Recent high-profile news of cyber attacks on celebrities, the news that Apple’s iCloud service in China was hacked in October of last year, and the continuing furore surrounding the recent cyber attack on Sony have thrust the issue of cyber attacks into the spotlight once again.
Significant questions are now being asked about the implications of cyber attacks and how to deal with them should they happen to our businesses.
These attacks don’t just happen to the biggest companies. According to the 2014 Information Security Breaches Survey, conducted by PwC on behalf of the Department for Business, Innovation & Skills, 55% of large organisations were attacked by ‘unauthorised outsiders’ in the previous year, as were 33% of small businesses. Whilst most data hacks won’t have the same impact as the emails and other sensitive information leaked from Sony, many businesses will be taking the opportunity to carry out an audit of their existing data protection systems this New Year.
What is a cyber attack?
A cyber attack in its basic form is an attack by one computer on another, carried out by computer hackers. Once a hacker has access to a computer, they can access any data saved on it. If highly sensitive information held by a business or organisation is released or stolen, this can be incredibly damaging to the business – especially one that processes large volumes of sensitive data on behalf of its staff, customers or clients.
There can be a range of financial implications for an organisation which finds itself in this situation: loss of revenue, time lost in dealing with the attack, the cost of notifying customers or clients, compensation for the loss of sensitive data, reputational damage, and third-party fees such as lawyers’ fees for advice on data protection and the surrounding fall-out. The Information Security Breaches Survey reports that the total cost to businesses of dealing with information security breach incidents nearly doubled in 2013 compared with 2012, to £600,000-£1,150,000 for large organisations and £65,000-£115,000 for small businesses.
There may also be regulatory fines or penalties levied on an organisation. Currently, the maximum penalty that can be levied by the Information Commissioner, the UK authority tasked with upholding and enforcing data protection legislation, is £500,000. However, if proposed new EU legislation comes into force, a business found to have been negligent in protecting its data might be fined up to €100 million or 5% of its annual worldwide turnover, whichever is higher.
How do I protect my business from the risk of cyber attacks?
Clearly, given the huge potential implications that may result from cyber attacks, it is important for an organisation to take steps to prevent such attacks and to have a plan of action should one occur.
These short tips provide a good starting point:
- Be proactive. Educate your workforce on the risks associated with cyber attacks. Once your workforce is educated on the matter they will be able to spot any potential threats or attacks.
- Arrange specific insurance to protect against cyber attacks. You may think that this is already covered under your standard business insurance; however, these policies will normally exclude economic loss, and even policies that do insure against theft will not usually cover third-party property such as customer/client data.
- Identify key threats. Mobile phones and remotely accessed laptops are becoming more widely used. Make sure these are protected from an attack.
- Use smarter passwords. Passwords should be highly complex: a mix of upper-case letters, lower-case letters and numbers. It is recommended that they be at least eight characters long, but to make them even safer, make them 15 characters long. What is your organisation’s policy on passwords?
- Keep your antivirus software up to date. Make sure you keep abreast of updates – otherwise your software may not work as well as you think.
- Know where your cloud-based data is stored. How is it being kept secure? What is the provider’s liability for protecting your data?
- Have procedures and policies in place to deal with any attack. Think about damage limitation. Is there a need to inform customers/clients or even issue a press release? Planning in advance is critical. Consider tightening up your security software so that the same thing doesn’t happen again.
Cyber attacks are clearly an important area to consider given the risks to your business. To discuss protecting your business against potential cyber attacks, or data protection in general, please contact Lisa Kitson.