Cybercrime and cyber risk, like any other risk to your business, needs to be managed properly and considered a high priority risk for the internal compliance or legal team.
The biggest threat businesses face relates to client or customer information, such as:
- Clients' personal data
- Financial information
- Payment and transactional information
- Personal details of prominent client/customers’ dealings, and
- Trade secrets
The potential consequences of getting it wrong are severe. The global cost of cybercrime is estimated to be around £338 billion (or US$575). A study commissioned by the Department for Digital, Culture, Media & Sport found that 43% of commercial organisations have experienced some kind of cybersecurity breach in the past 12 months. The average cost of dealing with a cyber-attack/breach is £16,100 for medium businesses and £22,300 for large businesses. On top of this you may have to factor in referral to the Information Commissioner's Office (ICO), reputational damage and business interruption.
How to manage a cyber-attack or data breach
Your incident management plan is likely to consist of four elements:
- containment and recovery (identify the nature and scale of the breach/attack)
- assessment of ongoing risk
- notification (ICO and data subject)
- evaluation and response (any improvements that the business could implement to avoid further attack).
Containment and recovery
You should investigate the cyber-attack or breach. This stage is likely to start with a meeting of the individuals responsible for managing such incidents. Responsibility for these individuals should rest with the person who has overall control of the strategy and plan. You will probably want to include IT, legal, marketing, HR and other personnel fulfilling functions potentially affected by a breach or attack.
The team should confirm, as quickly as possible, the nature of the breach or attack and whether it is ongoing (e.g. where a breach is potentially still occurring due to a failure of IT security). The priority is to stop any additional loss or damage, and if possible recover any lost data.
Assessment of ongoing risk
During the investigation, you should:
- confirm what data has been affected, what happened, whether relevant data was protected and how sensitive it is
- confirm who has been affected by the breach, how many people have been affected and assess the potential adverse consequences for individuals affected, and
- identify any other consequences of the breach
You should seek to mitigate harm against affected individuals, and this may involve notifying the individuals concerned that their data has been lost/compromised.
You may be under an obligation to report the cyber-attack or breach to the ICO. If this is the case, then you have certain time limits to adhere to (72 hours for controllers). If you are a data processor, do you have contractual obligations to your data controller to report breaches to them within a certain time?
When deciding whether to notify individuals concerned you should consider whether notification would mitigate the harm done to an individual or pointlessly alarm them in circumstances where they can do nothing with that information.
Evaluation and response
You should consider any improvements you can make to your data security processes: audit where your data is held, consider how it is stored, and evaluate future threats to security. Additional measures are outlined under the next heading, Cybercrime preventative steps.
Cybercrime preventative steps
So, we have established that cyber-attacks and data breaches can be costly, time consuming and damaging. Prevention is better than the cure, and while taking preventative steps obviously makes good sense, it is not possible to totally eradicate the risk of cyber-attack. However, an effective plan and procedure will help deal with the effects of a cyber-attack.
Your starting point should be a risk assessment. A high-quality risk assessment involves identifying your critical IT/data assets, considering the targets and potential types of attack, and pinpointing effective defences against those specific types of attack.
Any plan is likely to build on and supplement the other data management and security policies and procedures which you may already have, namely:
- Data breach action plan
- Data breach policy
- Information security policy
- Social media policy
- Bring your own device policy (BYOD)
- Remote working policy
- Internet use policy
Other measures (which the ICO will expect you to have undertaken) include:
- Staff awareness - ensuring staff know the importance of cybersecurity and what to do if they suspect an attack has occurred is essential.
- Identify a cyber-attack or breach team.
- Have a system or plan in place so that everyone knows how to report a concern and to whom.
- Have you conducted a data mapping exercise to determine what data is held, why, how and who it is shared with?
- Do you have a cyber prevention strategy or incident management plan? Data breach plan?
Technical measures are beyond the scope of this article; however, they could include firewalls, encryption, malware protection and choosing trusted third-party providers.
While it is a daunting prospect, cyber-attacks are also very real. Cybercrime and data breaches make the news headlines weekly. We can help you put in place preventative measures to defend against an attack. Many policies are readily available to purchase on our website. We also offer an online consultancy service to help deal with data protection issues or help with a suspected attack or breach.