Cyber Crime: Is Your Business Secure?
Following last year’s headline-grabbing Talk Talk data breach and with many commentators predicting that cyber crime is set to overtake physical crime in the UK in 2016, the issue of cyber security needs to be high on the agenda of all organisations, regardless of size.
New European legislation, in the form of the Network and Information Security Directive, is intended to enhance data security throughout member states as well as fostering co-operation between EU nations and generally improving information security, not just against network breaches by cyber criminals, but also against technical failures and natural disasters.
On 14 January this year, the EU’s Internal Market Committee voted to support the proposed directive and it is expected to be formally agreed and published in the Official Journal of the European Union over the next few months. Member states will then be expected to have incorporated the directive into their national legislation within 21 months. Assuming that Britain remains in the EU, we should expect to see the new directive come into force by mid-2018 – by which time, all organisations will be expected to be fully compliant.
In the meantime, there are some proactive (and preventative) steps that organisations can take to mitigate their vulnerability to a cyber attack and its potential consequences:
Every business, large or small, is vulnerable to cyber crime. A comprehensive assessment of existing processes and procedures should therefore be carried out to identify exactly which valuable assets (such as information and infrastructure) need to be protected, and to highlight the specific risks to the business, and the impact on it, should those assets be compromised.
In the event of a cyber attack, the time it takes a business to react will be crucial. It is therefore imperative that your business knows what to do and who has responsibility for doing it. It is advisable to establish a dedicated incident response team and to ensure that specialist incident management training is made available to those responsible, both at its inception and on an ongoing basis.
Unfortunately, many data security breaches occur as a result of employee action (or inaction), and therefore user education and awareness are crucial. According to the 2015 Information Security Breaches Survey commissioned by the government, three-quarters of large organisations suffered a staff-related information security breach in 2014/15, with almost one third of small businesses experiencing a similar occurrence – with inadvertent human error the most common culprit.
It is important that organisations understand that cyber security is not merely an IT matter – it applies to everyone, from board level to front line staff.
Regulatory & Compliance
Until the new Cyber Security Bill is enacted, organisations should continue to pay particular attention to current data protection legislation. It is likely that it will become mandatory for organisations across all sectors to inform the authorities of any security breach involving personal data. You will also need to provide information on the facts surrounding the breach, its effects and any remedial action you have taken as a result.
Network & IT Security
Nowadays it goes without saying that all organisations should be taking appropriate steps to ensure that networks and infrastructure are protected against external (and internal) attacks.
Effective network and IT protection has a dual role: as well as blocking attacks, it can detect the signs of an imminent or ongoing cyber attack. You should therefore also put in place a procedure for the rapid escalation of information about any cyber security attack to your incident response team.
Our Commercial Team can help you review your current processes and advise, in light of current legislation, on how best to handle data collection and processing in your business.