A joint report was published by the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) last month (Joint Report), identifying the growing cyber threat to UK businesses.
In summary, the threat of cyber-attacks is increasing: ransomware is the most commonly used mode of attack and it is becoming increasingly sophisticated. However, social engineering and spear-phishing, more commonly referred to as ‘Friday afternoon fraud’, where hackers encourage employees to make monetary transfers to the hackers’ bank accounts, have become more commonplace. A further trend identified is the growth of attacks involving the Internet of Things; this is a result of the increase in use of internet-connected devices, which often lack the same level of security as a computer.
The Joint Report has predicted we could see a future rise in attacks that tamper with, rather than steal, data. This can be very dangerous to businesses that are not even aware that changes have been made to their systems. Hackers can gain control over firewall systems, which could have the effect of weakening the security systems, allowing the hacker to gain control over confidential information.
The Joint Report emphasises how the GDPR will bring about a significant change in the way data breaches are dealt with and reported. There will be a requirement for all businesses to notify the ICO of all data breaches without ‘undue’ delay; notification will be the first step towards a fine.
To reduce the risk involved with data security breaches, the Joint Report recommends that businesses focus more on developing cyber skills and improving awareness of cyber crime. Businesses are encouraged to develop a full-spectrum response plan to cyber threats, focusing on cyber security, providing appropriate staff training and communication within the organisation. They are also advised to discuss professional indemnity and cyber insurance policies with their broker to ensure they have adequate coverage.
Professional bodies such as the RICS and the SRA have also published guidance on this area. RICS, for example, warns that surveyors are as vulnerable to data breaches as other professionals; the code directs readers to the Government’s Cyber Essentials initiative, which sets out minimum steps a business should take to keep its data and systems secure.