Cyber security dominated the headlines in October following the high-profile cyber-attack on the telecommunications company TalkTalk. Yet this is just one example in a growing number of cases. Recent ONS figures show a huge increase in reported instances of cybercrime in the UK, estimating that 2.5 million incidents of crime fell under the Computer Misuse Act in the past year. If further evidence were needed, cyber-risk is ranked as a tier one threat by the UK National Security Strategy and is a key priority in the National Crime Agency's current annual plan.
Most businesses hold information that is valuable to someone, somewhere. In almost every business, that information is held, accessed and shared electronically. Any business that has an online footprint or computer network is at risk of those systems and networks being compromised by someone who wants to get their hands on that valuable data. That risk is only heightened by the increased use of cloud computing, smartphones and "bring your own device" policies. As cybercriminals become more sophisticated, the reality is that no organisation or individual is safe.
Hackers are now targeting business information, which could include confidential data concerning planned M&A strategies, property deals and other financial arrangements. They are not just after the personal data held with banks or stored in customer databases.
However, it is only as larger organisations continue to fall victim to large-scale cyber-attacks that the realisation begins to dawn: this is a threat to be taken very seriously. It may only be once a large company has been completely brought down by a cyber-attack that individuals will fully deploy the safeguards available to them and their business.
A crisis can feed paranoia and uncertainty for employees and customers alike. For a company that falls victim to a successful cyber-attack there are immediate financial ramifications: the business lost whilst its systems are down, the valuable data that has been stolen, or the queue of litigants seeking compensation. Additionally, there can be a broader impact on customer trust and confidence following an attack, which can lead to reputational damage that is more difficult to quantify. Yet basic alert mechanisms and security measures can help businesses to investigate a data breach quickly and accurately, and then respond decisively to an incident if it does happen. There are simple things businesses and individuals can do to protect their business before a data breach occurs and in the event that a breach takes place.
Before a data breach
- Introduce the correct management structure and clearly define responsibilities. Create a crisis response team and train them regularly in how to respond to a breach.
- Recognise and register legal rights: make sure you have identified and taken steps to protect valuable data.
- Ensure compliance with regulatory obligations, including having adequate software and systems in place to protect your data.
- Introduce watertight contractual arrangements, cyber security policies and procedures then raise awareness about them and train your staff on how to implement them.
- Ensure your insurance policies give you the right cover. If you have concerns, it is within your rights to challenge your broker: this is still an emerging space.
After a data breach
- Move quickly: you need to investigate who is behind the breach, how they have got in, what has been taken, when it happened and why. The first few hours are critical to ensure that any money or valuable information stolen can be recovered.
- Contact your insurer and confirm your responsibilities in terms of appointing experts to contain, track and recover lost data.
- Decide who you need to notify and what they need to know – the Information Commissioner and other regulatory bodies may be expecting your call.
- Communicate with your customers, shareholders and staff: reputations take a long time to build and can be damaged in no time at all. Showing that you are working hard to resolve the issue and keeping customers well informed will limit the fallout.
- Take legal action to recover your data and prevent its misuse.
It is clear that there is no silver bullet: the cyber threat constantly changes and re-models itself and it is therefore a risk that requires constant attention. The most valuable thing you can do is put this issue high on the agenda of your next board or management meeting. Then it is important to raise awareness internally in order to foster a workplace culture that understands the risk and has the capabilities to manage it.
Hugo Plowman is a Partner in Mishcon de Reya's Dispute Resolution department, specialising in cybercrime. A version of this article first appeared in Property Week on 13 November 2015.