With the recent news about the MOVEit hack affecting a range of high profile organisations including the BBC, British Airways (BA) and Boots, it’s clear that no one is safe from cyber attacks. The head of the UK’s National Cyber Security Centre has previously warned that a major cyber-attack is a matter of “when, not if”.
But what if your organisation is the one affected? How can data breaches impact your business, your staff, your clients and ultimately, any individuals (data subjects) whose data is compromised? Perhaps more importantly, what preparations should you make to reduce the likelihood and impact of a cyber attack, and what should you do if (or perhaps when) you do fall victim?
What should you be trying to protect against?
There are many motivations behind cyber attacks. The most obvious is financial gain, but attacks may also be the result of pranks, activism, cyber theft or espionage. The focus of a cyber attack is most likely to be personal data which can be exploited in some way, but corporate information, or information which could be used to perpetrate further cyber attacks (e.g. security information, or information about your organisation which could be used in a subsequent phishing attack), may also be the target.
Cyber attacks can be perpetrated by internal or external actors so both need to be considered. They can be the result of failures within your own organisation, or failures within the organisations or services you engage to support your business activities. You therefore need to have confidence in both your own arrangements, and those of the organisations you work with and entrust with helping you to look after your data.
In the event of a cyber attack, it’s not just the direct impact of the data breach, such as a loss of data or disruption to your services, that you need to consider. There’s the time, money and effort which may need to be directed to containing, investigating, responding to and recovering from the data breach. If personal data has been compromised you will likely need to report this to the relevant data protection supervisory authority (in the UK, the ICO) and, depending on the nature of the incident, you may be liable for regulatory action or a monetary penalty – potentially up to £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
Something which is rarely considered, but potentially even more costly than regulatory actions and fines, is the risk of compensation claims from affected individuals. You’ve no doubt seen adverts from personal injury lawyers encouraging people who have suffered a ‘slip, trip or fall anywhere’ to make a compensation claim on a ‘no win, no fee’ basis. Data protection breaches are fast becoming the new focus of these types of compensation claims, as affected individuals only need to allege that they have suffered some level of distress in order to seek redress. These claims are very difficult for organisations that have suffered a data breach to defend against, so for data breaches affecting large numbers of individuals, even if each individual claim were relatively modest in value, the total cost could easily spiral.
Therefore (in order of priority), it’s best to focus on:
- minimising the likelihood of a breach occurring in the first place
- minimising the impact on any affected individuals should a breach occur
- thinking about how you might respond to a data breach in a manner which minimises the impact on your business and the staff that will need to manage the response.
Minimising the likelihood of a data breach
Focussing on getting strong data security and protection foundations in place is a great way to reduce the likelihood of data breaches occurring. Perpetrators will usually focus on ‘low hanging fruit’ and seek to exploit the most common vulnerabilities. Taking simple steps such as those covered by the Cyber Essentials accreditation is a great starting point, however those wishing to go further may want to look at the ISO27001 Information Security standard. Organisations working specifically with the NHS will also want to make sure they comply with the NHS Data Security and Protection Toolkit (DSPT) which focuses on controls to protect against data breaches.
Assigning clear responsibility within the organisation for information and cyber security is an excellent way to ensure that appropriate controls are implemented, are monitored for effectiveness over time and are enhanced where necessary. Sometimes this role is referred to as a ‘Senior Information Risk Owner (SIRO)’ to reflect the fact that the role is primarily intended to own and manage the ‘risks’. They don’t necessarily need to be the person who designs and implements the controls which are then used to manage or mitigate the risks – this is likely to be something which others with more technical or operations knowledge will be better placed to do. The role of the responsible individual isn’t therefore a technical one – it’s about ensuring appropriate controls are in place and effective.
The key controls organisations should focus on to minimise the likelihood of a data breach will depend on how you store and process data, however they are likely to include:
- Staff vetting
- Training
- Asset management
- Physical and environmental security
  - Security of premises
  - Secure storage of assets
  - Access control
- Cyber Security
  - Firewalls
  - Secure configuration
  - Access control
  - Password management
  - Malware protection
  - Security update management
It’s clear however that no matter what technical and organisational controls are in place, a data breach may still occur.
Minimising the impact on individuals
You can take steps to minimise the impact of data breaches on individuals both proactively and as part of any incident response. The proactive measures you can take include:
- Minimising the data processed
- Applying additional security to high-risk information (e.g. encryption).
Applying these measures requires a thorough understanding of what data you process, why and how. You can do this by preparing a Record of Processing Activities (RoPA) to record all of the ‘information assets’ you utilise within your organisation and document what they are used for and what data is processed within them. This is also a key requirement under data protection law (Article 30 of the EU and UK GDPR).
Once you understand the data you are processing you can look to ensure that only the minimum data necessary is being held or processed within each ‘information asset’. By doing this, you can make sure that should a system or ‘information asset’ be compromised, the minimum possible amount of data will have been put at risk.
You can also look to apply additional security measures such as pseudonymisation or encryption to those information assets or data which is of particular value. If your systems or information assets are compromised but you can be confident that no personal information can be accessed by the intruders (e.g. because it is encrypted) then the impact on individuals will be negligible.
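To show what the two proactive measures above look like in practice, here is an added example (not code from the original article or from any particular product). It takes a constructed set of patient-style records for a hypothetical “appointment reminders” information asset, first drops every field the asset’s purpose does not need (minimisation), then replaces the remaining direct identifier with a keyed pseudonym (HMAC-SHA256) whose key is held outside the asset. The record layout, field names and sample values are all assumptions made for the example. The point it demonstrates is the one in the paragraph above: if the asset alone is compromised, the intruder holds neither the dropped fields nor anything that can be linked back to a person without the separately stored key.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List

# Constructed sample records for a hypothetical "appointment reminders" asset.
# Nobody here is real; every value is made up for this example.
RAW_RECORDS: List[Dict[str, str]] = [
    {"name": "Alice Example", "email": "alice@example.com", "nhs_number": "0000000001",
     "postcode": "AB1 2CD", "appointment": "2023-06-14 09:30"},
    {"name": "Bob Sample", "email": "bob@example.com", "nhs_number": "0000000002",
     "postcode": "EF3 4GH", "appointment": "2023-06-15 11:00"},
]

# Data minimisation: a reminder service only needs *who* to contact and *when*.
# Name, NHS number and postcode are never loaded into this asset at all.
FIELDS_NEEDED = ("email", "appointment")
# Direct identifiers that must not be stored in the clear inside the asset.
DIRECT_IDENTIFIERS = ("email",)


def minimise(record: Dict[str, str], keep: Iterable[str]) -> Dict[str, str]:
    """Keep only the fields the asset's stated purpose actually requires."""
    wanted = set(keep)
    return {k: v for k, v in record.items() if k in wanted}


def pseudonym(value: str, key: bytes, field: str) -> str:
    """Keyed pseudonym (HMAC-SHA256).  The field name is mixed in so the same
    value appearing in two different fields yields two different tokens."""
    msg = f"{field}:{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_asset(records: List[Dict[str, str]], key: bytes,
                identifiers: Iterable[str] = DIRECT_IDENTIFIERS,
                keep: Iterable[str] = FIELDS_NEEDED) -> List[Dict[str, str]]:
    """Minimise each record, then replace direct identifiers with keyed pseudonyms."""
    asset = []
    for rec in records:
        slim = minimise(rec, keep)
        for field in identifiers:
            if field in slim:
                slim[field] = pseudonym(slim[field], key, field)
        asset.append(slim)
    return asset


def matches(token: str, candidate: str, key: bytes, field: str) -> bool:
    """Re-link a pseudonym to a known value.  Only possible with the key, which
    is why the key must live outside the asset (e.g. a separate secrets store)."""
    return hmac.compare_digest(token, pseudonym(candidate, key, field))


def contains_cleartext(asset: List[Dict[str, str]], raw_records: List[Dict[str, str]],
                       identifiers: Iterable[str] = DIRECT_IDENTIFIERS) -> bool:
    """Audit check: does any raw identifier value survive anywhere in the stored asset?"""
    raw_values = {r[f] for r in raw_records for f in identifiers if f in r}
    stored = {v for row in asset for v in row.values()}
    return bool(raw_values & stored)


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # generated and kept separately from the asset
    asset = build_asset(RAW_RECORDS, key)
    print(asset)
    print("cleartext identifiers present:", contains_cleartext(asset, RAW_RECORDS))
    print("re-link alice:", matches(asset[0]["email"], "alice@example.com", key, "email"))
```

Two design points are worth noting. A plain, unkeyed hash of an e-mail address is not a safe pseudonym, because e-mail addresses are guessable and an intruder can simply hash candidates until one matches; the HMAC key is what prevents that, so it must be stored and access-controlled separately from the data it protects. And pseudonymised data is still personal data under the GDPR (Recital 26) as long as you hold the means to re-link it, so this reduces the impact of a breach rather than taking the asset out of scope.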
Minimising the impact on your organisation
You can also take measures to minimise the impact of data breaches on your organisation. Identifying a breach promptly helps you get ahead of it, so routine auditing, together with security alerts that flag suspicious activity on your systems, is essential.
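As an added illustration of the kind of security alert the paragraph above has in mind (this is example code written for this page, not something from the original article or any particular monitoring product), the snippet below runs a simple detection rule over a few constructed authentication log lines: it raises an alert when one source address records several failed logins within a short window and then succeeds. The log format, host name and addresses are assumptions made for the example; a real deployment would feed it the format your own systems actually produce.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional

# Constructed sample log lines (hypothetical host "app01", documentation-range
# addresses).  Assumed format:
#   "<ISO timestamp> <host> auth: <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2023-06-14T08:00:01Z app01 auth: FAIL user=finance src=198.51.100.23
2023-06-14T08:00:04Z app01 auth: FAIL user=finance src=198.51.100.23
2023-06-14T08:00:07Z app01 auth: FAIL user=finance src=198.51.100.23
2023-06-14T08:00:09Z app01 auth: FAIL user=finance src=198.51.100.23
2023-06-14T08:00:12Z app01 auth: FAIL user=finance src=198.51.100.23
2023-06-14T08:00:15Z app01 auth: OK user=finance src=198.51.100.23
2023-06-14T08:01:00Z app01 auth: FAIL user=jsmith src=203.0.113.8
2023-06-14T08:05:00Z app01 auth: OK user=jsmith src=203.0.113.8
2023-06-14T09:30:00Z app01 auth: OK user=admin src=192.0.2.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev: Dict[str, object] = m.groupdict()
    ev["ts"] = datetime.strptime(str(ev["ts"]), "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_bruteforce_then_success(lines: Iterable[str], threshold: int = 5,
                                   window: timedelta = timedelta(minutes=5)) -> List[Dict[str, object]]:
    """Alert when a source has >= `threshold` failed logins inside `window`
    and the next event from that source is a successful login."""
    recent_fails: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Dict[str, object]] = []
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue                      # unparseable lines are skipped, not treated as failures
        src = str(ev["src"])
        ts = ev["ts"]
        assert isinstance(ts, datetime)
        q = recent_fails[src]
        while q and ts - q[0] > window:   # forget failures that fell out of the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ts)
        elif len(q) >= threshold:         # success after a burst of failures
            alerts.append({
                "src": src,
                "user": ev["user"],
                "failures_before_success": len(q),
                "at": ts.isoformat(),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_then_success(SAMPLE_LOG.splitlines()):
        print("ALERT:", alert)
```

The threshold and window are deliberately parameters: tune them to your own baseline of normal failed logins so the rule fires on the burst-then-success pattern without drowning the people who have to respond in noise. On the sample data only the first source trips the rule; the single mistyped password from the second source does not.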
Having clear procedures for reporting and managing data breaches is also invaluable should you fall victim to one. You want to be able to focus your efforts on containing and responding to the incident, rather than having to work out what you should be doing whilst in the middle of it. Having an incident reporting and management procedure in place, as well as a business continuity and disaster recovery plan, all of which have been thoroughly tested (perhaps as a tabletop exercise), will ensure you are prepared should the worst occur.
The final way you can minimise the impact on your organisation is to transfer the impact of the risk to others. If you use third party suppliers to assist you in processing personal data you will want to ensure you have robust contracts in place which cover data protection and require your suppliers to indemnify you in the event of a data breach which is considered to be their responsibility. Another way to transfer the risk is via insurance. Although this won’t protect you against regulatory fines, it can help support you with the direct costs of responding to a data breach or cyber security incident as well as any claims made by data subjects whose data may have been compromised.