The Scotsman

Avoid a net loss – be prepared for cyber criminals

- Comment David Mcilwaine

A new study by Nominet reveals that more than three quarters (76 per cent) of C-suite executives say that a cyber security breach is inevitable, while an alarming 90 per cent feel they lack at least one resource required to defend against such an attack.

The survey found UK and US boardroom executives believe they are disadvantaged by a lack of advanced technology (59 per cent), budget (44 per cent) or staff (41 per cent) to fend off ever-increasing cyber breaches. It also highlighted confusion over who in an organisation should respond to a breach and a reluctance by senior management to accept advice.

The Nominet findings follow the recently published Cyber Security Breaches Survey (CSBS) by the UK government, which underlines that businesses would be well advised to assume they are more likely to fall victim to a cyber attack than not.

It found 32 per cent of businesses admitted they had suffered from cyber crime in 2018, but from our own experience we believe the figure to be significantly higher. The most common breaches included phishing attacks, impersonating an organisation in emails or online, and viruses, spyware and ransomware attacks.

CSBS notes that attacks which penetrate organisations’ defences and cause the most disruption now have a more severe financial impact. Encouragingly, it states that businesses and charities see cyber security as a higher priority than in previous years, acknowledging “that attacks can no longer be prevented with common sense alone, and require action”.

While large blue chip corporations are more at risk from nation-state sponsored attacks, which can potentially cripple an organisation, send share prices into a tailspin and undermine public confidence, smaller businesses are not risk-free and may find vital cashflow interrupted through invoice hijacking, invoice fraud and redirection of client payments.

An effective breach response process is even more critical following GDPR, which introduced a new regulatory landscape, including mandatory reporting obligations (within 72 hours), significant financial penalties (up to the higher of €20 million or 4 per cent of global turnover) and potential liability for data processors.

Recent cases Pinsent Masons has acted on include advising a global technology provider and its insurers following a targeted cyber attack by an unknown third party attacker, believed to be state-sponsored.

This involved advising on legal requirements to notify the Information Commissioner’s Office (ICO), customers and various third parties, together with coordinating advice from multiple jurisdictions, in particularly unusual circumstances. We also advised a household name which suffered a significant data breach in which certain data was compromised following an attack on its IT systems. We engaged various IT forensics firms and advised in relation to regulatory investigations led by the ICO and the Financial Conduct Authority, together with a criminal investigation brought by the Met Police’s cyber crimes unit.

Pinsent Masons has developed a proprietary cyber readiness product which enables organisations to rehearse a realistic breach scenario in the form of a cyber simulation exercise. The cyber workshop tests an organisation’s preparedness and level of cyber maturity by benchmarking it against the market. Feedback is provided and a board report is subsequently produced which identifies areas for further development. From a regulatory perspective, this may provide useful evidence of cyber risk management and good practice.

Businesses which have carried out a full cyber risk assessment and put in place (and rehearse) an emergency response procedure are best placed to withstand, or at least minimise, potential damage from determined and increasingly sophisticated cyber criminals.

David Mcilwaine, partner and cyber crime specialist at Pinsent Masons.

Businesses should assume they are more likely to fall victim to an attack than not
