What is data security and why is it important?

Data security involves procedures an organisation follows to protect all data in any format or form from unauthorised access. It obliges organisations implementing ICTs to design and operate data systems with data security in mind. While, data security measures recognise that information must be easily accessible and available, organisations must build these systems so that a authorised users utilise the data and information stored in a lawful and ethical manner.

The measures taken to protect data involves developing procedures to minimise data loss either from internal errors or external attacks. This includes unwitting errors by well-meaning actors as pre-meditated and organised cyber criminals who attack systems as malicious actors.

Some consequences of poor data security are:

  • financial loss - fines, loss of revenue, decline in stock price, decline in customer numbers
  • reputational damage - bad press, social media posts, trust deficit
  • system damage - compromised data, system availability, system functioning
  • supply chain security threats
  • psychological and emotional harm
  • national security risks

The Hiscox Cyber Readiness Report(2024) reveals business leaders place fraud, white-collar crime and cyber-threats as the biggest perceived risk over and above economic and geo-political risks and skills shortages.

More than one in two organisations reported financial loss due to payment diversion fraud. This was up by 34% compared to 2003 with 58% of organisations reporting this kind of financial loss. Six-in-10 (61%) organisations, the report said, believe that reputational damage from a cyber attack would significantly damage their business, and 64% believe they risk losing business if they do not handle client and partner data securely.

Risks from authorised access to ICT Systems

Risks to information and communication technology (ICT) systems do not arise solely from unauthorised external attackers. Significant damage can also result from authorised users who have legitimate access to systems. These risks can be categorised into unwitting (unintentional) actions and malicious (intentional) actions. Both pose serious threats to organisational security, data integrity, and operational resilience.

Authorised Access – Unwitting Risks

Unwitting risks occur when authorised users inadvertently compromise systems or data through human error, lack of awareness, or insufficient controls. Common examples include data leaks or spills, accidental data deletion, or improper handling of sensitive information. For instance, an employee may mistakenly send confidential data to the wrong recipient, misconfigure access permissions, or overwrite critical system files.

One major consequence of such actions is data corruption. Incorrect modification of records, accidental overwriting of files, or improper system updates can compromise data integrity, making information unreliable or unusable. In sectors such as finance, healthcare, or public services, corrupted data can lead to incorrect decision-making, regulatory non-compliance, and potential harm to individuals.

Another significant impact is data availability challenges. Accidental deletion, system misconfiguration, or failure to follow backup procedures can result in data becoming inaccessible when it is needed most. Reduced availability can disrupt business processes, delay service delivery, and increase recovery time following incidents. Even without malicious intent, authorised users can therefore cause substantial operational disruption.

Authorised Access – Malicious Risks

Malicious authorised access involves individuals who deliberately misuse their legitimate privileges to cause harm. This may include theft and onward sale of confidential material, such as customer data, intellectual property, or commercially sensitive information. In some cases, disgruntled employees or contractors may engage in data misuse or revenge hacking, intentionally damaging systems or leaking information in response to workplace grievances.

Because these individuals already possess valid credentials, their actions can be difficult to detect and prevent. Insider threats often bypass perimeter security controls, allowing attackers to access critical systems, exfiltrate data, or sabotage operations over extended periods before being identified.

Consequences of Authorised Access Abuse

The consequences of both unwitting and malicious authorised access can be severe. Financial loss may arise from regulatory fines, legal action, incident response costs, and loss of business revenue. System downtime caused by corrupted data or deliberate sabotage can halt operations, affecting customers and stakeholders.

Reputational damage is another critical consequence. Data breaches or prolonged outages can erode trust, reduce customer confidence, and harm an organisation’s public image. In certain sectors, particularly critical infrastructure or defence-related industries, insider misuse of systems can pose national security threats, especially where sensitive or classified information is involved.

Finally, intellectual property theft and the sale of business secrets can undermine an organisation’s competitive advantage, leading to long-term strategic harm. Once proprietary information is leaked, it is often impossible to fully recover or contain the damage.

In summary, authorised access presents significant risks to ICT systems. Effective governance, access controls, staff training, monitoring, and insider threat management are essential to mitigate both unintentional and deliberate misuse of legitimate system access.

Common cyber crime offences from cyber attacks

A cyber attack is any type of offensive activity that targets computer information systems, infrastructures, computer networks, or personal computer devices. The crimes can be against individuals, organisations or governments. The attacks could be on hardware, software or networks that connect systems, for example disruption to internet connections.

The motivations could be for commercial gain or to cause emotional or structural damage.

Crimes with commercial gains are digital versions of the crimes committed in other non-digital arenas - theft, fraud, blackmail, psychological harm or to demonstrate malicious power and control. Each of these motivations are nuanced and different when case studies are investigated.

