Risk Management: Cyber necessities for your business
UK statistics indicate that a third of businesses suffered a cyber breach or attack in the past 12 months, at an average cost of £4,180. The insurer Hiscox has suggested 55 percent of businesses face an attack in 2019, up from 40 percent last year.
It is not possible to achieve perfect cyber security – and it would be ruinously expensive to try. Instead, a successful business needs an awareness of potential issues, to make appropriate investment into systems and controls, and to know where to turn if things go wrong.
So, what are the most common means of attack?
Phishing emails:
Emails which trick the reader, usually into revealing security details, are increasingly common. There are programmes available that will act as gatekeeper against such communications, though inevitably some will get through. Staff training, to help employees spot such emails and respond appropriately, is a key part of your defence.
Viruses and malware:
These enter your systems through downloads, emails, messenger services or via cross-infection from other devices linked to yours. At best, they impede the smooth functioning of your computers; at worst they cause you to lose company data (e.g. ransomware) or allow a third party access to confidential company information. A good anti-virus will stop most, but you also need a clear plan for handling an infection, including ensuring that you have adequate back-up systems.
Distributed Denial of Service (DDoS) attacks:
These involve bombarding your IP address with more traffic than it can handle, so it becomes overwhelmed and ‘disappears’ from the web. They are becoming more common and you’re likely to need specialist assistance. An attack will cause you disruption, but having an appropriate business continuity plan will help mitigate the impact.
What if you suffer an attack?
If you have cyber insurance, your insurer may be able to direct you to technical and business continuity experts, to help you recover systems and ride out the storm. You could also seek help from the 24/7 cyber-attack helpline operated by Action Fraud (0300 123 2040).
Where trade secrets, sensitive information, or staff or customer data have been lost, you’re likely to need specialist legal advice in order to handle the situation vis-à-vis your own customers and relevant regulators. There may be options available to recover information that has been lost or to prevent its use by others.
Disruption to your business may directly impact your clients, leading to litigation, and decisions need to be taken with that in mind. A cyber incident may need to be reported to contractual counterparties and, if personal data was unlawfully accessed or lost, you will likely need to report the incident to relevant data regulators, including the Information Commissioner. Framing those communications in the right way will help prevent issues going forward.
Above all else, a proactive, pragmatic and protective approach is best, both regarding planning for an incident, and in responding should one occur.