Cyber is a word you no doubt read every day, such is the concern around the ever-growing and evolving problem of cyber security.
The UK government’s annual Information Security Breaches Survey for 2016 states that 65% of large firms detected a cyber security breach or attack in the past year, with 25% of these experiencing a breach at least once a month.
The survey also found that while 69% of businesses say cyber security is a high priority for senior managers, only 51% of companies have taken recommended actions to identify cyber risk, and even fewer have implemented cyber security policies or incident response plans.
While breach notification is not yet mandatory in the EU, this is set to change with the upcoming General Data Protection Regulation (GDPR).
The GDPR comes into force across the EU from May 2018. Among other things, it will impose a 72-hour deadline for notifying a breach to the relevant authority and individuals where there is a high risk to their personal data. Businesses will be subject to fines of up to €20m or 4% of annual global turnover, whichever is higher, for infringements of some of the rules.
Given the near certainty of a cyber security breach or attack, and the potential financial and reputational implications, this is no longer an issue confined to the IT team; it is something that needs to be addressed at board level and requires full engagement of key decision-makers in the company.
Being prepared so that any breach can be dealt with quickly and effectively with minimal disruption is crucial to business.
Breach response is, by nature, time critical. It frequently crosses jurisdictions and industry sectors. The first hours immediately following a breach are the most important. Working out the necessary steps only after a breach has occurred risks delay and, with it, greater loss.
Each organisation requires an incident response plan tailor-made to meet its individual needs and resources. Below is a non-exhaustive list of considerations companies should bear in mind:
Evaluate and prevent:
- Conduct an IT risk assessment using data and network mapping to determine what data, intangible assets and devices your business holds and their value. It is also important to gather threat intelligence on a regular basis. Any gaps in protection, IT or otherwise, should be remedied as necessary.
- If not already in place, consider the need for the development of internal cyber security policies and procedures addressing, among other things, key security controls, the process for reporting breaches, remote rules, controls around using personal devices and social media use.
- Know your data protection and legal obligations.
- Engage with the board and seek authorisation for the development of cyber security protocols, necessary resourcing and a budget for implementation.
- Set up an incident response team (with backups) formed of members across the business functions. Ideally, the team would consist of members from risk management, IT, legal, PR, human resources and the board. Increasingly, companies are looking to specifically appoint a chief information security officer who will, as part of their responsibilities, act as the team leader in the event of a breach.
- Draft a clear data breach incident response plan that will be initiated when a breach occurs, whereby the pre-approved incident response team will be alerted and follow clear protocols to remedy the breach, minimise loss and preserve evidence.
- It is vital to scenario-test the incident response plan at the outset and at regular intervals, ideally by holding security drills in which the plan is put into action as if a breach were happening. Any flaws in the plan can then be identified and remedied.
- Distribute company policies on cyber security and response to all personnel.
- Regularly update all documents as necessary.
- Give personnel mandatory training at regular intervals, updated to reflect any changes to company policies or the incident response plan.
- Set up clear employee reporting channels and communicate them to all staff.
A data breach, whether from a cyber intrusion or the loss of a device, can be challenging for any business to deal with. However, in tandem with adequate IT security, the best defence is to be prepared so that the response can be quick and effective.
Contributed by Helen Bourne & Mark Williamson, Partners, Clyde & Co