Cyber-attacks are a growing threat to businesses of all sizes, with the latest Government Security Breaches Survey finding that two thirds (65 per cent) of large organisations were affected by a breach in the last year, along with half (51 per cent) of medium-sized, and a third (33 per cent) of small organisations.
What's more, it seems too many businesses still aren't taking the threat seriously, with the 2016 Global Threat Intelligence Report from NTT Com finding that roughly 77 per cent of organisations are unprepared for cyber-security incidents. That's a lot of vulnerable businesses!
You only need to look at examples in the news to see the potential financial and reputational costs of a data breach. Take TalkTalk for example, which suffered a breach and the loss of around 157,000 customers' data last year. It's estimated that the incident cost the company a total of £60m, along with between 100,000 and 250,000 of lost customers.
More recently the beleaguered Yahoo! has faced a similar situation, with at least 500 million user accounts compromised in what many are saying is the biggest data breach in history. Not only does it further dent the reputation of the former internet giant, it could also jeopardise its takeover $5bn takeover by Verizon. The financial and reputational fall-out don't bear thinking about.
So, if you're one of the unprepared 77 per cent, what should you be doing?
First things first, a cyber risk assessment helps you understand the areas you need to protect and those where you could be most vulnerable.
Start by auditing the data and information you hold that is most valuable and therefore where you need protection. Then look at how you store this data, who has access to it and how it's protected. This will help give you an idea of where you could be most at risk.
If you're not confident carrying out a risk assessment, then you might want to consider hiring an expert to do this for you.
Get the tech sorted
Once you've identified your most valuable data assets, make sure you've covered all the bases to secure it with the appropriate technology, including firewalls, anti-malware and anti-virus software on all your computers and devices. If some or all of your data is stored in the cloud, make sure your provider has watertight security controls.
If you don't have any dedicated IT expertise in house, it's probably best to consult an expert on the best approach for your needs.
Communication and training
The right technology is of course hugely important, but getting your people and processes up to speed perhaps even more so. A scary 95 per cent of cyber incidents involve human error, according to a study by IBM, yet this is an area that is often overlooked - the Government's recent survey found that only 17 per cent of businesses have given staff some kind of cyber security training in the last 12 months.
Your communication should begin with a cyber security policy, outlining key processes and procedures, what staff should and shouldn't do, and the potential repercussions if the guidelines aren't followed. The exact issues covered will vary from business to business but potential topics could include:
Guidance on handling sensitive information
Stipulations regarding password security
A policy covering remote working and the use of personal devices
How to look out for, report and respond to a security issue
Required checks on suppliers to ensure they are complying with security best practice
You should ensure the cyber policy is easily accessible to all employees, is updated regularly, and that staff are also given training around the issues at least every 12 months.
And for further insights on how to avoid employee misuse of data, check out our dedicated blog here.
Even with the best technology and security measures, sometimes you're powerless to stop a breach. Which is where an effective response plan comes in, enabling you to control the situation as quickly as possible, with minimum impact to you and your customers.
Yet, despite its importance, only 30 per cent of organisations have a breach response plan in place, potentially leaving them floundering in the event of an attack.
An effective response plan should include the following elements:
Your legal response – you need to outline how you'll handle the legal aspects of the breach, for example informing the Information Commissioners Office (ICO) of the issue and defending your business against any claims of negligence.
Handling media queries – your business could be the focus of media attention following a breach, so be ready to handle all external communications about what happened and how you're handling it. You are likely to need professional PR expertise to do this effectively.
Finding out what happened – you'll also need to have IT forensics experts on hand to find out what caused the breach, with a view to rectifying the problem quickly and ensure it doesn't happen again.
Informing customers – depending on your customer-base and the scale of the breach, you could have a lot of unpleasant phone calls to make! You'll need to be ready with a way to handle this communication efficiently.
Make sure you're covered
If the worst does happen and you're facing the repercussions of a data breach, your final line of defence is a watertight and specialist cyber insurance policy.
Some key aspects to look out for include:
The Information Commissioners Office (ICO) can give fines of up to £500,000 for breach of the Data Protection Act. The Superscript cyber insurance policy will cover notification costs, legal fees defending regulatory action, and in some cases the penalty itself (where this can legally be insured).
Cover for your out-of-pocket expenses, which could include system repair costs, lost income while the system is down, or even ransom payments to hackers.
Cover for your website, blogs and social media, for copyright or trademark infringement, or defamation etc.
Finally, it's also worth noting that the new data protection regulations coming into force in 2018 mean the potential impacts of a breach will become even greater. The new rules will give customers greater powers to take legal action in the case of a breach, while fines are set to increase to as much as €20m. So even more of a reason to make sure you're on top of cyber security - before it's too late!
We've made buying insurance simple. Get started.
- 15 October 20201 minute read
Cyber attacks don’t just affect large companies. Cyber security is becoming an increasing concern for individuals and small companies. Here’s how to stay safe.