The last few years have been rewarding for cyber criminals. Advances in technologies powered by artificial intelligence (AI) coupled with the growing professionalism of ransomware-as-a-service providers have made it easier than ever for attacks to succeed. 

Indeed, 72% of organisations responding to the World Economic Forum’s 2025 Global Cybersecurity Outlook report said cyber risks had increased over the preceding 12 months while 63% said the complexity of the evolving threat landscape is now the greatest barrier to their cyber resilience.

At a time when the accelerating shift to online and ‘mobile first’ means organisations have to work harder than ever before to gain the trust of their customers and suppliers, that is problematic. Against the backdrop of the Trust Economy in which we operate, Ben Martin, Director of Privacy at online reviews platform Trustpilot, says it is vital that businesses are able to prove to partners that any information shared with them will be kept safe.

“At Trustpilot we need to ensure we have the trust of both consumers and businesses,” he says. “We need to have the trust of reviewers and the trust of our business customers. For reviewers, we focus on transparency and data minimisation, and ensure we don’t have any more data than we need on individuals. But from a business customer perspective, like many software-as-a-service businesses we see a greater level of concern around security and data protection - and carrying out due diligence on us as data processors.”

For Eddie Hawthorne, outgoing chief executive of car dealership Arnold Clark, the statistics published by the World Economic Forum just highlight how big a task that is. “Over the last six months to a year we've seen an ever-increasing rise in the number of people trying to do us harm,” he says. This often manifests as criminals trying to gain access to the company’s systems through ever more authentic-looking phishing emails, and their ability to convincingly mimic senior management and third-party suppliers poses a significant risk.

Hawthorne says that “like any big company” Arnold Clark has long had systems in place to mitigate against these risks being realised, but notes that while “all companies have to be lucky every day the hackers only have to be lucky once”. Just over two years ago, the hackers’ luck was in and Arnold Clark’s systems were compromised.

“We were in the process of making a number of changes, including migrating our system to the cloud ahead of shutting it off within a month or two. However, the cybercriminals managed to exploit specific Microsoft vulnerabilities which, coupled with the theft of an ordinary user’s credentials, meant they got into our system,” Hawthorne explains. “They then waited until the holiday weekend to conduct the attack. The alarms went off when they started to take certain actions within our system on 23rd December 2022. The cybercriminals were trying to increase their access and when they saw us reacting to this, they then tried to deny us access to our system.”

Jude McCorry, chief executive of the Cyber and Fraud Centre, says the way the Arnold Clark attack unfolded is typical of how cyber risks are currently playing out. Bad actors initially gain access to a company’s system – increasingly via phishing emails which, thanks to AI, no longer have the kind of grammatical errors that used to make them easy to spot – and once inside they spend time snooping around, familiarising themselves with everything they need to know in order to unleash a successful attack.

“Sometimes the ransomware attack won't come for a while,” she says. “Sometimes they might download stuff from the system over a few weeks and the system could be slow, but you might not know that you are under attack because they're doing it undercover.”

Bob McKay, security and operations director at cyber security specialist Aspire Technology Solutions, says that while phishing emails are the most common way for cyber criminals to gain access to a company’s systems, there are “myriad ways” for bad actors to launch their attacks. That, he notes, means organisations can no longer rely on a traditional perimeter approach to security: defence needs to be ‘in depth’.

“In the last 12 months we’ve seen threat actors taking advantage of what we call a zero day, which is a vulnerability in a system – a bit of software or in a device – that hasn't been patched with a security update from the vendor,” he says. “Organisations can have the best security posture in the world, but you can't stop somebody taking advantage of that zero day and getting that initial foothold. You can have layered security with other stuff in place which means that, if they do get in through a zero day, they can't get any further or they're drastically slowed down, but you fundamentally can't plan for the unknowable.”


One of the main reasons attacks are on the rise, according to Calum Michie, risk lead at cyber security firm i-confidential, is that the process has become so commercialised it is no longer the preserve of specialised criminals.

“Malware tools were previously used by organised crime, but it’s now very much a commercialised industry where tools are for sale,” he explains. “Very limited knowledge is required to utilise those tools to attack an organisation and the knowledge that is required to conduct a fairly sophisticated attack is much easier to find. AI is driving that, but a general commercialisation of the cyber attack supply chain is making it much easier. A lot of the commercial organised crime networks are originating in Eastern Europe and Russia, but China, North Korea and Iran are all really big players in this space as well.”

During the Arnold Clark attack, which was eventually identified as being orchestrated by the Play Ransomware Group with links to Russia, the hackers created a series of admin accounts that systematically shut out the people that should have had genuine access. Although the company’s cyber team was on site dealing with the problem in real time, Hawthorne says that once the attack was under way it became apparent it was going to be impossible to stop without an impact.

“It's a bit like playing Whac-a-Mole where one pops up, you shut it down, and another pops up,” he says. “It really is man against machine. Eventually, at about 2:45 in the morning, we were beginning to lose control because we just couldn't keep up. We took the decision at that point to disconnect from the internet and pulled the plug on all our systems. The minute we pulled the plug, the ransomware deployed on some of our servers encrypted them. It was only a small part of our estate at that point so in hindsight, we were fast enough to prevent a wider spread of this, but the downside of pulling the plug is that you actually do the damage that these people were trying to do in the first place.”


