Cyber-attacks – Are you next?
Each day, an average of about 4,500 businesses in the UK become victims of cyber-attacks that successfully break into their IT systems.
The COVID pandemic has made us realise more than ever how reliant we are on our IT infrastructure – and so have malicious hackers. The National Cyber Security Office advises businesses that doing nothing is no longer an option. It calls on businesses to protect their organisation by establishing basic cyber defences.
But what does this mean?
This article explores what you can do to protect yourself against cyber-attacks, and what to do when your business has been attacked.
What are the risks of a cyber-attack?
A cyber-attack is an attempt by hackers to damage or destroy a computer network or system. Cyber-attacks pose a risk to your company, your employees and your customers. Your business operations may be interrupted, important data lost and confidential information shared with third parties. The attacker may even demand a ransom as a condition of unlocking your IT systems.
Where your business suffers a cyber-security incident as a result of a failure to implement appropriate security measures, you may also become subject to an investigation by the Information Commissioner’s Office (“ICO”). This could result in a fine and reputational damage.
What can you do to protect your business against a cyber-attack?
The following are examples of steps which your business can take to reduce the risk of cyber-attacks:
- Produce a cyber-security policy, setting out a clear defence strategy. This should be reviewed and updated regularly.
- Assess the increased security risk of working from home.
- Carry out regular penetration testing of your network security.
- Use encryption mechanisms.
- Appoint an individual within the organisation who will be responsible for addressing any data protection issues.
- Back-up data regularly.
- Ensure that customers and staff use strong passwords and that they change them regularly.
- Install anti-virus and malware protection.
- Dispose of records and equipment securely.
- Restrict access to data and information, and have a clear policy in place about who can access what.
- Impose equivalent restrictions on your supply chain.
What’s the worst that can happen?
There have been a number of prominent cyber-attacks in the news over the past few years which illustrate that even big brands with sophisticated IT systems can become victims of cyber-security attacks and suffer significant loss:
- British Airways failed to detect a major security breach in 2018 for nearly two months, which enabled an unauthorised third party to access the personal data, including payment information, of 400,000 British Airways customers and staff. This resulted in a fine of £20 million from the ICO.
- In early 2020 EasyJet suffered a cyber-attack which affected 9 million customers whose personal details were accessed, including the credit card details of 2,000 customers. The ICO is continuing to investigate this incident.
- In late 2018 Marriott Hotels Inc discovered a data breach which had been ongoing for the previous four years. The hackers had obtained over 300 million guest records globally. Marriott was found to have acted negligently and was fined £18.4 million by the ICO in September 2020.
What should I do after my business has experienced a cyber-attack?
In the immediate aftermath of a cyber-attack, we recommend that you consider your response carefully and ensure it is adequate and proportionate to the risk faced by your business. Below are a number of steps you might want to consider:
- Incident Response Team – We recommend that you set up a team that is dedicated to cybersecurity and ready to manage incidents immediately. This will most likely be your IT department. They can investigate what happened, develop a remedial plan and create a strategy for avoiding similar breaches in the future.
- Interaction with the Board – Cyber-attacks can have a detrimental impact on all aspects of your business, causing potential legal, financial, operational and even reputational issues. If the incident is material, you should inform the board or leadership team of your business immediately to determine the response that is required and assess the potential legal and financial liabilities.
- Damage Limitation – Once your business is aware there has been a breach, the primary concern should be to stop or contain it as soon as possible. You should then undertake a risk assessment to consider the impacts and the risks of the breach and how best you can ameliorate the position.
- Reporting obligations – You will need to assess whether the breach is reportable to the ICO. Among other factors, this will depend on the severity of the breach and its impact on affected data subjects. If in doubt, consult your compliance or legal teams.
Prompt mitigation and transparency played a substantial role in reducing the overall fines imposed in two of the cases reported above: British Airways and Marriott Hotels were initially due to be fined £189.39 million and £99.2 million respectively, but the fines were reduced to £20 million and £18.4 million, in part to acknowledge the way these companies handled the incidents and co-operated with the ICO.
Should you tell your customers?
Whilst it won’t be an easy conversation to have, customers have a right to know if their personal data was accessed by a hacker. It's important they hear this from you in the first instance, with an overview of what happened and how you have dealt, or are dealing, with the incident. Maintaining the trust of your customers is key, and this requires being transparent about the attack.
Above all, your customers want to feel assured that your business has the cyber-attack under control. They, and also the ICO, expect you to have procedures in place for dealing with such attacks, and that the issue will be resolved or contained at the earliest opportunity with minimal risk or damage to the personal data of customers.
Get in touch
Do you have any questions about how to protect your business against cyber-attacks? Do not hesitate to get in touch with Matthew Holman.
Whether we're negotiating, drafting or reviewing trading contracts, or advising on issues of data protection and technology law, our Commercial, Technology & Data team always start with what's in the client's best commercial interests.