The UK government launched its 5-year National Cyber Security Strategy in November 2016, investing a reported £1.9 billion to protect UK businesses from cyber-attacks and make the country the safest place to live and do business online. This strategy has included the opening of the National Cyber Security Centre (part of GCHQ) and the creation of campaigns to support businesses with expert guidance on cyber security, such as Cyber Aware and Cyber Essentials.
More recently, on 19 April, the government produced its report into cyber security breaches, based on a survey of over 1500 UK businesses. According to the government report, just under half of all UK businesses suffered at least one cyber security breach or attack in the last 12 months, yet only 1 in 10 businesses have a cyber security incident management plan in place and only a third have a formal policy that covers cyber security risks. The average cost of a breach is said to be around £20,000, but this is a conservative estimate and for many larger companies the cost is much more, not least in monetary terms. The risk of negative publicity and damage to reputation remains high, even when security measures are adopted and insurance cover is in place, so it is no wonder that businesses are confused about what to do to protect themselves and the data they hold. The danger is that companies do not sufficiently address the problems, perhaps because it seems impossible to eliminate the threat completely, or they are put off by scaremongering tactics by InfoSec consultants or cyber insurance brokers.
Cyber security should be a priority for company directors. Under the Companies Act 2006, they have a duty to promote the success of the company and to exercise reasonable care, skill and diligence in the performance of their role. Failing to adopt and maintain appropriate security measures to protect personal data and confidential information against cyber-attacks could be considered a breach of these duties and expose the company and individual directors to legal liabilities, including fines and claims for compensation under data protection legislation, and to potential action from regulators such as the ICO or, for businesses in the financial sector, the FCA.
The introduction of the new General Data Protection Regulation (GDPR), which comes into effect from 25 May 2018, is also prompting businesses to consider their security measures, particularly online and where electronic personal data are processed. As the government survey shows, companies handling personal data online are more likely to suffer a breach, with most attacks coming through fraudulent emails (convincing recipients to divulge passwords, reveal financial information or open suspicious attachments), viruses and malware. Security of personal data is a key feature of the GDPR, building on the existing data protection principles and security requirements in the Data Protection Act 1998, and it is worth noting the full requirements of Article 32 of the new regulation, which provides that:
“1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia as appropriate:
- The pseudonymisation and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.”
There are severe penalties for data protection breaches under the GDPR, including fines of up to €20 million or 4% of a company’s global annual turnover, whichever is higher, so there is a need to deal with cyber security, whatever the size and scope of the business. How to manage the threat must be an issue for boards and senior management: there are clearly advantages to company and personal data being accessible online, in the cloud and on personal devices, at any time and from any location, but the disadvantages cannot be overlooked. As cyber risks, including ransomware, hacking and malware attacks, present a constant threat and are a growing concern for everyone, companies must do more to protect themselves.
The government’s recommended Cyber Essentials scheme includes a range of technical controls which, if adopted by a company, can earn it certification that it meets basic cyber security standards. These include:
- Boundary firewalls and internet gateways;
- Secure configuration;
- Access control;
- Malware protection; and
- Patch management.
Obtaining a Cyber Essentials certificate enables a company to show customers, investors, insurers and others that it is taking these essential precautions to protect against online threats. It is a minimum standard, however, and many companies will already meet these requirements if they hold an information security certification such as ISO 27001. Unfortunately, hackers will still try to breach security and manipulate systems and people to gain access to valuable company information and personal data. Companies are therefore encouraged to invest in training for all staff, not just those in information security, as it is clear that the majority of breaches involve employees, through phishing, viruses and ransomware attacks as well as technical security issues.
Finally, despite mixed responses from businesses that have taken them out, cyber insurance policies should be considered as part of any cyber security programme. Companies should carefully examine the level of coverage available and ensure that they can meet the minimum standards the policy requires for it to be effective, but investing in insurance cover is an appropriate response to the cyber security threat.