[BreachExchange] Cyber-attacks: the risks to businesses

Audrey McNeil audrey at riskbasedsecurity.com
Thu Oct 12 18:33:58 EDT 2017


https://www.lawcareers.net/Information/CommercialQuestion/Travers-Smith-LLP-Cyber-attacks-the-risks-to-businesses

Question

What are the implications of cyber-attacks for businesses and what can they
do to prepare?

Answer

The increasing frequency with which reports of cyber-attacks and data
breaches are appearing in the news has put the issue of cyber security at
the forefront of many businesses' minds. Almost all businesses will be in
possession of data which could potentially be vulnerable to cyber-attacks.
Customer personal data is especially vulnerable to exploitation by hackers,
whether through data breaches or by locking businesses out of the data
using methods such as ransomware. In light of this increasing threat, what
risks do cyber-attacks pose to businesses, and what steps can be taken to
mitigate these risks?

Financial costs

Suffering a data breach could financially impact a business in a number of
ways. First, if the breach involves the loss or theft of personal data, the
business could be subject to a fine by data protection authorities. In the
United Kingdom, we have seen the Information Commissioner's Office (ICO)
become increasingly bullish in its penalisation of businesses suffering
data breaches. In October 2015 the regulator levied a fine of £400,000 on
TalkTalk for security failings that allowed an attacker to access customer
data, including bank account details. The company was fined again in August
2017 for risking the security of customer data it shared with an IT
services company without adequate security measures. While the maximum fine
the ICO can levy is limited to £500,000, the stakes will be raised by the
introduction of the General Data Protection Regulation (GDPR) from May
2018. Under the new rules, the level of potential fines will increase
substantially, to a maximum of the higher of 4% of a business' worldwide
annual turnover or €20,000,000.

Another potential cost to a business, particularly in cases of customer
personal data being stolen, is damages. Under the current data protection
regime in the United Kingdom, any individual who suffers 'damage' as a
result of any breach of the rules by a data controller is entitled to
compensation. The meaning of damage in this context has been much discussed
by the courts and while very few claims for compensation have been brought
by individuals, there are examples where they have been successful. For
example, in 2016 a former police officer was granted £9,000 in damages
after her personal information was improperly accessed by police forces.

Given the greater profile that data protection will be given following the
implementation of the GDPR, we anticipate that the number of compensation
claims brought by individuals affected by data breaches will increase. As
such, the adverse effects of a cyber-attack on an organisation storing
personal data will likely only increase in the future.

The financial implications of a cyber-attack may also extend beyond any
compensation or penalties imposed. If an organisation's business practices
or IT systems left the data particularly vulnerable to theft, an overhaul
of how that organisation deals with the data it stores may be necessary.
This may require consultation with external experts, and significant
upgrades to its systems, all of which could be very costly.

Reputational damage

For some businesses, especially those which are consumer-facing, the damage
that a highly publicised data breach could do to their reputation may
impact them far more than any financial ramifications. During Verizon's
takeover of Yahoo, Verizon publicly acknowledged that the Yahoo data breach
could have caused them to walk away from the deal altogether.

Similarly, following its announcement that personal information of up to
143 million of its customers may have been compromised, Equifax is not only
facing several high-value lawsuits, but has also suffered extensive
negative publicity. The credit agency was strongly criticised for its
response to the attack. Three senior executives, including its chief
executive, have left the company as a result.

The threat of cyber-attacks will also be a real concern to law firms. As
businesses, they will process a large amount of data, including
confidential information relating to their clients. At the time of the NHS
ransomware attack, the ex-deputy director of the UK government National
Security Secretariat highlighted law firms as potential targets. In June
this year, a well-known commercial law firm was hit by a ransomware attack,
temporarily knocking out its IT systems. Therefore, as well as advising
clients on their own responsibilities as controllers of personal data, law
firms must also ensure that their businesses operate stringent and secure
data protection practices.

Confidential knowhow and trade secrets

Of course, personal data of customers is not the only category of data that
could be in a business' possession. Businesses will possess a large amount
of data that they wish to keep confidential. This could be the customers or
suppliers they have contracts with, the expertise they have developed
internally or trade secrets integral to their business. Although an extreme
example, the formula for Coca-Cola syrup is supposedly only in written form
and known only to a handful of people, rendering it far less vulnerable to
cyber-security issues and helping the company retain its advantage over
competitors.

Mitigating against the risks

There are a number of preventative steps that businesses can take to reduce
the risks posed by cyber-attacks. First, businesses should only ask for
personal data that they need. Collecting unnecessary data creates
unnecessary risk in the event of a breach, not to mention that such
collection in itself would be a breach of data protection legislation.
Similarly, businesses should also periodically review the data they
possess, and have effective mechanisms for deleting data that they no
longer need to retain. The less personal data an organisation possesses,
the less the impact of any breach of that data will be, both to the
organisation and the subject of the data.

Second, businesses should maintain adequate and up-to-date IT systems and
practices which are regularly tested to assess their vulnerability to
cyber-attacks. They should also carry out due diligence on any third party
IT providers that process personal data on behalf of the business (eg,
those that rely heavily on the Cloud for data storage) to ensure that they
are also compliant with applicable legislation.

It is also a good idea to have a data incident response plan in place, so
that if a business does suffer a cyber-attack, it can invoke the plan,
respond and address the ramifications quickly and efficiently.

Insurance against the financial risks posed by cyber-attacks is also
becoming increasingly common. As always, businesses should review the
small print of any such insurance policy to ensure that it gives the
business adequate protection.

Summary

Cyber-attacks will only become more prevalent as businesses increasingly
rely on technology driven processes and digital storage, and as personal
data is exploited in ever more sophisticated ways. As such, and given the
immense damage that a cyber-attack can do, it is imperative that businesses
start to treat cyber-security seriously and as a board room issue.