Last month we hosted our annual ‘Intellectual Values’ seminar in London which this year focused on the ‘connected world’. Sarah Turner, an IP partner in our Tech Hub, gave a talk on the steps companies can take to improve their cybersecurity. The potential damage resulting from a cybersecurity attack is ever increasing as the world becomes more and more connected. Sarah encouraged companies to respond now to the threat by taking the following ten steps:
Step one: Acceptance
Delay is the enemy of protection. Nobody is safe as rogue players target all types of business for their money, personal data and intellectual property. Accept that you will experience a cybersecurity incident at some point and start to put appropriate policies and measures in place now. Luckily, most cyber attacks are relatively basic and it is reasonably easy to put good, simple protections in place.
Step two: Understand your vulnerabilities
You should consider whether any of your businesses are operating in particularly vulnerable sectors (such as healthcare or financial services) or jurisdictions, and what assets the “bad actors” are likely to be targeting. Competitors, suppliers, cyber criminals, nation states and politically motivated hackers may all pose a threat. Unfortunately, most cyber attacks will involve a company insider in some way. Their actions are not always malicious (an employee may unwittingly click on a link in a phishing email, thereby giving an attacker a foothold on the business’ network), but the importance of the human factor within the business cannot be ignored when considering cybersecurity.
Step three: Prioritise
Cybersecurity is not just an IT issue. Cyber risk should be a board priority and boards should be provided with a complete picture of their company’s cybersecurity status. You need to identify, and review periodically, the critical data within your business and how that data is stored so that you can prioritise protecting those assets.
Step four: Assess the impact of loss on your business
Once you have identified what is most worthy of protection, you should analyse the type and extent of any potential loss you may suffer as a consequence of a cyber attack against that asset. Losses may include the costs of rectifying the breach, lost profits, disruption to business, a dip in share price, regulatory fines and/or reputational damage.
Step five: Adopt a holistic approach to security
Consider what steps you have taken to keep your critical assets secure across the whole of your business (not just with respect to your IT systems). Review your IT and physical security measures to ensure you have all the appropriate protections and policies in place. Most importantly, ensure that your employees are appropriately (and regularly) educated on cybersecurity and understand their own personal responsibilities. Make sure that you have appropriate policies and procedures in place for storing, segmenting, encrypting and transferring valuable data and make sure, as far as possible, that they are followed by everyone in the business.
Step six: Get the basics right
The majority of attacks exploit basic weaknesses in IT systems that are easily fixed. Ensure that your software is kept up to date and that patches for known vulnerabilities are deployed promptly, use anti-virus software and firewalls, and ensure that only authorised devices and software are used in the business. Reduce the risk of data loss (and business disruption) by making regular back-ups, and test that they can actually be restored.
Step seven: Better network security and monitoring
Ensure your employees are only granted the data access rights and system privileges that are necessary for them to perform their role. Grants of anything other than basic user rights should be carefully controlled, recorded and reviewed periodically so that privileges do not quietly accumulate as people change roles.
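The least-privilege principle in step seven is only useful if someone actually checks current grants against what each role needs. The following is an added example of such a review, written for this page and not part of Sarah Turner’s talk or any Hogan Lovells tool. The role names, entitlement strings, accounts and approval records are all constructed for illustration; in practice the account list would come from your directory or identity provider and the role baselines from your access policy.

```python
"""Least-privilege review: compare each account's grants with its role baseline.

Added example. Role baselines, entitlement names and the sample accounts
below are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Hypothetical role baselines: the entitlements a role legitimately needs.
ROLE_BASELINE = {
    "finance-analyst": {"read:ledger", "write:expense-claims"},
    "hr-officer": {"read:personnel", "write:personnel"},
    "developer": {"read:source", "write:source"},
}

# Hypothetical elevated entitlements: anything beyond basic user rights.
# These may be granted as exceptions, but only with a recorded approval.
ELEVATED = {"admin:domain", "admin:database", "admin:backup"}


@dataclass
class Account:
    name: str
    role: str
    grants: set
    # Elevated entitlements for which an approval record exists (constructed).
    approvals: set = field(default_factory=set)


def review(accounts):
    """Return a list of (account, kind, detail) findings.

    kinds:
      unknown-role         role has no baseline, so grants cannot be judged
      beyond-role          ordinary entitlement not needed for the role
      unapproved-elevated  elevated entitlement with no approval record
      approved-elevated    elevated entitlement with an approval (listed so the
                           exception is re-reviewed, not treated as a defect)
    """
    findings = []
    for acct in accounts:
        baseline = ROLE_BASELINE.get(acct.role)
        if baseline is None:
            findings.append((acct.name, "unknown-role", acct.role))
            continue
        for grant in sorted(acct.grants - baseline):
            if grant in ELEVATED:
                kind = "approved-elevated" if grant in acct.approvals else "unapproved-elevated"
            else:
                kind = "beyond-role"
            findings.append((acct.name, kind, grant))
    return findings


def accounts_needing_action(findings):
    """Accounts with at least one finding that requires revocation or investigation."""
    return {name for name, kind, _ in findings if kind != "approved-elevated"}


# Constructed sample: four accounts, one clean, one approved exception,
# one over-privileged, one with a role nobody has defined.
SAMPLE_ACCOUNTS = [
    Account("alice", "finance-analyst", {"read:ledger", "write:expense-claims"}),
    Account("bob", "developer", {"read:source", "write:source", "admin:database"},
            approvals={"admin:database"}),
    Account("carol", "hr-officer",
            {"read:personnel", "write:personnel", "read:ledger", "admin:domain"}),
    Account("dave", "contractor", {"read:source"}),
]


if __name__ == "__main__":
    for name, kind, detail in review(SAMPLE_ACCOUNTS):
        print(f"{name:8} {kind:20} {detail}")
    print("needs action:", sorted(accounts_needing_action(SAMPLE_ACCOUNTS and review(SAMPLE_ACCOUNTS))))
```

The point of listing approved exceptions alongside the defects is that a periodic review should re-confirm every elevated grant, not only catch the ones that were never signed off; an exception approved two years ago for a project that has since ended is exactly the kind of accumulated privilege the step warns about.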
Step eight: The importance of education
The human factor is often the weakest link when it comes to the security of your data. Ensure your employees and workers are educated about the importance of security and best practice, and are trained to spot the warning signs. You can read more about how to manage workforce cyber risk and the approach taken cross-border to workplace monitoring in Hogan Lovells’ White Paper here.
Step nine: Plan, plan, plan (and practise)
Develop a cybersecurity incident response plan and keep it under review. Consider a ‘fire drill’ to understand how your plan works in practice and to identify areas where it could be improved. Hogan Lovells has published an online tool called Ready Set Respond to help companies formulate their incident response plans. We also work with our clients to fine-tune those plans and respond effectively in the event of an incident.
Step ten: Keep an eye on the horizon
Keep abreast of legal and regulatory developments. The UK government has confirmed that the GDPR and the NIS Directive, both of which go live in the UK in May 2018, will continue to apply post-Brexit. Boards should be aware now of how GDPR requirements and the NIS Directive will impact upon their organisation, as these requirements could have a knock-on impact for a company’s cybersecurity services and cyber investment decisions.
Hogan Lovells recently launched GDPRnow, the first app ever aimed at generating a GDPR compliance action plan specific to an individual company’s activities. You can read more about GDPRnow and download the app here.
There is also a lot of useful information publicly available to benchmark what your company is doing against others. Since 2013, the Government has undertaken a regular survey of the UK’s top 350 (FTSE 350) companies to understand how they are managing their cyber risks.
Cybersecurity will continue to be an important issue, even more so when potential fines for GDPR breaches rise to a possible maximum of 4% of global group turnover (or €20 million, whichever is higher), with penalties of a similar order proposed for NIS breaches. Take steps now to ensure that your house is in order so that the first big fine won’t be yours!
You can watch a recording of Sarah’s talk at the seminar, here.