In the wake of the GDPR coming into force we have seen a heightened awareness of cyber risk. The business news now regularly carries stories about the latest high-profile “hack”, a word it rarely used until recently. Cybercrime has moved up the risk agenda of businesses all over the world, any of which could find itself targeted by a malicious actor at any moment of any working day. “Cybercrime” is a term that covers a multitude of evils, from the compromise of customer data to bullying and harassment. This article focuses on cyberattacks that seek to damage a business or drain it of financial or information assets.
Every business has seen the stark statistics on the rising cost of cybercrime and how it hits a business through loss of trade, damage to its reputation, third party claims, regulatory fines and erosion of its balance sheet. At its worst it can send a business to the wall, where the business cannot recover or faces expensive regulatory interventions or monetary penalties from the ICO or other regulators such as the Financial Conduct Authority.
In this still-developing area, banks and insurers (where relevant policies have been obtained) may refuse to reimburse or compensate businesses that have not taken sufficient steps to prevent an attack or to deal with its aftermath, where in essence they “should have known better”.
Similarly, regulators will not be keen to show clemency where a business has failed to meet the minimum obligations imposed by the GDPR to ensure the integrity, confidentiality and availability of the personal data it holds, or where the business is a serial offender.
Directors and senior managers should be aware of the threat of cybercrime and must, under the GDPR’s “Accountability Principle”, ensure that proper systems are in place to minimise its likelihood and impact, that the business can deal swiftly with the repercussions, and that the scope for further damage is limited if an attack does succeed. IT upgrades approved by management and tested against the “state of the art” can go some way towards reducing both the threat and the regulatory risk, but it is almost invariably the staff of an organisation who are most vulnerable to cybercrime techniques such as impersonation, ransomware, phishing, vishing and the increasingly prevalent use of social engineering, in which an attacker mines employees’ online and social media profiles to gain access to their employer. Knowledge at the top does not always filter down the organisational chart, and the ICO’s own research suggests that cybersecurity investment is often deferred and awareness of the risk remains worryingly and stubbornly low.
Cyber vulnerability in organisations can arise from a number of factors. Staff may be unwilling to challenge what purports to be a curt email from their absent boss demanding an urgent transfer of money. They may simply be working on autopilot, clicking on a link or opening an attachment that, with greater vigilance (and a well-implemented Data Protection and IT Systems Policy), would have been reported to IT before any damage was done. They may be susceptible to an attacker who builds trust by appearing to share their worldview, interests or other values signalled online. They may just be frantically busy. Or, possibly worst of all, they may be frustrated with or disengaged from the business and, in extreme cases, actively working with outsiders to facilitate an attack whilst appearing to be an unwitting victim. The recent Morrisons data breach judgment demonstrates just how much damage a disaffected member of staff can do to a business and its stakeholders, and how hard it can be to mitigate that loss and the civil claims that may follow a serious breach, to say nothing of intervention by the ICO and the reputational damage that follows, as it did in the wake of the Talk Talk hack a few years ago.
It should be stressed that most staff will not fit this profile, but even a small percentage of vulnerable or disaffected staff in a business, whatever the underlying reason, presents a serious risk. Equally, anyone, no matter how dependable, can have an off day (or, more accurately, an off moment). Employees are a business’s greatest exposure to cybercrime, but with the right training they can also be its first line of defence.
Written policies and procedures go some way towards addressing this risk, but on their own they may not be enough to manage the threat. The key is to instil a culture of awareness, built on regular training and on review and stress-testing of the cybersecurity strategy. Managers should encourage staff to ask questions about a suspicious email or message, and to follow up if their concerns are not fully addressed. In a busy organisation that is easier to postulate than to implement. Training delivered in the spirit of this culture will complement these measures; real-life case studies (including, where possible, near misses within the business itself) will usually stir the mind more than death by PowerPoint.
Through this kind of sustained engagement with staff, a business can make itself safer from the threat of cybercrime. Not immune, but safer. BLM’s cyber liability team has significant experience in the deterrence and management of cybercrime, and we would be delighted to learn more about your own challenges in the “always-on” environment.
Authored by partners Stuart Evans and Steve Kuncewicz.