The issue of cyber security has made its way onto boardroom agendas and even more so given the latest incident at Talk Talk. In an earlier article we explained why this was the case and why UK businesses cannot afford to ignore the risks of a security breach. This article suggests steps that businesses can take to address those risks. Adopting the suggestions below may help to avoid a security breach in the first place or, if that fails, lessen the damage – and potential liability – should a breach occur.
- make cyber security a board level responsibility. The board should take ownership of cyber security and ensure that adherence to standards of protection against cyber risk is embedded throughout the corporate organisation
- create a "cybersecurity team". The team should comprise, at the very least, IT, legal and PR specialists and should report into senior management, preferably at board level, who in turn can keep the board updated. The duties, responsibilities and reporting lines of team members should be documented
- create an incident response plan. If you don't have one now then you need one. Technology moves fast and may outstrip protective measures, and people make mistakes. You need to know what you are going to do if the worst happens and a hacker outsmarts your protection. You won't have time to think, so you need to have an incident response plan already in place which outlines how the business will respond to a suspected cyber event. The plan should allocate responsibilities to key personnel, including legal counsel and experienced PR management. Part of the job of the legal counsel will be to assess whether the company needs to notify the breach to the regulatory authorities (i.e. the ICO) and/or inform its customers. You should also have a business continuity plan. The business continuity plan should tackle how the business will carry on in the event of a security breach (e.g. off-site working), including how to access data and systems. This will involve the establishment and maintenance of a back-up system; consideration will need to be given to the management of data within that back-up system and to ensuring the segregation of the data stored within the back-up system from the business' day-to-day systems. Both plans should be kept under regular review
- undertake a risk assessment. The purpose of the risk assessment should be to identify what personal data is held, where it is held and what the threats to the security of that data are. The assessment should include identification of your own hardware, software, databases and servers and those of third-party data storage providers, including cloud providers
- review existing policies and procedures. If these are deficient (or don't exist at all) update (or draft) them. Once in place, they should be kept under regular review
- assess third-party risks. Restrict third-party access to the networks of the business and personal data. Formal policies and procedures should be implemented to address the sharing of personal data with other organisations. These should stipulate when information can be shared; the necessary security measures; who may authorise data sharing; and the maintenance of records
- enforce data retention limits. The Data Protection Act 1998 requires that personal data is not maintained for longer than is necessary. Existing retention schedules should be reviewed and amended, if necessary. Retention schedules should document responsibilities, disposal methods and justify the term of retention for particular types of document and any exceptions
- identify "sensitive personal data". Ideally, sensitive personal data should be segregated from regular data and subjected to enhanced security measures, such as password protection and/or encryption
- consider cyber insurance. There is no "standard" cyber insurance cover and careful consideration should be given to the type of cover that is relevant. Examples include system restoration costs; business interruption; defence and indemnity costs associated with litigation resulting from data subjects (e.g. aggrieved customers); regulatory investigation defence costs
- train staff. Staff should be apprised of the risks associated with, for example, using mobile devices, removing IT equipment from the business premises, phishing, downloading malware and viruses, etc. As technology develops so do the risks, so there should be periodic refresher training for staff as well as induction training for new starters
- review and enhance system security. Could more be done to safeguard the perimeter? For example, the Information Commissioner has previously highlighted the benefits of encryption, and urged consideration of whether portable devices that store personal data, such as laptops, USB sticks and DVD/CD media, should be encrypted. Individual rather than shared log-ons should be used and more complex passwords encouraged. Consider how to ensure that as few members of staff as possible are able to access personal data, particularly sensitive personal data
There is no one-size-fits-all solution to safeguarding a business from a data security breach. However, the steps set out above are of general application and merit consideration.