Hacked off: good practice for cyber security


Professional services firms that hold significant volumes of sensitive data are at particular risk of a cyber security breach, according to statistics from a recent government survey. This article reviews those statistics and a recent high-profile case, and sets out practical steps organisations can take to minimise the risk of cyber attacks and data breaches.

The UK government’s Cyber Security Breaches Survey 2022 found that 39% of UK businesses identified a cyber attack in the 12 months before the survey. Of those, 31% estimated they were attacked at least once a week, and over one-third experienced at least one “negative impact” from an attack over the course of the year. Professional services firms, which hold significant volumes of sensitive data, are a particular target.

A recent high-profile incident was the cyber attack on Zellis, one of the largest payroll software providers in the UK, which had the knock-on effect of impacting hundreds of UK organisations including British Airways, Boots and the BBC. The attack is reported to have potentially exposed the personal data of tens of thousands of employees at these organisations, including identity documents, bank account details and National Insurance numbers.

The attack exploited a vulnerability in third-party file transfer software used by Zellis: MOVEit Transfer, supplied by Progress Software (tracked as CVE-2023-34362, an SQL injection flaw that was exploited before a patch was available). The vulnerability has since been fixed by the software supplier, but affected organisations were asked to investigate the extent of the potential data breaches. Notably, this was an extortion attack rather than a conventional ransomware attack: no systems were encrypted, but the threat actor responsible, the Cl0p ransomware group, stole data and then threatened to publish the compromised data of individual organisations if a ransom was not paid.

Article 5(1)(f) of the UK GDPR requires firms to process personal data in a manner that “ensures appropriate security”. Article 32 then requires firms to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.

The Zellis attack highlights that data security is only as good as the weakest link in the supply chain. Firms that do not consider and assess security risks at all levels of that chain could therefore be in breach of their data protection obligations under Articles 5 and 32, and face fines from the ICO if a data breach or cyber attack occurs. By way of warning, Interserve was recently fined £4.4m for failing to put in place appropriate security measures, which enabled hackers to access the personal data of up to 113,000 employees.

One positive finding from the UK government’s survey was that 82% of boards and senior management rate cyber security as a “very high” or “fairly high” priority, an increase on the 2021 findings. However, only half of firms updated their board on cyber security matters at least quarterly, and only just over half (54%) had acted in the last year to identify and monitor cyber security risks. Of greater concern, only 13% of businesses assessed the risks posed by their immediate suppliers, and cyber security does not appear to be a principal factor in the procurement process despite the clear risks this presents.

In the case of Zellis, the MOVEit risk might not have been identifiable in advance, since the flaw was exploited before a fix existed, but the case does highlight the risks posed by the various levels of the supply chain. Any preventable failure in this regard could lead to an investigation and a fine from the Information Commissioner’s Office.

The majority of headlines relating to cyber security concern cyber attacks and ransomware, but an organisation’s obligations in the event of a data breach apply whether it was a one-off accidental breach or a sophisticated cyber attack. Where personal data is compromised, a risk analysis must be carried out and, where appropriate, the ICO and affected data subjects should be notified. Under Article 33 of the UK GDPR, a notifiable breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, so the risk analysis cannot wait for the investigation to conclude. Where the breach can be rectified, steps should also be taken to do so.

To minimise the risk from cyber attacks and data breaches, organisations should:

  1. Regularly review and update their information security framework and policies, with extra protections in place for higher-risk special category data;
  2. Audit cyber security risks in the supply chain and ensure there are contractual protections in place with suppliers, including obligations to notify the organisation promptly of security incidents;
  3. Consider cyber insurance;
  4. Regularly review and update their cyber incident response plan, which should involve legal, PR and cyber security experts; and
  5. Ensure cyber security and data protection processes regularly feature as a Board agenda item.

In addition, it is crucial that firms document their procedures and their consideration (at Board level) of threats and the actions taken, so that in the event of an incident they can readily demonstrate the responsible steps they have taken.

For advice on cyber security or data protection matters please contact Tom Llewellyn or Charlotte Kingman.