For example, cyber attacks can take many forms with diverse players. From organised groups meticulously seeking out system vulnerabilities with the purpose of gaining access to systems to steal information, money or intellectual property to well-known listed companies.

Entry points and tactics are varied as this (far from comprehensive) list of cybercrimes compiled from Kaspersky, Panda Security and Ceuto Law Group demonstrates:

  • Artificial Intelligence-Powered Attacks (AI-Powered Attacks): Cyberattacks that leverage artificial intelligence to automate or enhance hacking techniques.
  • Botnets: Networks of hijacked devices controlled remotely to spread malware or launch attacks.
  • Computer Vandalism: Deliberate destruction or defacement of digital systems or data.
  • Cross-Site Scripting (XSS): Injecting malicious scripts into trusted websites to steal data or manipulate users.
  • Crime-as-a-Service (CaaS) platforms: Dark web marketplaces for sale of illegal goods and services
  • Cryptojacking: Secretly using another person’s device to mine cryptocurrency without consent.
  • Cyberstalking: Using the internet to harass, threaten, or intimidate individuals.
  • Cyberterrorism: Attacks on government or critical infrastructure systems for political or ideological purposes.
  • Cybersnooping: Infilteration into personal computers or government, company data for commercial gain, blackmail.
  • Cyber/Typosquatting: Registering domains with slight variations of legitimate names to mislead users.
  • Denial of Service (DoS) Attacks: Flooding a system or network with traffic to make it unavailable.
  • Domain Squatting: Registering web domains similar to brands or individuals to resell at inflated prices.
  • Drive-By Attacks: Automatically installing malware when a user visits a compromised website.
  • Eavesdropping Attacks: Intercepting communications to capture sensitive information.
  • Exploit Kits: Pre-packaged tools that exploit software vulnerabilities to deliver malware.
  • Insider Threats: Malicious or negligent actions by authorised users that compromise systems or data
  • Indentity Fraud: Impersonation after personal information is stolen and used
  • Intellectual Property Theft: IP like copyright, trademarks, patents are exploited without payment to original creator of content
  • Link Jacking: Altering hyperlinks to redirect users to fraudulent or malicious websites.
  • Malware (Worms): Malicious software that replicates itself to spread through networks and devices.
  • Online Libel/Slander: Publishing false or defamatory statements online that harm reputations.
  • Online Scams: Fraudulent offers or messages designed to steal money or sensitive information.
  • Packet Sniffing: Monitoring network traffic to capture sensitive data such as passwords or personal details.
  • Phishing/ Smishing/Vishing: Sending fraudulent emails, text or voice text messages to steal user information.
  • Prohibited Content Sharing: Distributing illegal or harmful material, sometimes for blackmail.
  • Ransomware & cyber extortion: Malware that encrypts files and demands payment to restore access, or extortion with threats of crime that could be committed in the future
  • Social Engineering: Manipulating people into revealing confidential information or credentials.
  • Trojans (Trojan Horses): Malware disguised as legitimate files or applications that create a trapdoor into systems.
  • Potentially Unwanted Programs (PUPs): Software installed without consent that negatively affects system performance.
  • Web Scraping: Extracting data or content from websites, potentially violating copyright or intellectual property laws.

Cyber-crime case studies to demonstrate types of crime and risk associated

Here are only a few case studies to highlight how complex and diverse the area of cyber-security has become.

Theft case studies

In the case of the EU space agency, Tech Republic reports an organisation who called themselves ‘888’ claimed responsibility for stealing the agency’s data and selling it on a cyber crime forum. Earlier, the agency had a link-jacking incident, where links to its merchandising were redirected to a fake shop front amplyfying the issue of theft not just to financial losses but to exposing supply-chain fragility, the report said.

Generative AI companies like Alphabet’s Gemini, OpenAI’s ChatGPT and Perplexity all have litigation against their algorithms that scrape information from publishers, artists and musicians. The generative AI alogrithms then repurpose the information with the companies claiming the newly generated version as their IP.

The companies contest the claims as the concept of “fair use” in the acquisition and repurposing of data. In a paper titled “Good models borrow, great models steal: intellectual property rights and generative AI Open Access”, the author, Simon Chesterman argues that gen-AI produces these models to directly compete with the owners of the copyright, trademarks or intellectual property, which can not be considered “fair use”. The author says, “No one is seriously suggesting that generative AI should not be trained. But it is reasonable to expect that models are not trained on stolen data, and that those who profit from this technology pay something to—or at least recognize—the creators whose works serve as its fuel.”

The National Intellectual Property Rights Coordination Center (IPRCC) reports on enforcement actions taken by the US government against IP theft, counterfeit goods, and fraud. In 2024 alone, cases initiated against IP theft was up 21% with the total estimated cost from IP theft estimated to have gone up 36% to $1.12 billion.

