This article has been submitted by CyberLaw
With an ever-increasing number of individuals and businesses connecting multiple devices to the internet, cybercrime risks are growing. Preventing these attacks is becoming increasingly problematic and can never be guaranteed, but a more proactive approach by businesses is essential.
Cyber fraud budgets are increasing
According to the Hiscox Cyber Readiness Report 2017, more than half of firms (57%) surveyed in the UK, Germany and US have experienced an attack in the past year and two in five (42%) have had to deal with two or more.
Research published by Beaming in March 2017 also found that more than half of UK businesses fell victim to some form of cyber intrusion in 2016, at a cost of over £29 billion.
The financial implications of a cyber-attack can be significant for a firm through loss of clients, reputational damage and a fall in company value, but there are other risks which are often ignored.
Company directors may face claims against them personally if their business suffers a cyber-attack and the board is shown to have failed to put in place adequate measures to minimise the risk of such an attack and to deal with the fallout of a cyber security breach.
With the General Data Protection Regulation (GDPR) coming into force in May 2018, companies will be required to implement more stringent information security measures to ensure the safety of individuals’ data, including that of employees. Firms will be required to report personal data breaches caused by events such as cyber-attacks within 72 hours.
The role of the directors
Directors have ultimate responsibility for managing cyber risk. Day-to-day management of the risk can be delegated, but the Board must proactively oversee it. Responsibility therefore starts and ends with them. This is enshrined in the Companies Act 2006.
A cyber Incident Response Plan is essential to manage the response to a cyber-attack, covering the financial, reputational and legal risk.
The role of HR
The internal workforce is responsible for a significant proportion of IT breaches. Hackers often prey on the weak by targeting frustrated or complacent employees, or employees can be the subject of social engineering that lures them into handing over valuable data.
HR departments therefore have a key role to play from the outset in the fight against cybercrime, particularly in preventing data breaches, and a more proactive approach is essential.
A cyber security and prevention program and a clear, well-communicated staff policy aimed at educating employees should be put in place. It is important that any policy sets out the consequences of non-compliance, including the potential for disciplinary action if there is a breach.
This should be accompanied by an awareness training session for all positions, taking a boardroom-to-basement approach. Training should be given at the outset of employment as part of induction programs. It should educate and raise awareness among employees and cover topics such as how to identify and deal with suspicious circumstances and emails, and a list of the dos and don’ts of using IT and receiving data. Training can also be interactive, such as using phishing exercises to engage employees, and should continue regularly, either informally or formally, acting as a refresher for employees.
Culturally, HR needs to support anyone who has been impacted by a data breach with clear communication and an action plan which is aligned with wider company obligations.
Protecting your company from cyber security threats with the world-leading specialists at CyberLaw
CyberLaw's world-class team of cyber security experts and legal practitioners offer unparalleled advice, consultancy and legal representation in the field of cyber security.
Our cyber specialists have vast experience in the following services:
- Cyber Security Audits;
- Security Improvement Programs;
- Case Support;
- Forensic Investigation.
Should you or the business which you represent require further assistance with any of the services listed above, please do not hesitate to get in touch by calling us on 02920 484 550.