Byte-size Bulletins

UK laws limiting cyber security experts from protecting your business

Written by Rachael Brown | Aug 2, 2021

If you're a business owner, you know all too well how rapidly cyber attacks have increased during the Covid-19 pandemic. No doubt you feel for your Chief Information Security Officer, who has endured significant stress over the past year fighting to keep your sensitive customer and company data protected.

This is a fight that countless cyber security professionals continue up and down the country. It is a fight made harder by something unexpected: the very cyber security legislation created to protect them.

That's right. UK cyber security laws, most prominently the Computer Misuse Act (CMA), are limiting the ability of cyber security experts to help protect your business.

In fact, according to a study by CyberUP, 80% of UK cyber security professionals feared accidentally falling foul of laws like the CMA.

Let's look closer at this law to understand why. 

The Computer Misuse Act was brought in back in 1990, when fax machines were still the norm in offices up and down the country, when only 0.5% of the UK population had internet access, and when viruses and malware were just beginning to explode onto users' chunky Microsoft desktops.

When it was created, the CMA did not have in mind the cyber security risks businesses face today. This is a major problem: instead of empowering cyber security professionals to help protect your business, this legislation creates a climate of uncertainty that leaves them feeling too unprotected to protect you.

This fear is a product of the concept of unauthorised access that sits at the heart of laws like the CMA. The act criminalises unauthorised access to computers, which rightfully covers cyber attacks like malware and ransomware.

However, the act defines this lack of authorisation in very specific terms. An unauthorised user is defined as someone who does not have responsibility for the computer or consent to perform acts on the computer.

This simplistic definition offers no means to consider an individual's motives, nor to recognise circumstances where such access would be legitimate, such as penetration testing with permission.

This creates difficulties for UK cyber security professionals who want to carry out threat intelligence research against cyber criminals without fear of prosecution. Such laws also discourage cyber security professionals from sharing their intelligence and understanding of these attacks, which would help prevent them.

Regardless of the ethical goal of their computer-related activities and investigations, these professionals are judged by standards of authorisation that no longer match today's complex cyber security landscape.

Needless to say, all of this should signal to businesses the importance of investing in their cyber security. Bureaucratic and outdated laws make it even harder to catch cyber criminals than it already is, and pressure groups are well aware of this.

Existing UK legislation on cyber security like the CMA is outdated and archaic, fuelling a climate where cyber security professionals are not fully empowered to do their jobs, a climate that has a serious knock-on effect for your business.

It's time to bring laws like the CMA into the 21st century, giving cyber security professionals the protection they need to do their jobs to the best of their ability.

Photo by Tingey Injury Law Firm on Unsplash