In 2017 the government undertook a ‘Cyber Security Breaches Survey’ covering 1,523 businesses of differing sizes. A huge 46% of respondents stated that they had discovered a cyber security breach in the preceding 12 months. The most common example cited was employees receiving fraudulent emails (72%) with viruses/spyware/malware coming in as the second most commonly cited example (33%).
It is generally accepted that most organisations cannot entirely eliminate the risk of succumbing to a cyber-attack, but there are certainly steps that can and should be taken to minimise cyber risk. To ensure proper management of risk, organisations should, of course, be implementing avoidance measures but, equally importantly, must also ensure they have a tried and tested breach management plan in place should they fall victim to an attack.
Below are initial considerations to get your organisation thinking about whether it is addressing cyber security. They are broken down into five proactive steps and five reactive steps.
- Assess your risk: identify the business’s valuable assets, where and how the information is stored and who has access to it. In tandem, also consider the business-critical systems, for example, what would be the impact of no access to email or electronic documents?
- Strategy for managing incidents: in the event of a cyber incident, time is key. Every business should have a clear plan of what happens in the event of an incident and who is responsible for each action. Test the plan to make sure that it will work.
- Educate your employees: at board level, there should be a proactive approach to cyber security as well as an overall business commitment to teaching employee awareness. To educate and maintain awareness you should produce user security policies, establish a safe staff training programme, implement effective security awareness campaigns, maintain user awareness, promote incident reporting so employees can raise issues without fear of recrimination, and make sure that you test the policies and training that you have in place.
- Governance and compliance: currently, laws and regulations are developed by different entities to address cyber security threats, which can make it difficult for businesses to identify all of their legal and regulatory obligations. For example, if you operate in more than one jurisdiction, make sure you comply with the obligations for each of those jurisdictions and, if you are a regulated entity, ensure that you comply with your regulatory body’s obligations. You should also be paying particular attention to relevant data regulations.
- Network and IT security: this may seem simple, but ensure that you have measures in place to help protect against external and internal attacks. For example, establish anti-malware and firewall defences, implement intrusion prevention and detection systems, filter malicious content and sites, and monitor and test the security in place.
- Detection: in the best-case scenario, as an organisation, you will detect a cyber incident yourself. It is much worse if it is revealed through the media. Once detection has taken place, you need to move swiftly.
- Assess the cyber attack: this is sometimes more difficult than it sounds, but key early-stage decisions need to be made, such as notifying the regulators or, if you are a large entity or the information is particularly sensitive, managing the media. It is worth noting that cyber-attacks often happen at weekends and on bank holidays, which makes a response more difficult as detection is less likely.
- Containment: once a security attack or incident has taken place, the hacker may remain ‘within’ your business’s systems and, therefore, you may choose to take compromised systems offline. You may well also want to revert to backup systems or a disaster recovery/business continuity plan if you feel that the systems are severely compromised.
- Investigation: the technical investigation will be carried out by in-house/external IT, security and forensic experts but this should all be done under the supervision of the legal team to preserve legal privilege. At the same time as the investigation takes place, consideration needs to be given to the legal position following the results of the investigations. For example, does the Information Commissioner’s Office (ICO) need to be notified? For regulated organisations, does there need to be a notification to your regulator? It is worth bearing in mind that regulators want to be notified promptly – in the case of the ICO within 72 hours of breach discovery.
- Review: at the end of an investigation, once you are clear that the cyber incident has been contained and dealt with, your business can reflect on the cause of the breach and identify the remedies that will prevent the same attack recurring. This is a review of both software and human actions. When you get to this point, the lessons that you learn can be fed back into your business’s proactive steps.
Of course, the above lists are not exhaustive and there will be many other considerations and aspects which are particular to an individual business, so it is key to seek advice and input from all your professional advisors.
If this subject is of interest why not come along to the CBI Cyber Security Business Insight Conference – full details can be found on the CBI’s website.
For further information, please contact Maria Peyman in our Commercial Litigation Team.
This article is from the October 2018 issue of Upload, our newsletter for professionals with an interest in technology. To download the latest issue, please visit the newsletter section of our website. Law covered as at October 2018.