Insight - Commercial Law, Data Protection and GDPR - POSTED: July 7 2017
Cyber-crime: are you prepared?
Three quarters of businesses in Kent have been subject to an attempted email fraud, cyber-attack or telephone fraud in the past six months.
This was the worrying headline finding of a survey conducted by Kreston Reeves, Brachers and Towergate Insurance Brokers amongst businesses in Kent. The survey also found that Kent businesses expect to see a marked increase in attempts over the next two years.
For most businesses, their biggest cyber threat is their own staff. Uncomfortable but true. According to the UK Government’s Cyber Security Breaches Survey 2017:
- 46% of all businesses identified at least one breach or attack in the last year;
- 72% of those were due to staff receiving fraudulent emails.
The report noted that breaches were often linked to human factors but that:
- only 20% of those surveyed had provided cyber security training;
- only 33% had formal policies on this issue; and
- only 69% had strong password security protocols.
Training and updating of policies and rules is key
You wouldn’t let a new employee operate a dangerous piece of industrial machinery without training and assessing their competence. You wouldn’t let them drive on company business without checking they were licensed to do so. You wouldn’t execute a contract without putting in place basic safeguards in respect of your own and your counterparty’s behaviour under that contract. A computer (in any form) is now one of the most serious threats (and vital tools) within a business. Basic cyber security and data protection risk awareness training (and regular refreshing of that training) is now a key business safeguard.
Putting aside the direct commercial impact of criminal ransomware, operational disruption and reputational damage, businesses will soon be faced with the new General Data Protection Regulation (GDPR) in 2018. This will create significantly increased financial penalties for businesses that do not have proper practices in place to protect personal data. The new penalties regime will enable fines to be levied of up to €20 million or 4% of global group turnover in serious cases. Lesser breaches of the GDPR may attract fines of up to €10 million or 2% of annual worldwide turnover.
Policies and Rules
Review your policies and your contracts – are they up to date? Does your current policy provide clear guidance on avoiding phishing attacks, spear phishing attacks, ransomware etc.? Does it match your IT practices, and does it clearly outline your rules and expectations?
Fundamental changes are due to be implemented through the GDPR that will substantially change the way in which personal data about your employees, your customers, your commercial counterparties, job applicants etc. are dealt with. The changes are due in May 2018, so businesses need to start planning now for what is coming, including updating policies and procedures, amending (both employment and commercial) contracts and consent statements, and training relevant staff. Read more in our GDPR fact sheet.
Protective Action – including third party contracts
Make 2017 the year of cyber awareness and data review.
In addition to protecting your business through staff training and a review of your IT and data protection policies and procedures, it is essential to ensure that you minimise the risks when entering into commercial contracts with third parties. As well as potential liabilities under the GDPR and business and reputational damage, a failure to protect against a cyber-attack could result in liability towards third parties who suffer loss. Practical steps should include the following:
- Undertake due diligence on any party that will have access to your computer systems, your hardware and/or who may receive personal data and/or commercially sensitive information.
- Ensure that the other party is compliant with published cyber security standards (e.g. ISO 27001).
- Include a contractual right to audit the other party’s cyber standards.
- Include security and data protection policies in each contract that must be adhered to.
- Include contractual provisions requiring the parties to comply with all cyber security regulations (especially data protection) and (potentially uncapped) indemnities for breach.
- Include a right to vet individuals or sub-contractors and to remove any such persons you are concerned about.
- Include obligations to provide software free of flaws, malware etc. and to remedy any such problems.
- Specify in the contract a policy to follow in the event of a cyber-security breach.
The cyber threat is a difficult issue for all businesses, from small and owner-managed enterprises right up to multi-national corporations.
Brachers can help. We offer Data Protection Awareness Training programmes and training on what to expect from the new GDPR. These can be provided in house or by Webinar. In addition, we offer a review and update package for (employment and commercial) contracts, consent statements and data protection policies.
We can help you review your data protection and cyber compliance and put you in a stronger position for the future.