Breaches of data security, as a result of a cyber-attack, are frequently reported in the news and evidence suggests they are becoming more commonplace, writes Maria Peyman, senior associate at Birketts LLP.

In 2017 the Government undertook a ‘Cyber Security Breaches Survey’. The survey was of 1,523 businesses of differing sizes and 46% stated that they had discovered a cyber security breach in the preceding 12 months – the most common example cited was employees receiving fraudulent emails (72 per cent) and the next most common example was viruses / spyware / malware (33 per cent).

If the often promoted view, that it is not possible to guarantee your organisation will not be subject to a cyber-attack, is correct (and certainly the survey figures seem to suggest it is a common problem) then what should businesses be doing to protect themselves? 

Firstly, and rather obviously, take all reasonable steps to avoid an attack but, secondly and just in case, ensure there is a plan if the business is the subject of a cyber-attack. Below are initial considerations to get your organisation thinking about whether it is addressing cyber security; these are broken down into five proactive steps and five reactive steps. 

PROACTIVE

Assess your risk 
Identify the business’s valuable assets, where and how the information is stored and who has access to it. In tandem consider the business critical systems as well, for example, what would be the impact of no access to email or electronic documents? 

Strategy for managing incidents
In the event of a cyber incident time is key. Every business should have a clear plan of what happens in the event of an incident and who is responsible for each action. Ensure that the plan tested to ensure that it will work. 

Education of your employees
At board level, there should be a proactive approach to cyber security as well as an overall business commitment to teaching employee awareness. To educate and maintain awareness you should produce user security policies, establish a safe staff training programme, implement effective security awareness campaigns, maintain user awareness, promote incident reporting so employees can do so without fear of recrimination and make sure that you test the policies and training that you have in place.

Governance and compliance
Currently laws and regulations are developed through different entities to address cyber security threats which can make it difficult for businesses to identify all of their legal and regulatory obligations. For example, if you operate in more than one jurisdiction make sure you comply with the obligations for each of those jurisdictions and if you are a regulated entity that you comply with your regulatory body’s obligations. You should also be paying particular attention to relevant data regulations.

Network and IT security
This may seem simple but ensure that you have measures in place to help protect against external and internal attacks. For example, establishing anti-malware and firewall defences, intrusion and prevention and detection systems, filtering out malicious content and sites, monitoring and testing security in place. 

REACTIVE

Detection
In the best case scenario, as an organisation, you will detect a cyber incident yourself. It is much worse if it is released through the media. Once detection has taken place, you need to move swiftly.

Assess the cyber attack
This is sometimes more difficult than it sounds but key early stage decisions need to be made such as notifying the regulators or, if you are a large entity or the information is particularly sensitive, managing the media. It is worth noting that cyber-attacks often happen at weekends and bank holidays which make a response more difficult as detection is less likely.

Containment
Once a security attack or incident has taken place, the hacker may remain ‘within’ your business’s systems and therefore you may choose to take compromised systems offline. You may well also want to revert to backup systems or a disaster recovery / business continuity plan if you feel that the systems are severely compromised.

Investigation
The technical investigation will be carried out by in house / external IT, security and forensic experts but this should all be done under the supervision of the legal team to preserve legal privilege.

At the same time as the investigation takes place, consideration needs to be given to the legal position following the results of the investigations. For example, does the Information Commissioner’s Office (ICO) need to be notified? For regulated organisations, does there need to be a notification to your regulator? It is worth bearing in mind that regulators, including the ICO, want to be notified promptly. This is a careful balancing exercise between prompt notification and ensuring that it is not a false alarm.

Review
At the end of an investigation and you are clear that the cyber incident has been contained and dealt with, your business can reflect on the cause of the breach and identify the remedies that will prevent the same attack recurring. This is a review of software and human actions.

When you get to this point, the lessons that you learn can be taken and fed into your business’s proactive steps.

Of course the list is not exhaustive and there will be many other considerations and aspects which are particular to an individual business so it is key to seek advice and input from all your professional advisors.

You can call Maria Peyman on 01223 326596 or email her at: maria-peyman [at] birketts.co.uk