Cyber-crime is on the rise. Large attacks, such as those on TalkTalk, Ashley Madison and, most recently, Mossack Fonseca, grab the headlines. However, cyber-attacks in various forms are happening daily against businesses of all sizes.
The impact on customers, whose data is often the target of the attack, has forced the Government to act. The General Data Protection Regulation ("GDPR") and the Network Information Security Directive ("NISD") are likely to come into force in 2018 and an organisation's approach to cyber-security will become the subject of even greater scrutiny and could attract large fines (up to 4% of global turnover for serious breaches) in circumstances where not enough action has been taken to protect data.
So what can a business do?
How an organisation prepares for and handles a breach can make an enormous difference to mitigating the reputational and financial consequences and strengthen its ability to satisfy a regulator that steps were taken to protect a customer's data.
The level of security needs to be assessed in light of each business's particular requirements and the sensitivity of the data being processed. However, generally, an organisation should be taking the following steps:
- Put in place Cyber Insurance - contact your broker in this regard.
- Risk Assessment - use computer analysts to identify the relevant data, networks and assets that need to be secure.
- Systems Policies and Procedures - ensure that the security controls are embedded into operations.
- Education and Training - raise your employees' awareness and understanding of the risk and ensure that they are fully aware of what policies and procedures you have in place. Employees are often the weakest link: 'phishing attacks' rely on employees opening a seemingly innocuous email, allowing the hacker to gain access to the company's server. This can easily be avoided with proper training.
- Monitoring and Vetting - monitor the performance of the systems and the controls you put in place; vet personnel and suppliers as they come on-board and exit to ensure that they are not being used by a hacker to infiltrate your business.
- Incident Response Plan and Testing - undertake scenario planning and simulation exercises to better respond to a breach should one occur.
Responding to a breach
When a breach occurs, time is not on a company's side. It is therefore crucial to have in place an incident response plan that identifies who in the organisation will be responsible for handling the breach and the steps that should be taken to ensure a co-ordinated and cost-efficient response.
A company's initial response to a breach can have far-reaching consequences, bearing in mind that any documents or steps taken may be scrutinised by a regulator or Court further down the line.
Use a specialist lawyer or 'breach coach' to co-ordinate the response. Communications between a lawyer and their client attract legal advice privilege and will not need to be disclosed to any regulator or Claimant. Careful use of a lawyer can therefore avoid damaging information coming into the hands of third parties.