A Thinking Business Publication
In the fast-paced digital world, the risks associated with data breaches and cyber-attacks weigh heavily on the minds of all business leaders.
The UK government estimates as many as 2.39 million instances of cybercrime have impacted UK businesses in the past 12 months. High-profile attacks continue to hit the headlines. In the summer, Boots, British Airways and the BBC were hit with an ultimatum from a Russian-speaking cybercrime group to begin ransom negotiations after it stole personal details of more than 100,000 of their staff. Similar attacks are happening every day in small and medium-sized businesses around the country.
“There is a lot for businesses to deal with at the moment,” says Elizabeth Mulley, managing associate in Trowers & Hamlins’ dispute resolution team. “Along with geopolitical unrest, energy prices fluctuating and high inflation and interest rates, there is also an increased dependence now on technology. Businesses are sometimes making large investments in new technology and new communication platforms in a rush, and that can leave them vulnerable. When there is so much to focus on in the day-to-day operations, the risk is that they leave the back door open to hackers and cyber criminals.”
The conflicts going on around the world have demonstrably increased the risks of cyber-attacks and put companies under even more pressure to prioritise cyber security. While many have focused their efforts on responding to breaches once they happen, there is a lot that companies can do to mitigate risks and address vulnerabilities, not only to avoid becoming a target for cyber criminals but also to minimise the loss and impact suffered if those vulnerabilities are exploited.
A solid cyber strategy encompasses not just investment in technical skills and capabilities, but also in governance and compliance. That is why Trowers has launched CyberSecure 360 with cyber security company CyberQ Group: together our goal is to help clients comprehensively manage cyber risk by combining technical and legal expertise. CyberSecure 360 offers a range of bespoke services that span the entire cyber risk management spectrum, including pre-breach preparedness and post-attack assistance.
“This is about raising awareness and getting ahead of issues,” says Stuart Hadley, global group COO at CyberQ Group. “Rather than simply being reactive, companies need to raise the level of C-suite and employee understanding of these issues, putting cyber security at the top of the priority list. This is a whole business problem. We often see it sat within IT as their responsibility, but in fact it cuts across everything; it is to do with supply chains, attracting new customers, company insurance, M&A due diligence and much more. Addressing cyber security is a key element of building resilience in any business and just leaving it to IT is a bad plan.”
He adds: “There also needs to be a shift in culture away from the view that ‘it won’t happen to us’. Even if you are a small business, you will be a target for hackers trying to get at bigger businesses. As attackers get more sophisticated, they are doing more reconnaissance and being more strategic in who they target and why.”
While it might be the big hacks on multi-billion pound companies that hit the headlines, these attacks are happening in small businesses, charities and schools all the time, so it is not a question of if but rather when your company might be in the firing line. Still, by developing your cyber readiness and building defences in advance, enduring an attack can be much less costly and disruptive than it might otherwise have been.
“The first step for any company is looking at and considering your security threats,” says Mulley. “You need to understand your vulnerabilities, the risks those represent and the likelihood that they can be exploited. Then you can assess your internal and external safeguards already in place and see where the gaps lie, before moving on to plugging those gaps and building up resilience.”
Hadley adds: “Doing that gap analysis helps people spot risk priorities and allocate resources effectively to the areas of most concern. And it is important to consider what the impact will be if a breach does happen. The perception is that cybersecurity is expensive but it’s not when you put it into the context of the threat to the company. For most people, investing in a vulnerability assessment and then the right policies and procedures can put them in a much better position to recover quickly from any incident.”
Helen Briant is a partner in the Trowers disputes team. She says: “The thing companies underestimate is the potential damage to their reputation of an attack. You can figure out in pounds and pence what might be the impact of your output being disrupted for a week, but if your customers walk away because they have lost faith in you, that will take a lot longer to recover from.”
Hadley says that clients may be faced with paying a £500,000 ransom and be tempted to hand over money to get systems back up and running, but that is rarely the best way forward. In all likelihood, hackers will leave something in systems to allow them to come back for more, so again the impact is more far-reaching than might be immediately evident.
Having completed a thorough cyber risk assessment, the next step is for companies to build a practical cyber risk management strategy. “That is about setting clear objectives around what you aim to achieve and then setting the wheels in motion,” says Hadley. “We are trying to get companies to bring in cybersecurity support every time they start a new project, on day one, because too often people get halfway through something and then realise they forgot about this.”
Mulley says a good cyber risk management strategy is revisited and monitored frequently, to make sure it stays a priority and keeps up with evolving risks. It will bring together legal and technical skills to encompass everything from risk assessment and gap analysis through to legal compliance, policies and procedures, awareness training, cyber insurance and investment in technology where appropriate.
A comprehensive strategy will also set out a clear incident response plan, including a communication plan for employees, customers and stakeholders in the event of an incident and a strategy for ensuring regulatory bodies are informed within the 72-hour reporting window.
She adds: “There is no one-size-fits-all approach to this. There has to be time put into tailoring the strategy to meet the needs of your organisation and your industry, because every business will have different vulnerabilities.”
The government’s National Cyber Strategy is focused on helping companies build a more cyber resilient future and is starting to bring out frameworks and guidance for businesses to follow, though there are currently no legal requirements. “We think that’s coming,” says Hadley. “There has been talk about the UK government introducing standards that organisations must comply with – for now, it is just asking companies the difficult questions.”
The key takeaway is that cybersecurity needs to be embedded into the fabric of a business, as everyone’s problem. Hadley says: “It doesn’t matter who you are, what kind of business you are, where you are or what size you are, everyone is prone to being attacked. There are lots of people surveying the internet looking for holes, just like thieves walking the streets looking for car windows left open.”
We have launched CyberSecure 360 to help our clients enhance their cyber resilience and ensure that they have the necessary safeguards in place to counter evolving cyber threats should an incident occur.