Cyber-crime is reported to be one of the fastest growing areas of crime, often involving fraudsters gaining access to IT systems, either to exploit them directly or as a step towards acquiring access to online banking facilities or other exploitable information.
To gain access, fraudsters typically exploit security weaknesses in a business’s IT systems. That might involve a direct attempt to bypass security and take remote control of servers or terminals, or it might involve “tricking” a business into installing malicious software, for example by hiding it inside something legitimate, such as your own product. As products become ever more sophisticated, and in an online world, it could become harder and harder to spot that a third party has maliciously tampered with your product.
Imagine your business was exploited to modify your product so as to sneak malicious code into your clients’ IT systems. It might be that your software or “app” has been compromised to effect a ransomware attack, that the website you designed is passing on confidential information, that the cloning image you use when building new machines has been tampered with to enable a fraudster to gain access remotely, or that your embedded product has become a remotely-controlled snooping device. Where would that leave you, if the scam succeeded?
The first problem might be proving that you weren’t involved in the scam. If someone has compromised your product, they will have left as little evidence as possible of doing so, and identifying the fraudster may therefore be near-impossible. Storing your code securely is a start, though not an infallible solution by itself. Do you have sufficient change logs, audit records and security procedures to be able to identify what happened and piece together a basic defence demonstrating that the scam was perpetrated by someone other than you? And do you check these records regularly, so that any tampering is detected before harm is done?
The second problem will be managing your liability. If your product had been rendered unfit for purpose by becoming malicious through the actions of a third party, a Court would likely be very reluctant to uphold any terms of business that would bar a claim by your clients for their losses. You might be able to maintain a cap on your liability to a particular client, or perhaps exclude consequential losses (i.e. losses that are not a direct consequence of the faulty product), but this could still leave you with a significant financial exposure. Overall liability could rapidly spiral if many of your clients were affected, especially if the scam had been operating unnoticed for some time.
The third problem might be the damage to your reputation. This could be particularly difficult to manage if the scam gives rise to any reporting obligations under the General Data Protection Regulation (GDPR), as the Information Commissioner might decide to publicise the incident to help protect other clients. Swift resolution of any claims might reduce the adverse publicity, though it might also be expensive.
So, this is likely to be a case where prevention is better than cure. Keeping your terms of business up to date is a sensible precaution, but having excellent quality control and security processes, ensuring that the code you distribute is the code that you have written, is likely to be preferable to trying to defend claims if things go wrong.