From the NHS to LinkedIn, there has been a growing number of high-profile cyber attacks in recent years resulting in data security being compromised.
With the Information Commissioner’s ability to levy fines of up to £500,000 for breach of data protection laws (not to mention the financial impact of losing vital business data and the associated reputational damage), cyber security should be high on the agenda for every business which regularly deals with personal data.
Responding to the European Commission’s cyber security strategy, the government is in the process of developing an industry-led organisational standard on private sector cyber security. The government has launched an online consultation to invite comments from businesses on how the proposed standards might affect them. Businesses have until 14 October 2013 to respond.
On 23 April 2013, the government published guidance for small businesses on cyber security. The guidance outlines how small businesses can manage the risks of cyber attacks and recommends measures which they should take. The measures include:
- identifying the key business assets which need protection from a potential cyber attack. For example: customer databases, IT services (such as the ability to take payments via the business website), intellectual property or trade secrets (such as product designs or manufacturing processes) and sensitive personal data;
- reviewing the existing contractual commitments of the business. Under English law, contractual obligations cannot easily be avoided even though a cyber attack could result in severe disruption to the activities of a business. Understanding the impact that a cyber attack may have on the ability to fulfil ongoing contractual obligations, and keeping that impact in mind when negotiating new contracts and renewing existing arrangements, can help manage future liabilities;
- training employees and producing a policy on keeping the business systems and data secure (including home and mobile working policies);
- introducing a reporting process to encourage open disclosure where a cyber security breach may have taken place and detailing the business's recovery procedures;
- creating hard copies, backing up important business records regularly and archiving them in a secure, off-site location;
- installing anti-virus solutions and restricting employee access to inappropriate websites to reduce the risk of being exposed to malware (malicious software); and
- undertaking regular reviews of the cyber security strategy to identify any improvements which might be made to it, in particular in light of technological advances and updated government guidance.