National Cyber Security Centre (NCSC)
In February 2017, the NCSC was launched to co-ordinate the UK Government’s response to cyber threats. Part of GCHQ, the NCSC provides support to infrastructure-critical businesses in the event of cyber incidents, as well as working with experts in a range of organisations to improve cyber resilience. The NCSC will also provide best practice guidance to businesses, based on its research and experience. In its first three months in existence it assisted on 188 serious attacks.
The EU Network and Information Security Directive requires certain providers of ‘critical infrastructure’ to take prescribed measures to prevent and minimise the effect of cyber breaches, and to notify the relevant authority of any breaches that take place. The UK Government has indicated that it will implement the Directive on time, regardless of Brexit, although no details of what the measures will be, or who the relevant authority will be, have yet been published. A public consultation is expected shortly, but no date has been announced. The sectors covered by the Directive are Energy, Water, Banking, Financial Markets Infrastructure, Transport, Healthcare and Digital Infrastructure. The Directive will also apply to providers of certain digital services, such as online marketplaces, search engines and cloud computing providers.
National governments have until May 2018 (the date that the EU General Data Protection Regulation [GDPR] also comes into force) to set out the minimum standards that the providers of “critical infrastructure” need to comply with, along with sanctions for breach. Those providers must then be identified by November 2018.
Vulnerabilities of connected devices
Although manufacturers are becoming more alert to the security risks posed by unprotected ‘connected devices’, the Internet of Things (IoT) raises a number of security issues, particularly where users have no ability to update software or incorporate protection into existing products. Security vulnerabilities create dangers to the users of those devices or permit IoT devices to be hijacked and used to mount large distributed denial-of-service attacks.
As the recent NHS attacks have demonstrated, ‘ransomware’ attacks, which involve locking down a computer or wider system and then demanding a payment to restore access, are a growing threat for UK businesses. A recent survey commissioned by the Department of Culture, Media and Sport found that almost a fifth of companies had been the victims of such attacks. As with many cyber threats, ransomware often targets individual employees as the ‘weak link’ in an organisation’s cyber security system. It is no longer necessary for criminals to have the IT skills to carry out such attacks themselves, as ‘off-the-shelf’ ransomware can be readily obtained on the dark web.
Despite widely publicised risks and attacks, only 52% of 1,500 firms surveyed in a Government-backed report have implemented the five basic controls that the Government-endorsed Cyber Essentials scheme recommends to prevent 80% of cyber attacks. Even companies with such measures in place can fall victim to a major breach, of course, particularly as a result of the exploitation of their employees, whether maliciously or unwittingly. It is vital for companies to ensure they have a dedicated and stress-tested cyber incident response plan. Along with technical measures such as locating and isolating attack vectors and protecting high-value IP, the plan will need to provide for early-stage investigation, notification (taking into account future obligations under the GDPR and NIS Directive), PR management and any HR issues.
Specific cyber security insurance is becoming more common in the UK. The nature and extent of this insurance can vary widely, but with premiums in some other areas reducing, many businesses are now considering the addition of cyber security insurance. This is particularly important as industry surveys typically reveal a gap between the levels of cover that businesses think they have under non-specialist policies and the actual levels of cover under those policies for cyber breaches.
In focus: Personal liability
It is unlikely that individuals within a company that experiences a security incident will face any personal prosecution in relation to that data breach or cyber incident, unless they themselves caused the incident. However, given the reputational impact of these incidents, they are generally board-level issues and senior executives and board members can find themselves under intense pressure if they are responsible for failings that led to breaches or fail to respond appropriately. It is, therefore, vital that senior executives and board members understand their responsibilities and practise responding to data breach scenarios.
More often, individuals are the subject of offensive action by the company suffering the security incident. Where the perpetrator of an attack is unconnected to the company, this will mean co-operating with law enforcement authorities. This can reduce the level of control that the company has over issues such as information flow, which may need to be borne in mind when considering notification to customers and supply-chain partners, and reputation management.
When breaches involve employees or ex-employees, companies may need to consider taking action themselves against those individuals, such as obtaining injunctions to search properties and/or recover data or intellectual property. Where such action appears necessary, it is important to act quickly, before vital information or evidence can be released or deleted. The ability to react quickly following a breach will be a vital part of a well thought-out and comprehensive risk-mitigation strategy as discussed above.
Dates for the diary
9 May 2018 – Deadline for the NIS Directive to be implemented into national law.
25 May 2018 – GDPR comes into force.