On 19 April 2017, the Government published its Cyber Security Breaches Survey (see here). This measures how well UK businesses approach cyber-security, and the level, nature, and impact of cyber-attacks on businesses. Nearly half (46%) of British businesses discovered at least one cyber-security breach or attack in the past year, a proportion which rose to two-thirds among medium and large companies. Under the same survey in 2016 (see here), a quarter (24%) of all businesses detected one or more cyber security breaches in the last 12 months. The cyber-security problem is therefore only getting worse.
It’s also worth noting that, although three in ten (31%) businesses now say that cyber-security is a “very high” priority for senior management, a “sizeable proportion” of businesses have failed to put in place basic protections or formalise their approach to information security.
The survey found that the most common types of breaches related to staff receiving fraudulent emails (72% of those who identified a breach or attack), followed by viruses and malware (33%), people impersonating the organisation online (27%) and ransomware (17%).
Cyber security breaches were often linked to human factors. However, relatively few organisations currently provide staff with cyber-security training (20%) or have formal policies in this area (33%).
The Government’s survey finds that breaches frequently result in a financial cost to the business. Among the 46% of businesses that detected breaches in the last 12 months, the survey finds that the average business faces losses of £1,570 as a result of these breaches. This is much higher for the average large firm, at £19,600 in losses.
Cyber security breaches can also have regulatory consequences for organisations, particularly for those that handle personal data within the meaning of the Data Protection Act 1998. According to the survey, 61% of firms now hold personal data on their customers electronically. At present, external reporting of breaches remains rare: only a quarter (26%) reported their most disruptive breach externally to anyone other than a cyber security provider. There is currently no general requirement to report security breaches to the Information Commissioner’s Office. This will change when the General Data Protection Regulation comes into force in May 2018. In the event of a breach, organisations will be required to demonstrate that they have robust technical and organisational measures in place to manage and store data.
The bottom line is that, for large and small businesses alike, this latest survey shows that cyber security breaches are becoming a near certainty. The dramatic growth of the internet and electronic communication means that cyber crime is now a daily threat to our businesses and our people. Organisations and businesses need to take this threat seriously, stay ahead of the curve, and be proactive rather than reactive.
An organisation’s confidential information and the personal data of its customer base are a valuable commodity. Combined with an increased reliance on doing business in a digital world and the regulatory scrutiny surrounding cyber breaches, this means that organisations big and small need to tackle cyber risk proactively, within a broader context of crisis prevention and management.
Once the domain of adolescent hackers in their bedrooms, cyber attacks are now the product of a diverse range of perpetrators, ranging from organised criminals, governments, terrorists and activists to employees and competitors. These cyber attackers use a variety of increasingly sophisticated methods, such as malicious code (e.g. viruses and the like), network-based intrusions (e.g. botnets, denial of service) and behavioural exploitation (so-called social engineering).
Information Risk Management Regime: First of all, organisations should carry out a comprehensive assessment of their existing processes and procedures to identify what valuable assets need to be protected, alongside the specific risks and potential impacts on the business if such assets were compromised. It is not possible to eliminate all risks, so it is a question of balancing them with risk appetite to ensure the business can operate effectively.
Incident Management: Organisations should establish an incident response and disaster recovery capability: produce and test incident management plans, and define roles and responsibilities of an incident response team. This team should include representatives from all relevant internal (and external) stakeholder groups, including a technical team to investigate the breach, HR and employee representatives, the data protection officer, public relations and legal representatives, and the board. Input from external advisers may be valuable in providing a different perspective (particularly if a breach is suspected to be an inside job) and supplementing internal skill sets.
Regulatory and Compliance Governance: Cyber security is the focus of increased regulatory attention across the world. However, a lack of harmonisation of cyber security-related legislation makes it difficult to investigate and prosecute offenders when the categorisation of cybercrime and other misuse of cyberspace differs from country to country. It is therefore of vital importance for the organisation to seek legal advice as soon as possible, to ensure that regulatory, reporting and compliance obligations are understood and that, in the event of a cyber attack, the investigations surrounding it can maintain appropriate legal privilege.
User Education and Awareness: Given that many data security breaches happen as a result of employee action or inaction, user education and awareness is crucial. An organisation can have in place the most comprehensive policies and procedures, but if its employees are not educated on them, they will not be effective as a risk mitigation tool. Organisations should therefore produce user security policies covering acceptable and secure use of the organisation’s systems, establish a staff training programme, and maintain user awareness of the evolving cyber risks.
Network and IT Security: The steps described above are in addition to the usual network and IT security measures undertaken by many organisations. Steps should be taken to ensure that networks are protected against external and internal attacks, including establishing anti-malware and firewall defences, intrusion prevention and detection systems, filtering out malicious content, monitoring and testing security controls (e.g. through penetration testing), and applying security patches.
Our lawyers are experts in technology law and in eliminating threats and losses caused by cyber crime. The Lupton Fawcett LLP TMT (Technology, Media and Telecommunications) Team, working in collaboration with our IP (Intellectual Property) Team and Commercial Team, can assist whatever the nature of the risk you face, be it hacking, identity fraud, denial of service attacks, harassment by electronic means or phishing. We can resolve issues locally and nationally, working alongside our trusted network of external technical experts and enforcement authorities. We can eliminate the risk, trace and identify those responsible and act accordingly. We can also help you devise commercial strategies and security policies to protect your business from attack.
Once those responsible are identified, our specialist technology lawyers will take all action necessary through the courts to protect your business and employees, recovering compensation where available. We regularly engage with internet service providers and are familiar with obtaining injunctions and disclosure orders where necessary.
If we can help with any aspects of your business, in the first instance please contact Neil Large (Corporate Partner) or a member of the Corporate Team.
Please note this information is provided by way of example and may not be complete and is certainly not intended to constitute legal advice. You should take bespoke advice for your circumstances.