Paul Glass from law firm Taylor Wessing warns that all businesses need to ensure they have adequate cyber security protection in place
Ed Vaizey, the Minister for the Digital Economy, has once again highlighted the proportion of businesses which have fallen victim to cyber breaches in the last year (74 percent of small businesses and 90 percent of major businesses). Those proportions show no sign of decreasing. Some attribute this in part to the sophistication of attackers, but in reality a very significant proportion of breaches do not result from sophisticated attacks and could have been prevented.
Preparation is everything
In most of these breaches, the company will not yet know that its data has been compromised. When a breach does become apparent, being prepared in advance for how to respond is critical. Who will be responsible for investigating the breach and taking key decisions? This has to be someone senior within the business. How will you identify the extent of the breach and what data may have left the business, and how and what will you communicate to your customers? Could you have lost a business partner’s data, and what are your contractual obligations and liabilities if you have? Do you understand your regulatory obligations? What external assistance might you need (a specialist IT function, legal advice) and who can provide it? Time spent in advance planning for these issues and preparing an incident response plan is crucial.
Given the figures of how many businesses are compromised, every business should be taking time to prepare for how they will respond to a discovered breach. The reality is that if a substantial breach is discovered, a business will be firefighting on many fronts to deal with what could be a business critical issue. Getting the first 72-96 hours right is crucial.
An “it won’t happen to me” attitude is just sticking your head in the sand
Many businesses may be thinking ‘it won’t happen to me, I’m not prepared to incur the cost of this’. First, the figures on the proportions of businesses already breached show that it probably already has happened to you, and you don’t know it yet. Second, this could be a business critical issue, so not preparing is a false economy. Third, there are other benefits to this work. The exercise of preparing for information security breaches means that a business needs to understand what data it holds and where that data actually sits and flows within the business (not just where the business thinks it is). This may identify opportunities for efficiencies and improvements to business processes. It will also involve the business identifying what IT equipment it owns, where it is and what the risks associated with that equipment are. The rise of BYOD, for example, requires robust controls to ensure security that reflects the reality of how employees operate, not what policies say employees should be doing. Understanding the extent of ‘shadow IT’ within your business and how to deal with it is a significant benefit. Finally, being able to demonstrate that you have put appropriate policies in place can be significant in dealing with regulators after a breach.
A significant number of information security breaches can be avoided by relatively basic information security good practice. The government has published a number of guides which are a good starting point for many businesses. The sheer number of businesses that the figures suggest may have already suffered a breach, most of which don’t know it yet, shows that a very large number of businesses still have a lot of work to do on information security.