There are some simple measures that can be put in place before a data breach occurs and in the event a breach takes place.

Cyber security dominated the headlines in October following the high-profile cyber-attack on telecommunications company TalkTalk. Yet this is just one example in a growing number of cases. Recent Office for National Statistics (ONS) figures show a huge increase in reported instances of cyber crime in the UK, estimating that 2.5 million incidents of crime fell under the Computer Misuse Act in the past year. If further evidence were needed, cyber risk is ranked as a tier-one threat by the UK National Security Strategy and is a key priority in the National Crime Agency’s current annual plan.

Hugo Plowman is a partner in Mishcon de Reya’s dispute resolution department, specialising in cyber crime


Most businesses hold information that is valuable to someone, somewhere. In almost every business that information is held, accessed and shared electronically. Any business that has an online footprint or computer network is at risk of those systems and networks being compromised by someone who wants to get their hands on that valuable data. That risk is only heightened by the increased use of cloud computing, smartphones and bring-your-own-device policies. As cyber criminals become more sophisticated, the reality is that no organisation or individual is safe.

Hackers are now targeting business information, which could include confidential data concerning property deals, planned M&A strategies, purchase bids and other financial arrangements. They are not just after the personal data held with banks or stored in sale and rental databases.

However, it is only as larger organisations continue to fall victim to large-scale cyber-attacks that the realisation begins to dawn: this is a threat to be taken very seriously. It may only be once a large company has been completely brought down by a cyber-attack that individuals will fully deploy the safeguards available to them and their business.

A crisis can feed paranoia and uncertainty for employees and customers alike. For a company that falls victim to a successful cyber-attack, there are immediate financial ramifications from the business lost while the systems are down, the valuable data that has been stolen or the queue of litigants seeking compensation. Additionally, there can be a broader impact on customer trust and confidence following an attack, which can lead to reputational damage that is more difficult to quantify. Yet basic alert mechanisms and security measures can help businesses to investigate a data breach quickly and accurately, before responding decisively to an incident if it does happen. There are simple things companies and individuals can do to protect their business before a data breach occurs and in the event that a breach takes place.

Before a data breach

  1. Introduce the correct management structure and clearly define responsibilities. Create a crisis response team and train them regularly in how to respond to a breach.
  2. Recognise and register legal rights: make sure you have identified and taken steps to protect valuable data.
  3. Ensure compliance with regulatory obligations, including having adequate software and systems in place to protect your data.
  4. Introduce watertight contractual arrangements, cyber-security policies and procedures; then raise awareness about them and train your staff in how to implement them.
  5. Ensure your insurance policies give you the right cover. If you have concerns, it is within your rights to challenge your broker: this is still an emerging space.

After a data breach

  1. Move quickly: you need to find out who is behind the breach, how they got in, what has been taken, when and why. The first hours are critical to ensure that any money or valuable information stolen can be recovered.
  2. Contact your insurer and confirm your responsibilities in terms of appointing experts to contain, track and recover lost data.
  3. Decide who you need to notify and what they need to know - the Information Commissioner and other bodies may be expecting your call.
  4. Communicate with your customers, shareholders and staff: reputations take a long time to build and can be damaged in no time at all. Keeping customers informed will limit the fallout.
  5. Take legal action to recover your data and prevent its misuse.

The cyber threat requires constant attention. The most valuable thing you can do is put this issue high on the agenda of your next board meeting. It is vital to foster a workplace culture that understands the risk and has the capabilities to manage it.
