Cyber security breaches are continually hitting national and international headlines and the need to be proactive to safeguard your business against such risks is increasingly important. Ranked by the UK Government's UK National Security Strategy as a "tier one" threat to organisations, cyber security breaches are increasingly a priority on business' agenda. Ivan Waide, Partner and Head of the IP & Technology team in A&L Goodbody's Belfast office, examines some of the issues.
A Rise in Risk
The advance of technology has allowed organisations to evolve the way they do business, by developing new and innovative products and services. However, this new digital age brings with it unfamiliar and complex security concerns. It is estimated that 90% of large organisations and 74% of small organisations have suffered some kind of cyber security breach. However, due to the newness of cyber risk, there remains uncertainty and many organisations are unaware of how to adequately protect their businesses from cyber attacks. Not all cyber security breaches are malicious, with an estimated 50% of the worst breaches being caused by human error. Accordingly, organisations need to ensure security investments promote an awareness of cyber security, as well as preventing attacks.
Consequences of a Breach
The cost to organisations dealing with a successful cyber attack can be significant. The UK Government has estimated that in 2015 it would cost a large organisation around £1.5m-£3m to rectify the effects of a breach. Alongside the potential monetary cost of a successful cyber attack, an organisation also risks business interruption, damage to both customer and market reputation, litigation or regulatory action, and loss of confidential information and intellectual property.
Whilst it is impossible to guarantee protection, there are several measures which organisations can put in place to help make their business more cyber secure:
Businesses processing personal data are legally required to have "appropriate security measures" in place. Applicable industry technical standards should be considered. Senior management should be familiar with these security measures.
Businesses should know where their confidential information (including all personal data) is held, and by whom. If sensitive information is held this should be categorised separately.
Employees should have access to guidance, in the form of a written cyber policy, on keeping data safe and what to do in the event of a cyber attack. Training on security issues should be provided to all employees.
Businesses need to ensure that policies for mobile devices enhance, rather than hinder, the safety of company data.
Ensure that general governance arrangements have explicit data security elements — e.g. reporting by IT department to an audit and risk committee. Cyber security should be a fixed agenda item with a Board sponsor.
Consider contracts with suppliers that handle your data (e.g. couriers and records management companies), and ensure that they are aware of your security requirements. Regular audit or reporting should occur. Retain the right to step in and to manage communications if necessary.
Clarify the responsibilities for running an investigation within the business. Everyone should know their role in the event of a cyber attack. Remember that involving legal advisors can ensure legal privilege over the internal investigation.
It is important to keep a written record of your preparedness. This will be important for any subsequent regulatory investigations or disputes.
Simple cyber security measures, such as adopting an effective cyber security policy and educating staff on their responsibilities, make good business sense. They will not only ensure you comply with your data security legal obligations, but also that your assets, reputation and customers are better protected.