“The majority of successful cyber attacks are not that sophisticated but can cause serious commercial damage. By getting the basic defences right, businesses of every size can protect their reputation, finances and operating capabilities.”
Cieran Martin, CEO of the National Cyber Security Centre
Digitalisation is the future of economic growth in your business. However, with great technological advances comes cyber risk. How do you embrace the digital era and the profit growth which comes with it but not expose your business to cyber risk and potential financial instability. This article will help you to understand the risks posed and give you guidance on how to mitigate the risk of a cyber attack.
In the wake of the WannaCry attack only last month, we are seeing yet more havoc and kayos being caused to businesses following another successful global ransomware attack. The latest attack thought to be a clone of the GoldenEye variant of the Petya family capitalises on weakness targeted by the WannaCry attack. Despite the US Department of Homeland Security advising victims of the attack not to pay the ransom, it’s reported that so far more than 30 companies have paid into the bitcoin account connected to the attack. The full repercussions of this latest attack have not yet been fully assessed but it would seem lessons aren’t being learnt quick enough. In our article “Internet of things to watch in 2017”, our first prediction was that we fully expected to see more high-profile organisations being the subject of cyber attacks. This latest attack is likely to be just the start of things to come. Therefore, what can your business do to reduce the risks associated with cyber attacks?
- Reduce the risk being subject to an attack
- Awareness: attain a good awareness of the legal framework, particularly the General Data Protection Regulation (GDPR) which comes in to force in May 2018, so that you can plan ahead, identify compliance gaps and determine the measures needed to achieve compliance.
- Board agenda: cyber security should be top of your board agenda.
- Data analysis: identify the amount and type of personally identifiable information, customer data, confidential corporate data, financial data, commercially sensitive information, regulated information, intellectual property and trade secrets held and maintained by your company, and where and how it is stored, used and transmitted.
- Business critical system review: look at what is critical to your business and will stop it functioning. Most business will be unable to function without email and access to electronically stored documents.
- Risk assessment: assess where the risk of penetration, infiltration, theft or loss of such data or disruption of service can come from and how to prevent it.
- Gap analysis: review what policies, processes and documentation you have in place to prevent a cyber breach and assess where your compliance gaps and weaknesses lie.
- Controls, procedures and processes: once you know where your risks lie and what compliance gaps you have, you can start to build your defences with controls, procedures and processes.
- Policies: establish a cyber security policy and an information security policy.
- Training: Employees must be adequately trained in the policies put in place and understand what they should and shouldn’t be doing.
- Ethical hacking: test your cyber security by operating ethical hacking, meaning authorised hacking of your network to test its robustness and identifying its weaknesses and vulnerabilities.
- Internet safety and network security: engage with your IT team and ensure your systems and networks are adequately protected against attacks.
- Software updates: ensure your software is up to date.
- Data backup: ensure your data is backed up so that it is easily recoverable and accessible in the event of an attack.
- Data access: consider encrypting certain data and assessing which employees need access to what data and why. Limit access to certain sensitive data if an employee does not require access.
- Contract review: Review the contracts you have in place and understand your cyber security obligations within them.
- Insurance: identify the gaps in your policies in relation to cyber risk and either enhance coverage under current policies or look at taking out a specific dedicated cyber policy.
- Ongoing maintenance, improvement and updating: Regularly review and update your policies, ensure cyber security is a regular feature on the board’s agenda and carry out ongoing audit and risk assessments.
- Background checks on employees: ensure you carry out adequate background checks and vetting on employees with access to data and systems.
- Third parties: assess the type and level of access a third party (e.g. a consultant) has to your IT network, carry out appropriate due diligence on that party, ensure it is compliant with appropriate cyber security standards, ensure it adheres with your policies, impose contractual obligations in relation to cyber security and data protection, require that third party to ensure that any software it introduces is free of malware or other flaws, faults and vulnerabilities.
- Cyber Essentials Scheme: look into the Government-backed, industry supported scheme which provides expert guidance on how to protect against the threat of a cyber attack. It enables businesses to become certified for having met a good-practice standard in cyber security.
- Incidence response and disaster recovery: Put in place a tried and tested incidence response plan for when your cyber security is breached with a dedicated incidence response unit.
- Relationship with regulators: Establish and maintain a good working relationship with appropriate regulators and advisory bodies.
2. Identify areas of vulnerability
The likelihood of your business being hit by a Trojan Horse is relatively low but you are at risk of less sophisticated cyber attacks the consequences of which can be just as serious and damaging to your business.
A company’s biggest vulnerability to cyber attacks is its employees which was proven in the NHS attack. The most common attacks rely on human weakness and play on a human’s natural trusting and inquisitive nature. The recent Government report on cyber security revealed that the most common attacks related to staff receiving fraudulent emails (72% of reported cases).
