When a cyber breach occurs, the first question that will likely be asked is ‘Did you take reasonable steps to protect the data that you held?’ Not having taken reasonable steps will likely result in a claim by third parties who have suffered loss or damage as a consequence of the breach, and potentially regulatory action and fines.

Cyber threats are increasing in both volume and sophistication, and with them the risk that sensitive information (whether personal or business) is disclosed.

For victims of cyber-crimes, cyber security breaches can have major financial, business, and reputational impacts that can cause long lasting damage.

The cyber landscape is an uncertain area that is constantly evolving. The only certainty is that cyber-attacks will continue, and the IT systems of the unwary and/or unprepared will likely be found wanting when tested.

Prevention is the best strategy to address cyber risk. However, given the growing sophistication of cyber attackers, it is also essential to prepare for the worst-case scenario.

The key takeaway message is that there are no shortcuts to achieving effective cyber security. Achieving a sufficient level of security requires genuine engagement with the issue. Reliance on dated systems and a ‘she’ll be right’ attitude will only result in disaster.

Real Engagement

So, what does ‘best practice’ in terms of cyber security entail?

The starting point is ensuring that:

  • appropriate IT systems and procedures are in place to provide the greatest extent of protection that is practicable; and
  • staff are appropriately trained and provided with adequate IT support (especially if operating remotely) to ensure that they are aware of emerging types of phishing scams and other cyber risks. This is critical as staff are often perceived as the ‘weak link’ in any cyber security system, with a large proportion of cyberattacks exploiting some form of human vulnerability. For example, ransomware typically gains its initial foothold through ‘phishing’ emails that trick staff into opening a malicious attachment or entering their credentials on a fraudulent website. Staff must be trained and regularly tested (for example with simulated phishing campaigns), so that they can recognise and report ‘phishing’ or ‘trojan’ attacks.

Ultimately, creating an organisation wide culture of cyber security awareness is the best defence against cybercrime. At a bare minimum this involves:

  • cybersecurity processes that are well documented in plain English, embedded with staff, and regularly updated
  • regular audits of cyber security systems to ensure that they remain ‘fit for purpose’
  • good IT ‘hygiene’, doing the basics (such as prompt installation of patches) regularly and well
  • strong password policies (favouring length over forced complexity, and checking new passwords against lists of known-breached passwords)
  • multi-factor authentication, which adds a second step of verification so that a stolen or phished password alone is not enough to log in
  • a comprehensive cyber breach response plan, which addresses notification obligations, containment, and mitigation measures. This will ensure that you respond to any cyber incident as swiftly and effectively as possible.

There is no shortcut to achieving effective cyber security. The key is not to become complacent. All systems, processes, and procedures should be regularly reviewed, rigorously tested, and when necessary, updated.

Third Party Suppliers

It is also important to consider the security of third-party suppliers. Cyber attackers can gain access to an organisation’s systems by exploiting vulnerabilities in third-party suppliers’ IT systems, or by abusing the access those suppliers have been granted. You therefore need to ensure that your suppliers’ cyber security systems and policies are satisfactory.

If your suppliers have access to either your premises or your IT system, you will need to ensure that they comply with your cyber security policies and procedures.

Your contract with third party suppliers should clearly define their responsibility for cyber security, spelling out specifically what is required rather than simply requiring compliance with some vague general standard of care. Suppliers’ IT systems should comply with your security standard as a bare minimum requirement. Compliance should be verified via testing and audits, so as to ensure that cyber security is foremost in the minds of your suppliers.

In the event of a Cyber Breach

Deal with it. Take prompt steps with appropriate IT assistance to contain the incident and mitigate any loss, preserve the logs and systems that will be needed to establish what happened, immediately notify insurers, and seek legal advice on your notification obligations.

If you would like to know more about the issues discussed in this article, please contact Tony Clark

This publication is intended as a general overview and discussion of the content dealt with. It should not be used in any specific situation, in which case you should seek specific legal advice.