According to a UK Government survey, 46% of organisations have reported being subject to a cyber attack in the last year, a substantial increase on the previous year. For many organisations, that attack will have caused major disruption, and may lead to regulatory action, claims for compensation and long term reputational damage.
Cyber risk is not just an issue for technology businesses. A cyber attack can impact any business in any sector, whether that is by taking key IT systems offline, destroying or compromising important databases and files, or affecting buildings, facilities, equipment or other infrastructure. Any one of these can impair that organisation's ability to trade or operate. Threats may take the form of either premeditated or opportunist third-party attacks, or the acts of rogue employees.
In addition to looking at their internal cyber risk, organisations also need to understand the cyber risk and resilience of their key supply chains and look at both information security and their business continuity plans.
In many cases, taking action now can help to prevent a cyber attack or mitigate its impact. To mark Cyber Scotland Week, here are our top ten recommendations:
- Know your data and systems – what it is, where it is and who processes it. Who are your key suppliers? What measures have they taken?
- All data is important – don't just concentrate on, say, financial data to the exclusion of other data. Take a holistic, risk-based approach.
- Know your key vulnerabilities – understand where your organisation is most vulnerable. Different types of attacks will impact in different ways. Where weaknesses or vulnerabilities are identified, address them and don't put them off.
- Insurance – check what insurance coverage you have in place and whether it will respond. Knowing specific policy requirements and exclusions is essential. As claims rise, expect insurers to introduce new policy requirements – make sure you are aware of them and can comply with them. If you have an incident, ensure that you engage early with your insurer.
- Incident management team – establish an incident management team with a practical response plan to mitigate damage and minimise business disruption.
- Be prepared – speed of response is critical. Consider establishing a panel of external advisers in areas such as legal, IT forensics and reputation management so that they are on hand if needed. Know which regulatory bodies you may need to notify.
- Test and test and test again – test your disaster recovery and business continuity procedures and your incident management plan regularly, using different scenarios. Make sure you learn from your tests and implement changes. What could you do better the next time?
- Training is key – humans are often the weak link in information security, so workers must be trained on their security obligations and the warning signs of cybercrime.
- Ensure your policies are workable – internal policies are essential, but the organisation needs to make sure that they translate into processes and procedures that are adhered to in practice.
- Interaction with regulators – organisations may need to defend their position robustly, particularly if a significant fine or other regulatory action is a possibility, but co-operate with regulators wherever possible to mitigate the consequences of an attack.
Our Cyber Risk team brings together experts from across the firm, including Data Protection & ePrivacy, Reputation Management, Corporate Crime, Insurance, and Employment. If you would like to discuss your organisation's readiness for a cyber incident, or what we can do to help prepare for or respond to a cyber incident, please contact Martin Sloan or Grant Campbell.