A Government survey recently revealed that only 19% of businesses have a formal incident response plan to activate in the event of a cyber-attack, despite figures indicating that 39% of UK businesses have identified a cyber-attack in the past 12 months.
A cyber-attack can not only wreak havoc with a business’s day-to-day functioning, but also bring the additional stress of reputational damage, hefty fines and even litigation if valuable customer data is compromised.
Commercial & Technology Partner Declan Goodwin of Acuity Law says: “Timing is critical when it comes to dealing with a cyber-attack. How you deal with the crisis in the first few minutes, hours and day can have a lasting impact on reputation, and even land you in hot water legally and financially.
“Every business, no matter its size, should have an incident management policy in place outlining the resources needed to deal with a cyber-attack, namely your IT function, your legal team and a PR expert, depending on the seriousness of the attack and if a data breach is involved.”
The Information Commissioner’s Office (the ICO), the independent authority responsible for regulating data protection in the UK, has imposed a significant number of fines on companies in recent years for failing to protect customer information.
British Airways (BA) was fined £20 million by the ICO in October 2020 for failing to protect the personal and financial details of more than 400,000 of its customers. In the same month, the ICO fined Marriott International Inc. £18.4 million for failing to keep millions of customers’ personal data secure.
Declan added: “However, it is not just substantial regulatory fines that companies need to be aware of; data breaches can also result in reputational damage and the threat of expensive civil litigation, as we saw recently with BA. It is therefore vital that (among other things) data controllers and processors assess whether they are doing enough to prevent cyber-attacks and protect their customers’ personal data.”
Of the UK businesses which identified a cyber-attack, the most common threat was phishing attempts (83%). Cyber security experts PureCyber know all too well how commonplace these are and warn businesses about the rise of a type of phishing attack called social engineering, where hackers utilise information posted on social media platforms to make their phishing emails more convincing.
PureCyber CEO Damon Rands said: “It’s all too easy to be caught up in the excitement and start posting about your holidays on social media, whether it’s your hotel details, airport, boarding pass or poolside snaps. Unfortunately, a delayed flight could be the least of your worries. All it takes is a threat actor (cyber-criminal) to view your social posts to discover that you’re away from your home or office and to use this to their advantage.
“We recently assisted in a case where a CEO posted a photo of their boarding pass on social media which contained details including time of the flight. An attacker used this to send a perfectly timed email to the finance team, requesting an urgent payment of £25,000 to a supplier, all while the CEO was in the air and uncontactable.
“The attacker was relying on the staff member who had recently joined the company not being able to reach the CEO to check the details, causing panic about the short deadline in which to send the money. The transaction went through, with the new clerk only suspecting something was wrong when the attacker requested a second transfer.
“Many people share with their friends and loved ones that they are having a fantastic and much-needed break from the office or workplace. Our advice, however, is to save holiday snaps and tales for when you’re back, which helps protect both your workplace and home.”
Writing in his recent Western Mail column, Lloyd Powell, Head of ACCA Cymru, says: “It simply doesn’t pay to ignore cyber crime.
“ACCA works closely with partners like the National Cyber Security Centre and PureCyber to make accountants aware of the steps needed to protect their systems and to educate staff and clients on the importance of vigilance. We know cyber criminals target accountancy practices at particularly busy times of the year, such as month or year end.
“Wales has a thriving cybersecurity cluster, with firms such as PureCyber and Awen Collective collaborating with universities and colleges to develop skilled graduates to support sector growth, with support from the Welsh and UK governments. Cyber security is key to this.”
Cardiff Capital Region (CCR) recently appointed PwC to run its £50m Innovation Investment Fund (IIF) to support job creation, upskilling, social inclusion and wider environmental goals. The fund will prioritise firms in key growth areas – including cybersecurity – as well as the creative industries, fintech, medtech and compound semiconductor production.
Declan Goodwin added: “We can’t stress enough the importance of planning for the event of a cyber-attack, as no business is immune.
“With a proper incident management policy, businesses can be confident that if there is an attack, they have the right IT, legal and reputational experts on hand to minimise impact and damage.”
For more information on Acuity Law’s offering, visit https://acuitylaw.com/
For expert cyber security advice from PureCyber, visit https://purecyber.com/