Psychological harm case studies

Researchers from the Virtual Reality Risks Against Children (VIRRAC) project was conducted by a group of academics from Middlesex University and the University of East London to debate the effectiveness of legislation, such as the Online Saftey Act in dealing effectively with the psychological harm caused by cyber crime. This follows the rapid increase in the number of children in the UK who now have smart phones.

In May 2025, the UK regulator Ofcom said in a report that 20% of 3–5-year-old now own smart phones, with 30% of 6–7-year-olds owning phones. The data-gathering activities of smart-phone operators have risen exponentially with most users preferring smart phones to access social media versus web applications. A significant use of social media platforms was noted for 7-17-year-olds with 18 being the legal age of consent in the UK.

Girls at a very young age are exposed to cyber-bullying with “revenge porn” and other sexualised images being circulated by their male peers. The psychological harm of such material is exacerbated by the AI-generated deep fakes that sexualise women and girls. Fawbush, in an article in Findlaw says this form of cyber crime result in developers who are creating these “nudify” apps are “raking in millions of dollars”. Meta, the owner of Facebook, has sued CrushAI for misuse of its data.

It is not just girls, but young boys who also face risks the VIRRAC and other studies show. ChatGPT, owned by OpenAI and Alphabet’s CharacterAI have also come under scrutiny for providing guidance to vulnerable users on how to commit suicide more effectively.

Seven families have taken OpenAI to court, Technology Org reports, highlighting the case of 23-year-old Zane Shamblin’s chat logs that show he repeatedly said he had written suicide notes, loaded his gun, and planned to shoot himself after finishing his cider. He updated the AI on how many drinks remained and how long he expected to live. Rather than intervening, ChatGPT responded with encouragement. The final message told him, “Rest easy, king. You did good.”, the report said.

Ransomware & cyber extortion case studies

Four major ransomeware attacks in the UK in rapid succession show the capability of cyber criminals to wreck havoc.

Retailers Marks & Spencers (M&S), the Co-op, Harrods and the manufacturer Jaguar Landrover all suffered from ransomeware attacks in 2025.

M&S was forced to pause orders as hackers, calling themselves “Dragon Force” stole data taking customer data demanding a ransom to stop. The BBC report said an “abuse-filled” email was sent directly to the CEO and board members. The hackers infiltered the system through a hijacked employee email account. The BBC says that M&S has not confirmed the hack was a ransomeware issue but it has been widely reported that Dragon Force knew about M&S’s cyber-insurance policy and demanded payment. M&S has not reportedly paid the group, but it is estimated it lost £300-million in operating costs.

Tech Radar reports the M&S attack was “was a calculated, multi-stage operation by notorious cybercrime group, Scattered Spider” Scattered Spider, a consortium of Black-Hat (malicious) hackers working together are likely to be teenagers affiliated with Dragon Force. They also claim responsibility for the Co-op and Harrods attack.

The attacks used multiple infiltration methods, Tech Radar reports from phishing tactics, social engineering using a supply chain link. The hackers convinced an M&S IT employee to reset authentication credentials of who had access to the system and had an open door into the network.

This case study shows the combination of tactics and diversity of cyber criminal actors on the cyber crime stage. Tech radar points out that the exploitation combined psychological manipulation, exploiting trust, creating urgency and confusion. Innocent insiders with authorised access to M&S systems were duped into letting the bad actors in. The attackers then acted rapidly shutting down systems which may have had to be restored from back-ups.

Over £750 million was erased M&S’s market capitalization in the fallout, Tech radar reports.

Cybercrime evoloving as fast as technology and tactics are psychologically sophisticated and varied

Data security is a critical pillar of organisational resilience in the digital age. As demonstrated, threats to information and communication technology systems arise not only from external attackers but also from authorised users, whether through unwitting mistakes or malicious intent. Both forms of authorised access misuse carry significant consequences, including financial loss, reputational damage, system downtime, national security risks, and loss of competitive advantage.

Cybercrime continues to evolve rapidly, with actors employing increasingly sophisticated methods, from ransomware and phishing to artificial intelligence-powered attacks and deepfake-enabled manipulation. Case studies, such as the EU space agency data theft, generative AI IP litigation, and the coordinated ransomware attacks on UK retailers, illustrate the diversity of tactics, the severity of consequences, and the breadth of affected stakeholders. These incidents also highlight the interconnected nature of cyber risks, encompassing financial, operational, psychological, and societal dimensions.

As cybercriminal methods grow in sophistication and scale, organisations must proactively anticipate, prevent, and respond to both internal and external threats to safeguard their information, their stakeholders, and the wider digital ecosystem.

FURTHER READING