Donna Goddard, director of cyber security at Pulsant, says most organisations facing an attack will find themselves in the same position, but that they can mitigate the impact by planning for every eventuality and knowing exactly what they are going to do when their worst fears are realised.

“Organisations need to ensure that when they do have an issue – and I say ‘when’ rather than ‘if’ because every company will – they know exactly what they're going to do and they practise because what can make a bad situation even worse is not dealing with the issue straight away or in an effective manner,” she says. “That’s all about delivering the message without panicking people. That not only protects your clients, but it protects the company as well because it makes sure that people have a rational response rather than an emotional response – that's the piece we need to try and avoid.

“It's no different to fire drills. Everybody does fire drills in schools and businesses, and people know exactly what it is they've got to do. It's in your muscle memory and you do it without thinking, but the reality is people don't always practise for cyber events. They tend to think of it as an IT issue, but the impact is broader than that. Personally, I prefer to run exercises to make sure that everybody that needs to be involved knows what they've got to do, from legal counsel to IT teams that might need to resolve the issue and communications experts to help manage the message. For example, in the case of insider risk, you tend to find that employers and managers like to believe there are no bad insiders in their organisation. Overall they're right, bad employees are actually quite rare, but there are loads of people that make mistakes and unfortunately when this happens the situation needs to be managed sensitively rather than as an overreaction.”

“Understanding the business, operational and legal risks and being prepared for the inevitable cyber attack is crucial,” says David Goodbrand, Burness Paull partner and head of data privacy. “The timely and efficient flow of data is the lifeblood of many organisations, so losing control of, or access to, your data can be hugely damaging. Not just from a financial and legal perspective, but it can also erode trust within the business and with its people, customers and community. Where we have assisted organisations to undertake gap analyses and proactively prepare for and mitigate cyber threats, the feedback is that this can help to maintain trust and increase confidence.”

For McKay, the fact that cyber crime has become so commercialised in one sense makes it easier to identify who the perpetrators are, and that in turn helps organisations gauge how they could or should respond.

“When threat actors, often criminal gangs, are successful with a particular technique, rather than picking their next target and working out how to get in, they'll pick their next target based on that technique,” he says. “If there’s a vulnerability in a particular type of software, a particular firewall, they'll look for that firewall globally and hit companies just so that they can repeat what they're good at.

“That helps with attribution of the actual threat actors. Once we've identified who the attackers are, or which three or four they might be, we know where to look for information on the dark web that they might post if they've got any data. We know what kind of things we can expect to see, the kind of encryption tools that they use if it gets as far as ransomware, how often they live up to their word in terms of releasing the data once a ransom has been paid. All these bits of information are important in making decisions during an incident response.”

Perhaps the biggest decision an organisation will have to make as part of that response is whether to engage with the people holding their business to ransom and, ultimately, whether to give them what they are after: money.

“The UK authorities have made clear their opposition to the payment of ransoms, and are actively looking for ways to reduce the number of payments made in order to make the UK an unattractive target for ransomware attacks,” says Nick Warrillow, a director in Burness Paull’s cyber security team. “The UK Information Commissioner’s Office and the National Cyber Security Centre wrote jointly to the legal profession in 2022 to state that ‘Law Enforcement does not encourage, endorse nor condone the payment of ransoms.’ In addition, in January, the UK Government announced a proposal to ban all UK public bodies and critical national infrastructure from making ransomware payments, and to implement a mandatory reporting regime for ransomware incidents – those proposals are now subject to a public consultation.”

However, the authorities’ position is focused on limiting the payment of ransoms, and not on communications with threat actors. Zibby Kwecka, chief information security officer at Arnold Clark, says negotiation is often linked with paying the ransom, but that the two should be treated as separate things. “You should never pay, but you should always negotiate – that gives you time and gives you information,” he says.

It is nevertheless a tricky line to walk. There is a significant bond of trust between businesses and their customers and, particularly when so much business is now transacted online, being able to show customers their data is safe is vital for maintaining that bond. Hawthorne says no bank details were compromised in the Arnold Clark attack, but that the information taken would have enabled the perpetrators to impersonate its customers online. The company worked with affected customers, walking them through the steps necessary, such as contacting their bank, to help ensure their safety. It paid for everyone affected to have free credit protection for 24 months.

Yet while the vast majority of customers were understanding, for a small number that bond of trust had been broken, which is something the business is still feeling the repercussions of more than two years later.

“I would say that 90% of our customers were very thankful for us telling them,” Hawthorne says. “Out of that, there were probably 5-10% who were a bit concerned but we were able to talk to them about it and say that as long as they took the advice that we had put together with the help of Police Scotland and GCHQ they would be okay. Then we have a small cohort of customers who want to take us to court for, in their view, losing their data. My view is that the data was stolen.”