This is usually in the form of an employee opening attachments to emails containing malware, viruses or spyware or responding to phishing emails from individuals posing to be a trusted internal or external source. Other risks posed by employees are use of personal or third party removable devices containing viruses or malware, bribes or blackmail to employees or a disgruntled current or departing employee leaving malware on the network.
Viruses, spyware and malware
The next most common attacks reported in the recent government survey related to:
- viruses, spyware and malware (33%);
- people impersonating the organisation in emails or online (27%); and
- attacks using ransomware (17%).
Commercial transactions which involve third parties introducing goods or services into, or being provided access to, your IT network can pose a cyber risk. Such third party could bring with it viruses, spyware or malware.
3.Understand the consequences and repercussions for your business of a successful attack
A cyber attack can be devastating to your business. Here are just some of the risks posed by having inadequate cyber security:
- Fines: currently the Information Commissioner can impose fines of up to a maximum of £500,000 for serious contraventions of the Data Protection Act 1998. Under the GDPR there will be a tiered approach to penalties with some infringements costing up to the higher of 4% of annual worldwide turnover and EUR20 million. If you are a regulated company you may also suffer fines or sanctions from your regulator.
- Reputation: dependent on the size and nature of a cyber attack, they can be widely publicised. The prevalence of social media also causes the spread of community reporting on cyber attacks. Brand damage from a cyber attack can be extensive and detrimental to your business.
- Competitive edge: if valuable trade secrets or intellectual property are stolen you may lose your competitive advantage causing your profits to dip.
- Loss of customers: if your online presence is crucial for the sale of goods or services, a denial of service attack could mean a huge loss in sales and diverting customers to competitors; if you are prevented from or delayed in providing ongoing services to customers they could go elsewhere; damage to reputation could mean existing or potential customers look to a competitor.
- Disruption to the business: loss of business-critical files or data can lead to serious delay in your service offering and employees may need to redeployed from their day-to-day job to fix the problems caused by the attack or putting emergency measures in place.
- Contractual and tortious liability: affected customers or individuals may seek compensation for damage and/or distress caused by the loss and/or use of their personal information and/or a cyber attack may put you in breach of your contractual obligations regarding your service offering.
- Financial: financial loss can come in many ways including the costs associated with notifying affected customers, restoring the network and providing mitigating measures, deploying staff to deal with the breach, restoring reputational damage, investigating the cause of the attack and repairing defences, complaint handling, and litigation from affected parties, as well as potential loss of investors and funding, and the loss of potential or existing customers.
- Personal liability: a board’s failure to understand and mitigate the risk of a cyber attack could mean a breach of fiduciary duties and could lead to claims by the company or shareholders.
- Have an action plan in place
If all else fails and your defences are breached you must act quickly. Jamie Saunders of the UK’s National Crime Agency calls it “the ‘golden hour’ where every minute counts”. As a minimum, you should consider the following:
- Convene your dedicated incidence response unit and implement your disaster recovery plan.
- Investigate what is happening: When and how has the breach happened? What have the hackers accessed? Are the hackers still in the system? Is data still being transferred?
- Communicate with staff and provide clear instructions on what they should and shouldn’t do.
- Notify affected parties and the regulator, particularly where personal data has been breached. The GDPR will require businesses to notify the National Data Protection Authority of all data breaches without undue delay and where feasible within 72 hours unless the data breach is unlikely to result in a risk to the individuals. If the breach is likely to result in high risk to individuals, the GDPR requires businesses to inform data subjects “without undue delay” unless an exception applies. If you are a regulated business, you may also need to notify your regulator.
- Consider alerting the police.
- Consider your notification requirements under your insurance policies.
- Communicate with suppliers and customers where appropriate or required.
- Consider communicating with the press before someone else does to alleviate any bad publicity.
How Myerson Can Help You
- advise you on current legislation and the upcoming GDPR to help you understand your compliance requirements;
- help you write a note to the Board on cyber security;
- help you write cyber security and data related policies;
- help you to identify gaps in your cyber security measures, assess the risk to your business and implement defensive measures;
- provide support and advice for your nominated data protection officer;
- provide tailored training and talks to your employees;
- review your current contracts to assess your obligations in relation to cyber security, data protection and force majeure clauses;
- draft and negotiate new contracts to ensure that cybersecurity and data protection is adequately provided for;
- help you deal with an incidence response following a cyber attack by providing advice on compliance requirements immediately following a breach, liaise with the regulators, provide advice on complaints handling, and advise and assist in any ensuing litigation from affected parties.
Look out for the date of our seminar on GDPR. For more information on your compliance requirements and what to do if you are attacked get in touch with our specialist Data Protection legal team.