As the volume of sensitive data that businesses store ever increases, the use of mobile devices continues to grow and cyber villains become ever more sophisticated, it is perhaps of no surprise that we hear about new instances of information theft and data loss on a daily basis.
It has been recently reported that the average cost per lost or stolen record is $154 and that over 90% of companies with more than 250 staff have experienced a security breach at some point.
These breaches can expose the company to real financial loss, risk of fines and serious brand and reputational damage. There is therefore certainly no room for complacency when it comes to the risks posed by data breaches and cyber attacks.
It is important to also note that it is not just criminals out to steal or disrupt business that pose a risk. Employees or business partners often compromise data by accident, through negligence or with malicious intent and business competitors, increasingly from the east, that wish to gain an economic advantage present a greater risk than ever.
Given the range of threats, coupled with the sanctions available to European regulators (fine levels being set to increase significantly under new EU laws), strategising to reduce the risk of breaches and implementing plans to deal with them once they occur should be prioritized at board level, regardless of a company’s size.
But what precisely should businesses be doing to reduce their risk profile in the pre and post incident environment?
What the law says
The UK Data Protection Act 1998 (DPA) requires a risk-based approach to security and requires organisations to take “appropriate technical and organisational measures … against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
In other words, there is no one-sizefits- all solution as far as the DPA is concerned when it comes to data security and rather bespoke analysis and actions are required. The measures taken by an organisation will depend largely on the size and nature of a business, the amount of data it processes, and the sensitivity of that data.
Another key issue requiring bespoke analysis is in relation to breach notification and reporting when a breach occurs. There is currently no mandatory breach reporting under the DPA, although some bodies have instituted their own requirements (e.g. central government).
UK privacy watchdog the Information Commissioner’s Office (ICO) does currently encourage self-reporting of breaches (and also that affected data subjects are notified) in appropriate circumstances, but as things stand there is no strict legal obligation to do so. There are exceptions to this under different pieces of UK legislation – for example, providers of public communications services are required to notify the ICO where breaches occur.
This is set to change, however, following the introduction of the new EU-wide Data Protection Regulation – reports to be made to supervisory authorities within 24 hours have been proposed under this Regulation. Any company’s breach notification policy will therefore need to be prepared or updated with this regulation in mind.
Getting the basics right
So what can businesses do? Given the law, five levels and enforcement priorities are changing so fast, it is almost impossible for businesses to stay on top of it all and so it can be very helpful to bring in experienced outside legal expertise to help initially identify and fix any gaps.
Some best practice tips that will help reduce cyber security threats include: updated and enhanced training for staff; using reputable anti-virus software relevant to all business areas; downloading software updates as soon as they appear; using strong passwords; and deletion of suspicious emails.
CESG (the information security arm of GCHQ) also recommends that an ‘information risk management regime’ should be developed across an organisation, supported by the board and senior managers.
The company’s risk management policy should then be rolled out across the organisation to ensure that everybody within the organisation from the top down is aware of the organisation’s risk management boundaries.
CESG’s mantra reflects guidance on best practice emanating from the ICO, which also suggests that there are four key elements to implementing a cyber breach strategy.
First, designing and organising security (physical and technical) to fit the nature of the data and harm that may result from a breach. Then, setting out who in an organisation is responsible for compliance on a day-to-day level.
Third, implementing the right physical and technical security, backed with appropriate policies and procedures (covering details such as acceptable and secure use of systems, mobile use policies, access to removable media etc.) and well-trained staff.
And finally, being ready to quickly and effectively respond to any reports of a breach.
With all the best will in the world, implementing a comprehensive plan as outlined above only goes so far and cannot entirely eliminate the risks associated with a security breach.
Companies also need a robust plan to consult with and expert resources at the ready to call in should the worst happen.
Experience shows that even well-meaning and professional businesses are generally falling well short at this second hurdle.
A well-developed reactionary plan should ensure that sufficient steps are taken to immediately contain the breach and recover lost data, whilst at the same time providing for a risk assessment to be carried out to consider how serious the damage is or is likely to be.
Important decisions to grabble with in the post incident environment are whether or not to involve the ICO by making a self-report and whether to notify affected individuals.
Is the breach sufficiently serious?
Also, timing is crucial and detailed thought needs to be given as to when should such notifications be made? Self-reporting to the ICO will not always result in a lighter fine or the avoidance of a fine altogether, but it can help (the ICO has gone on record saying the same).
That said, a premature notification to the ICO and to individuals whom a company believes may be affected can also cause more harm than good.
There is, more often than not, considerable merit in not “jumping the gun” in terms of notifications to regulators and individuals until the key facts have been established and the extent of the issue is clear – at least under the current legal regime.
This is a critical phase and having the sounding board of pre-identified counsel who have been though it before can be invaluable.
Companies should also consider whether their insurance products cover against data breach costs, damage done, regulator fines levied and litigation initiated by individuals affected by a breach.
Whilst such products are becoming increasingly popular, the consensus is that they are still underused and can also be ineffective unless the cover is carefully matched to the business.
Identifying those responsible for the policy who can liaise with insurers following a breach is also an important exercise and can ease considerable headaches down the line.
Nothing to chance
Cyber breaches can have very real impact on a business’ reputation, brand and bottom line. The increasing fines and risk of legal suits as a result also mean it is prudent to do some key work in advance to prepare.
Clear procedures and policies should be put in place that deal with the pre and post cyber incident environment, which can help minimise exposure to a security breach. In addition, bespoke recommendations should be sought and made as to staff training, a robust insurance policy and defined roles within an organisation.
Given all of this work comes with a cost, board-level buy-in is undoubtedly important. Considering the increase in cyber incidents and increasingly serious consequences to a business, the need to do some work in advance to prepare for attacks should be viewed as an important and logical sell to the executive team.
When it comes to cyber security, nothing should be left to chance and companies should not be complacent.
Careful planning and preparations upfront, including accounting for the pending legal changes at an EU level, will not only limit damage should a breach occur but can also help avoid or minimise regulatory sanctions, be good for a company’s reputation and vastly improve consumer trust and confidence.