It is a nuance that is not lost on Trustpilot’s Martin, who says that whilst organisations must ensure they are on the front foot when dealing with data incidents, it is vital that they do not make a decision on whether it is an actual breach until they are in possession of enough of the facts to warrant that decision.

“It's really key that whenever there is an incident that it's framed as such and isn’t treated as a breach from the off,” he says. “If your team thinks of it as an incident, often the approach is: ‘okay, we've uncovered something here. Let's investigate it. Let's discover more. Let's see whether something has happened.’ These things often evolve minute-by-minute and if you start by framing it as a breach, it can change the mindset of the team to being resigned to something having gone wrong, being on the back foot and potentially having to think about notifying a regulator (or regulators) - rather than adopting a problem solving and discovery mindset.”

“Although legislation requires that organisations notify individuals ‘without undue delay’ if they are at a high risk of harm as a result of a breach, this decision shouldn’t be taken lightly or rushed,” says Jo McLean, director in Burness Paull’s data privacy team. “I have certainly seen situations where organisations have ‘jumped the gun’ and notified individuals before all the facts have been confirmed. This can cause a lot of worry and confusion – sometimes unnecessarily if it transpires that customer systems or datasets have not been compromised. You may be inundated with queries and complaints from customers about what has happened to their data, which can be difficult to manage if you are also still trying to remediate the breach and get your business back online. Taking a staged approach to communications, with clear timeframes as to when customers can expect further updates, is the best approach for meeting notification obligations while maintaining trust.”

Thanks to the patience of the bulk of its customers, Arnold Clark was given the time it needed to recover from its attack. Hawthorne says that when the business reopened on Boxing Day 2022 he was trying to run a £5bn organisation “with a bit of paper and a pencil and a couple of mobile phones”. “If you were planning for a disaster and not being able to do anything that's exactly how it was,” he adds. For the first 10 days things “limped along”, with first the phones then emails then customer data centres gradually being brought back online. It took a full six months for the business to be fully operational again but Hawthorne says the silver lining of the experience is that Arnold Clark now has a “very robust resilience plan” in place.

For Michie that is key. Though he says many organisations are nervous about cyber risks and have brought in non-executive directors with knowledge of the cyber security space, not all are putting the time and effort into ensuring the necessary protections are in place. Businesses may assume the likelihood of suffering a cyber attack is low and manage their resources accordingly. But, as the impact of an attack will generally be high, that is a mistake, Michie says.

“The scoring of cyber risk is difficult because it's a high-impact, low frequency event but good risk management practices are really important,” he says. “The threat is constantly evolving so you might think you’ve understood the threats and have the right controls to protect against them, but if you're not refreshing that view at least on an annual basis and conducting an annual threat-modelling assessment to consider new threats and whether your controls are still the right ones that can potentially quite quickly reduce your defences. AI is a perfect example of a technology that's evolving so rapidly that an enhanced focus on the controls in that space is going to be really key.”


McCorry agrees and, like Goddard, says businesses should be operating on the basis of when, not if, they are going to be the victim of an attack.

“We've got police on the streets looking at crime prevention, but over the next few years cyber and cyber-enabled crime is going to be the one thing that we're all going to come across,” she says. “Most of us won't have our car stolen or our house broken into, but we will be victims of some sort of cyber-enabled crime and we're not putting enough money into innovation around cyber and using AI to help protect ourselves. There's a saying that fraud is everybody's problem, but nobody owns it and it’s the same with cyber. I see lots of money going into data and AI, but I don't see us putting in the effort and work around fraud prevention and stopping cyber attacks.”

Ultimately, McCorry says it is meticulous resilience planning that will help organisations come back from an attack – and retain the trust they have spent so long building up.

“The biggest thing is to get the business back on the road,” she says. “That's the biggest thing for stakeholders, for clients, for employees because the longer you're out, the more discussion [about what went wrong] will be happening in the background. You need to get the systems back up and running, get the organisation back up and running. You might lose some customers, but it’s in these situations that a lot of companies have found out who really supports them.”

“Cyber attacks and the consequential disruption they can cause remain one of the top 3 risks an organisation can face today,” says Hazel Moffat, head of Burness Paull’s cyber team. “Unlike most other risks on a risk register a cyber attack can have catastrophic implications for every part of any organisation – operational, financial, legal, regulatory and reputational. How can organisations address and mitigate these risks? Effective planning and preparation, a very clear understanding of your data set and what you hold and where and - critically - a tried and tested cyber incident response plan are all critical components of risk mitigation. The statistics suggest that organisations may not be able to guard against cyber crime in its entirety but there are really effective steps they can take to be ready if and when any threat occurs.”

This paper is part of Burness Paull’s “Trust Economy” series. You can read the other papers in the series: The Trust Economy, Trust in the Age of Artificial Intelligence and Vulnerable Customers in the Trust Economy.

Whether your business creates, sells or is enabled by technology, as a digitally native legal firm, we give thoughtful and precisely informed advice.

To discuss how to ensure you have the right assurances and protections in place to win earned trust and benefit from growth in the trust economy, get in touch. We’d love to have a conversation.
