The past 12 months have triggered unprecedented digital growth across all sectors of business, with more companies than ever before turning to collaboration tools and virtual services to accommodate a more streamlined remote experience.
Of course, this sort of digital transformation was always on the cards, but with brick and mortar offices out of action, the process has accelerated beyond what anyone could have predicted. Even traditionally “old-school” businesses like estate agencies and solicitors have been forced to offer online services.
For many, these in-person restrictions have opened up a world of possibility and increased flexibility, particularly for those workers struggling to adhere to traditional working hours.
However, this collective-shift has also laid bare the severe deficiencies in many businesses’ cybersecurity strategies, with millions of new attack surfaces suddenly accessible to cybercriminals. According to a survey by the National Cyber Security Centre (NCSC), around a quarter of all cyberattacks in 2020 were connected to the pandemic, with the number of incidents reported increasing by almost 30%.
Experts up and down the country predict that as many as 40% of employers expect that more than half their workforce will work from home on regular basis, with an additional 23% looking to enable employees to work from home full-time.
Wired journalist Claudia Natanson said that companies across all sectors of business would need to innovate and adapt in order to survive the growing threat of cybercrime and data theft.
She said: “During 2020, institutions of all kinds were forced to adapt to a dynamic world where the usual projections and five-year marketing plans did not apply.
"Economic reports show marked GDP reductions of greater than 20 per cent in many countries, with continued decline into 2021. Businesses and workplaces will increasingly turn to models of work in dynamic fields – such as cybersecurity – to make them more resilient.”
But despite a growing need for expert-led cybersecurity action, those in the industry say that as it stands, the law in the UK is making it impossible - and even dangerous - for its workers to do their jobs.
Rise of the Ethical Hacker
Businesses across the globe are spending millions in improving their digital security - and ethical hackers are at the centre of the movement. In the past, the term hacker was used as an all-encompassing term for criminal web-bandits. Today, this term has taken on a whole new meaning as more and more companies seek out their skills.
Ethical hacking is the exploitation of IT systems with the owner's permission to identify weaknesses and vulnerabilities. It's a hightly effective method of assessing and troubleshooting an organisation's cyber security situation, and the results gathered from hacker research are often the best way to identify ways to prevent or mitigate criminal attacks.
Mårten Mickos, CEO at HackerOne, said: “We are starting to see more organisations choosing to work with the ethical hacking community to strengthen their defenses. Attitudes towards hackers soften with every passing year and we are now at a tipping point where more often than not hackers are seen as a force for good.
"By the end of 2021 there will be few non-digital organisations. The COVID-19 pandemic has forced change and, as we become more digital, we need the ethical hacking community’s skills and expertise to become more secure.”
However despite this cultural shift in attitudes, cybersecurity experts warn that hackers still face major roadblocks to their work, with outdated cyber laws posing a serious threat to those that continue to operate.
Acceptable in the 90s
According to a survey commissioned by techUK and the CyberUp Campaign, four in five UK cybersecurity professionals worry about the legal repercussions of their work. A further two thirds of hackers said they had avoided reporting bugs to companies due to “threatening legal language” on their website.
The Act was established in 1990 as a way to deter hackers, and criminalises the act of accessing or modifying digital data without “approriate permission”. However, legal experts claim the Act hinders the work of cyber threat analysts, due to the narrow definition of authorisation and limits on who can grant it.
Peter Sommer, a cybersecurity and digital evidence specialist, said: “The main problem is not with the wording of the act but the difficulty of assembling reliable evidence, particularly in cases with an overseas element.
"The Computer Misuse Act continues to work well for law enforcement purposes and now includes ‘data interference’ as an offence, but the problem is the very tight definition of ‘authorisation’ and who can give it.
"There are exceptions for the police and the intelligence agencies via section 10 of CMA and Part 5 of the Investigatory Powers Act 2016. But private sector investigators are constrained in how far they can examine computers which they believe may be the source of an attack, or the source of tools to enable an attack.”
This sentiment was echoed by the CLRNN in 2019, when it released a report reviewing the effectiveness of the legislation. It argued that instead of securing Britain's cyberspace, the legislation provided a “confused legal framework” that prevented ethical hackers from conducting efficient threat intelligence research for fear of criminalisation.
The organisation proposed a number of reforms, including a set of measures to align existing offences with the UK’s international obligations and contemporary legal systems, and the inclusion of a new public interest defences to protect cyber threat intelligence professionals, academics and journalists.
Speaking about the report, Barrister Simon McKay, a Civil Liberties and Human Rights Law Practitioner, called for law makers to rethink its treatment of ethical hackers.
He said: “The Computer Misuse Act is crying out for reform. It needs to be future- and technology-proofed to ensure it can meet the challenges of protecting the embedded internet-based culture we all live in and depend on.
“In particular, section 1 of the Act prohibits the unauthorised access to any program or data held in any computer and has not kept pace with advances in technology.
"With the advent of modern threat intelligence research, defensive cyber activities often involve the scanning and interrogation of compromised victims’ and criminals’ systems to lessen the impact of attacks and prevent future incidents. In these cases, criminals are obviously very unlikely to explicitly authorise such access”.