Some of the biggest corporations in the world have fallen victim to cyber attacks in recent years. But it’s not just information held by global giants that’s attractive to cyber criminals: small and medium-sized businesses face the same risks. Cyber security is now an essential consideration for every organisation. Here we look at some of the main risks and how you can mitigate them, and we consider the general legal framework that companies should follow when considering cyber security.
We will examine the following:
- Cyber security: what are the risks your business could face?
- What regulations do you need to comply with?
- How to reduce cyber security risks
- How to manage risk with commercial transactions
- Cyber security risk assessment checklist
- Will Brexit have an impact on cyber security?
- How to deal with a cyber security breach
Cyber security: what are the risks your business could face?
As cyber criminals become increasingly sophisticated in their methods, the risk to businesses from cyber crime is greater than ever. A 2018 survey of 400 small businesses in the US revealed that two-thirds of the organisations surveyed had experienced at least one cyber security incident in the previous two years.
It’s notable that most of those questioned in the survey blamed human error, lack of training and a poor understanding of the repercussions of cyber crime for their exposure to an attack. A cyber attack on your business that jeopardises personal data could result in heavy fines from the ICO as well as long-term reputational damage to your business as consumers lose faith in your ability to securely process their data.
What regulations do you need to comply with?
The measures you are required to take to combat cyber security will depend on the nature of your business and the risk your processing poses. But taking some kind of proactive action to prevent cyber attack is no longer an option for most businesses. There’s no single set of regulations that apply in this area.
Instead there is a raft of regulations – some rules apply to everyone and others relate to specific industries and sectors.
The two main sets of regulations are:
- GDPR: The security principle means that when you process personal data you must do so securely and take all appropriate ‘technical and organisational measures’. This will involve some form of risk analysis and an assessment of your internal procedures. It will often include measures like pseudonymisation and encryption of data.
- The Security of Network & Information Systems Regulations (NIS): These govern IT systems and apply to businesses in the energy, health, and transport sectors. They also apply to cloud service providers. They are designed to mitigate the fallout from incidents affecting the security of network and information systems
Other laws apply to cyber security in financial services companies and businesses providing electronic communications. It’s important to remember that the regulations across all sectors are flexible: the measures a business is required to implement should be appropriate and proportionate for the business in question.
How to reduce cyber security risks
We referred above to a survey that showed most successful cyber attacks resulted from human error. To reduce risk, it therefore makes sense for businesses to invest in staff training and awareness around cyber security.
- Educate all staff – not just those working in IT – about malware and unsecured networks and introduce strict protocols around opening email links and other electronic communications.
- Ensure there is proper training when new systems are introduced. For example if new software systems are introduced across the organisation it’s crucial to equip staff with the understanding to operate them correctly.
- Introduce an information security policy that co-ordinates the right teams and people, limits access to company devices and systems and ensures regular security reviews.
How to manage risk with commercial transactions
An effective approach to cyber security doesn’t just involve assessing your internal processes. When you do business with third parties you must also consider their processes: if an external company – a contractor, client, service provider or customer – has inadequate security, this poses a risk to your own data and information systems.
It’s essential then to make proportionate and appropriate due diligence enquiries into third party IT systems, data security policies and staff training to ensure that any data you share with them is secure and will be processed in a way that complies with GDPR and any other relevant legislation. Depending on the circumstances you may wish to implement security policies that any third parties you deal with must sign up to.
Cyber security risk assessment checklist
As part of our data protection training, we put together checklists to help companies meet their obligations under GDPR. Specifically, these checklists encourage companies to observe GDPR’s security principle – protecting their data against unauthorised processing and accidental loss with appropriate technical and organisational measures.
A checklist for cyber security measures should direct staff to:
- Analyse the risks to data security posed by the way the organisation processes personal data.
- Assess the cost of implementing any security measures: are they proportionate?
- Introduce an information security policy.
- Review information security policies regularly and update where necessary.
- Implement essential technical controls and consider signing up to the government-backed Cyber Essentials certification scheme.
- Use encryption and/or pseudonymisation where appropriate.
- Introduce adequate recovery systems to deal with any security breach.
- Regularly review your security systems.
- Ensure third party processors you deal with maintain adequate security protocols.
Will Brexit have an impact on cyber security?
Advances in cyber security over recent years have been aided by cross border collaboration within the EU and through the sharing of expertise and data by European agencies and companies.
Might these improvements in security be jeopardised when the UK leaves the EU?
Some have suggested that the ending of free movement will affect the number of cyber security professionals able to work in the UK and that this could potentially alter the country’s cyber security capabilities. Others have raised the possibility that new cyber threats may emerge post-Brexit as UK companies forge new business relationships with companies outside the UK subject to less stringent data protection regimes.
All of this remains to be seen. But one thing won’t immediately change: the cyber security regulations (or their UK equivalent) contained in the GDPR and the NIS we mentioned above – are set to remain part of UK law.
How to deal with a cyber security breach
Many cyber security incidents will have internal implications only and it will be up to you as a company to take the steps you think appropriate to deal with the consequences of the attack. Some attacks however will involve a breach of personal data that must be reported to the Information Commissioner. This means:
- You must report a breach to the ICO within 72 hours of becoming aware of it, unless you can demonstrate that it’s unlikely to result in a risk to individuals’ rights and freedoms.
- If you think there is a high risk to individuals you must also inform them of the breach without delay.
- Reporting the breach to the National Cyber Security Centre. It’s not a legal requirement but the NCSC has the expertise to help companies minimise the reputational damage caused by a cyber security incident involving personal data loss.
We’ve explained how your business could be at risk from a cyber attack and the legal obligations you need to be aware of. Small and medium-sized businesses that lack the IT resources of larger companies can often be seen by cyber criminals as an easy target so it’s essential to ensure you have adequate security protocols in place.