising their safety.
There are several categories under the new law defining various penal provisions for unauthorised access to Electronic Information, bank information, electronic communication etc. As per Article 2, unauthorised Access to the Electronic Information shall be punishable with a fine not less than AED100,000 or imprisonment, or both if found guilty.
Risks Associated with Cybercrime
A cyber attack can impact your organization in various ways and it can have bottom-line repercussions, which can cause long term damage to an organisation.
There are mainly three types of Risks associated with the cyber attack.
Building a reputation can take a long time but it can be destroyed in seconds. If your organisation does not take proper precautions securing the data, it can result in reputational damage. It further leads to reduced corporate goodwill, damaged relationships with customers, suppliers and public perception.
In addition to the above, the organisations suffer negatively in regards to the expansion and the growth of the business, which creates an adverse inability to hire the desired staff.
A cyber attack can not only damage an organisation’s reputation but can also cause negative financial and economic consequences. An International Monetary Fund survey says that the average annual potential losses from cyberattacks could account for around 9% of banks’ next income on a global note (i.e. around USD 100 billion).5 In aggravated forms of cyber attacks, the loss could range from USD 270 billion to USD 350 billion. In the rarest of the rare cases, the average potential loss could be as high as half of a bank’s net income, which could put the entire banking and financial sector in jeopardy.
Financial damage will cause major loss to the business due to reasons ranging from the publication of trade secrets to the breach of electronic data. Such a breach can cause an institution to pay for fixtures and repair damages which can result in loss of finance.
If your organisation is under a cyber attack then your organisation has failed to comply with data safety measures, unable to protect the personal data of the clients, or the corporate information about the organisation. This can land the organisation into serious legal consequences facing hefty fines and regulatory sanctions.
Prevention from Cyberattacks
We cannot ignore the fact that the closing of physical spaces and the use of online modes enabled most businesses to cut down on their expenses and thus, helped balance the loss incurred. Irrespective of the size of the organisation, everyone is a potential victim of cybercrime.
Fortunately, there are various measures an organisation can take to prevent themselves against these cyberattacks, such as:
- Ensuring that there is a proper password protection policy.
- Preventing any alien software to run or install itself automatically.
- Establishing network perimeter defences, particularly web proxy, web filtering, content checking, and firewall policies.
- There should be a control on the limited users who are able to access the data with proper permission.
- Putting a Patch Management system in place is necessary to correct bugs and vulnerabilities.
- There should always be secured monitoring to identify any suspicious activity.
- Educating and training oneself and staying aware of suspicious activities.
Such measures are not only effective but are also affordable to implement.
The importance of efficient but secured digital connection has been realized today, more than ever before. Most businesses and individuals cannot function without the use of technology and electronic devices, especially computers and related networks. However, the demerits should be realized and safeguards should be put in place to avoid mishaps, ensuring a smooth use of the digital space.
Mansi Lalwani co-authored with Sarjana Das