Whilst stories of cyberattacks against large and high profile organisations make headline news, the risk of personal data and cybersecurity breaches affects organisations of all sizes. Any business relying on digital technology and/or retaining electronic data (10 points to anyone who can identify a business not falling into that category) ought to consider their cyber resilience and security measures.
In this article, the first in a series of articles in our Contentious Business Update, we take a look at some key issues arising in this area and provide some guidance on steps that can be taken to protect your position.
What is cybersecurity?
Cybersecurity is the practice of protecting electronic systems, confidential or commercially sensitive information and personal data from digital attacks. According to a report by the Department for Digital, Culture, Media and Sport, the most common cyber threat is phishing, typically an email asking the recipient to provide certain data. Other examples include malware or ransomware attacks.
Why does it matter?
In short, a successful cyberattack is likely to cost your business money and time. You may lose business-critical information or be unable to access critical business systems, bringing your business to a standstill and severely impacting its profitability. Confidential or commercially sensitive information may be leaked into the marketplace. Your business may suffer reputational damage. You may be subject to regulatory action by the Information Commissioner’s Office (ICO) or on the receiving end of claims for breaches of data protection obligations or third-party contractual obligations. None of these consequences are in any way appealing.
By way of example, in May 2020 the construction company Interserve was the victim of a cyberattack. A phishing email forwarded by one employee to another led to hackers gaining access to the personal data of 113,000 staff members. Whilst the company’s antivirus software quarantined the malware, Interserve failed to investigate sufficiently, leading to a further attack and the compromise of numerous accounts and systems. The ICO investigated and found a lack of appropriate systems at the company, inadequate staff training and account management, and poor incident response. Interserve were fined £4.4 million.
What should you be doing?
Investing in cybersecurity is similar to insuring your home – hopefully you never need to use it, but if an incident arises you will be glad it’s there.
According to the National Cyber Security Centre, every organisation should take ten steps to manage cyber risk.
Prepare for cyber incidents
1. Risk management – undertake a meaningful risk assessment of your business and identify areas of weakness. Seek engagement from key personnel within your business (the board, IT departments, any data protection officer) and, as required, external expert technical assistance;
2. Engagement and training – all staff should be trained to allow them to identify and avoid cyberattacks. All staff should know what to do in the event of a cyberattack;
3. Asset management – know your data and systems and have the capability to isolate/ring-fence them if necessary;
4. Architecture and configuration – design, build, maintain and manage systems securely;
Understand your organisation’s risks
5. Vulnerability management – keep your systems protected. Do you have backup systems? Cloud storage? Anti-virus software? Firewalls? Are appropriate policies in place, for example to prevent staff from downloading apps or software that has not been covered by a risk assessment?
6. Identity and access management – control who can access your systems and data;
Implement appropriate mitigations
7. Data security – protect data where it is vulnerable;
8. Logging and monitoring – design systems to detect and investigate incidents;
9. Incident management – plan your response and test that response. If it doesn’t work, change it;
10. Supply chain security – collaborate with your suppliers and partners.
Fundamentally, cybersecurity should be the subject of continuous and regular ongoing review within your organisation. If a cyberattack occurs, you should have an up-to-date incident response plan ready to kick in. The incident needs to be contained and the impact reviewed and managed as soon as possible.
In the next article in this series, we will look at potential claims against wrongdoers and third parties arising from security breaches.
For further information, please contact:
Kate Steele, Partner, Hill Dickinson
kate.steele@hilldickinson.com