Cyber-crime is rapidly increasing and remains steadfastly in the media spotlight.
Some alarming statistics are being reported, information that UK businesses should carefully heed.
According to the Government’s latest Cyber Security Breaches Survey published in April, nearly half of British businesses discovered at least one cyber-security breach or attack over the previous 12 months. That proportion rose to two-thirds among medium and large companies. Most often, these breaches involved fraudulent emails being sent to staff or security issues relating to viruses, spyware or malware.
Some £1 billion was also lost to online crime in 2015/2016, with seven in ten business leaders admitting that they have yet to take any action to protect their business and employees from attack.
Yet, according to another survey by insurance firm Zurich in 2016, 49% of SMEs planned to spend just £1k or less on cyber security in the year ahead and 22% didn’t even know how much they would spend.
Zurich’s SME Risk Index highlighted that as many as 875,000 firms in the UK have been hit by a cyber-attack in the past 12 months. Further figures from the survey stated that, of those businesses affected, more than one fifth said it cost them more than £10k and one in ten said it cost more than £50k.
The survey went on to reveal that the lack of planned investment in cyber defence was surprising, given that business leaders reported that an effective, implemented cyber security strategy gave them a competitive edge because of stronger cyber security credentials.
It further stated that while cyber-attacks and subsequent data breaches highlight the importance of cyber security for some of the world’s biggest companies, SMEs need to protect themselves too. The survey said that many SMEs are not yet heeding the warnings provided by large attacks on global businesses.
Since 2009, I’ve been advising clients on how to mitigate what has become a global phenomenon with potentially dire consequences for those who ignore the threat. The average cost of a cyber-attack to our own clients has been £30k-£40k, losing them brand value and the trust of customers.
That's significant for any business. And that’s not forgetting the reputational issues and facing hefty fines if a business fails to act or doesn’t have stringent measures already in place to combat cyber-crime.
You may recall the cyber-attack on Talk Talk in 2015, which resulted in a £400,000 fine from the Information Commissioner’s Office (ICO), or the Sony hacking scandal in 2013 which cost the company £250,000 in fines.
The ICO fined Talk Talk for security failings which led to the theft of personal data of almost 157,000 customers. In the weeks that followed the attack, the company’s shares plummeted by around 20 per cent. It also reported losing 29,000 broadband customers and 56,000 TV customers in the first half of its financial year.
The cyber-attack on Sony wiped out massive amounts of data and led to the online distribution of emails, personal and sensitive employee data, as well as pirated copies of new movies.
The ICO can currently impose a fine of up to £500,000, even if the breach is not your fault.
But legislation is changing to help combat cyber-crime.
The Government has warned that organisations could face future fines up to £17m or 4% of global turnover if they fail to protect themselves and their customers from cyber-attack. Whilst the new levels of fines will only be applied to the most serious breaches, you could still be fined if you are attacked and aren’t able to demonstrate that you put in place appropriate safeguards to protect your business.
Last year the Government unveiled a five-year National Cyber Security Strategy and announced it was investing £1.9 billion in defending its own systems and infrastructure. It also disclosed the setting up of a new National Cyber Security Centre that will provide a hub of world-class, user-friendly expertise for businesses and individuals, as well as rapid response to major incidents.
The European Commission, in co-operation with member states, has further agreed a directive with the aim of increasing the security of Network and Information Systems (NIS) within the European Union. A government consultation is currently underway, determining how to implement the NIS directive which becomes law across the EU next May. It states that as our reliance on technology grows, the impact of failure in systems and the opportunities for those who would seek to compromise those systems and data increase.
This is separate from the General Data Protection Regulation (GDPR), which is aimed at protecting data rather than services. The GDPR will replace the UK’s Data Protection Act 1998 from 25 May next year, and the Government has confirmed that the UK’s decision to leave the EU will not change this.
If GDPR were already in place, the fine faced by Talk Talk would have run into many millions of pounds.
However, regardless of how diligent you are in complying with data protection, I recommend to clients having a Data Protection Breach Action Plan in place, together with a suitably qualified fast response team with representatives from all areas of the business, so that actions can be implemented quickly.
The risk needs to be quickly assessed, reported to the ICO and actions taken to avert a potential crisis. Remember that some breaches are out of your control, and an action plan will provide you and your employees with guidance you can follow if you find yourself in breach.
You must provide your data subjects with adequate protection from cyber-attack, which is not easy.
The Government’s Cyber Essentials scheme also offers basic protection. The scheme is designed to protect organisations from the most common internet threats.
As far as coming up with a Data Protection Breach Action Plan itself, it'll be different for every organisation. Unfortunately, there is no one size fits all to protecting your business against cyber-attack. You must consider both the internal and external threats likely to affect your organisation.
Ensuring that all the legal safeguards are in place to protect you from the consequences of a cyber-attack is also just as important as having a continuity plan and a disaster recovery strategy. A cyber-attack could expose you to claims for breach of contract or mean you contravene other legal and regulatory obligations. The consequences could be both far-reaching and expensive.
You should implement a legal risk assessment as part of the defence strategy, across the whole business, and make sure that you identify how key business assets could be exposed to legal risk. Then you can put in place a cyber-attack response and management policy to mitigate those risks. This will include fully understanding your legal and regulatory obligations so that you can act swiftly to minimise your exposure.
However exclusive a network may be, there is always the threat posed by cyber-criminals. With the ever-changing nature of working practices, fluid movement of personnel, use of mobile devices, cloud services and the Internet of Things, the risks have become even greater. The risks of cyber-crime are no longer limited to an attack from some faceless hacker chancing their hand from a far-flung place. They are often much closer to home than that. The more we engage with new technology, the more we're exposed to potential cyber risks. And if the subject is not yet being discussed at Board and management levels, it should be.
Educating personnel on threats, from bringing their own devices to work to recognising phishing attacks, should be part of any action strategy. Anyone who has access to your business data and information should be trained in how to keep it secure.
A common question also asked by our clients is can you insure against cyber-attack? Yes, you can, and it's a market that is quickly maturing. To get the very best premium and advice you will need to have carried out your own appropriate assessment of what your perimeter risks are and be able to detail how you will address them in the event of a cyber-attack. Anyone can now get cyber security insurance, but you will only find the right type of insurance for you by knowing what the real risks are to your business first.
Responding robustly to threats and ensuring the safety and security of cyberspace is an essential requirement for a prosperous economy. We need to secure technology, data and networks to keep businesses, citizens and public services protected.
It is certain that the future of the UK’s security and overall prosperity will be reliant on strong digital foundations.
So, what actions are needed when a cyber-attack strikes?
I advise clients on five key steps.
Step 1. Investigate
A prompt and thorough investigation needs to be undertaken as soon as you are made aware of a data breach. Investigation should always be your first step. It’s crucial that you have the right team together ready to respond to any type of incident immediately. Waiting until an incident occurs before you get your team in place will leave you seriously exposed.
Step 2. Take action
Once you are confident you have gathered as much information as you can, take steps to stop the release of data. What you can do will obviously depend entirely on the circumstances. Make sure you preserve any evidence, not only of your own position but also of how the attack occurred.
The ICO will want proof that you have made some attempt to stop the release of data, or at least to stop the breach escalating further.
Step 3. Notify
It’s good practice, as far as the ICO is concerned, to report the breach quickly, particularly if it’s of a serious nature, such as where a lot of data has been released or the data is particularly sensitive. There’s always the risk that someone else will notify the ICO, so you need to be a step ahead with a coherent and sensitive approach to how you are managing the incident.
Step 4. Is disciplinary action needed?
The data breach might have been completely out of your company’s control, but more often than not there has been some action, or inaction on the part of an employee, which led to the data breach.
Step 5. Audit!
Once you have investigated the breach, taken what action you can to minimise the consequences, notified the relevant parties and taken any necessary disciplinary action, it is time to revisit what happened and consider how to improve and strengthen your processes and procedures to help prevent a breach happening again.
Rob Cobley is a partner with law firm Harrison Clark Rickerbys. He continues to advise clients from small owner-managed businesses to large international telecoms providers on IT, cyber-crime, digital breaches, GDPR, intellectual property and general commercial contracts.