The realisation that data protection and privacy processes and policies are fundamental elements of a well-run company coincided with an increase in the number and size of the fines that regulators imposed. As a result, it was those companies who handled a significant amount of potentially sensitive personal data, such as banks and telecoms operators, who led the way in changing how UK companies protect important data.
However, whilst the Financial Conduct Authority can impose fines running into millions of pounds on the organisations that it regulates in the banking sector, the Information Commissioner (ICO) currently can only impose fines up to a maximum of £500,000. That is expected to change when the new General Data Protection Regulation comes into force (probably in late 2015). Under the new regime, data protection authorities will be able to issue fines of up to two per cent of a company’s worldwide gross revenue if that company is found to be in breach of its data protection obligations.
As a direct result, as companies become aware of the potential for financial losses, they will try to shore up their defences by implementing and maintaining sufficient cyber security measures. And since the cost of cybercrime to the UK is currently estimated to be between £18bn and £27bn, there are obvious arguments for significant investment in cyber security.
What is interesting about the analysts’ predictions for 2014, however, is that so many of them continue to focus purely on the network security element of the risk, that is to say, on the technologies that can be used to counter the threats of the botnets, DDOS attacks and other malware used by hackers.
It is certainly correct that 2014 will see the growth of security-as-a-service and proactive protection, however, companies that limit their analysis to technological protection will leave themselves exposed because they are failing to understand the need to view cyber security holistically. It is possible to have the most secure IT network in the world, but if the culture of a company does not support and encourage cyber security, then the company will remain at risk of a severe cyber breach.
The easiest way for a hacker to access a network is often not through the traditional “full frontal” technological attack, but through more sophisticated methods. In particular by identifying and exploiting publicly available information to access networks via a company’s employees. Every company has a potential cyber weak spot in its staff, which is exacerbated if the organisation fails to implement appropriate internal processes to ensure appropriate employee behaviour. Poor password selection and lack of understanding of potential risks are two common causes of cyber breaches, which can be significantly mitigated through proper user education and awareness training.
To put this into perspective, in April 2013, for the first time, the National Fraud Intelligence Bureau issued statistics showing a breakdown of fraud in the UK. This included an interesting breakdown of computer fraud, which suggests that traditional malware and social media/email hacking remain significantly higher risks that the often more newsworthy DDOS or server hackings.
Type of Attack and number of attacks:
- Computer virusmalwarespyware -3,910;
- Denial of service attack – 99;
- Denial of service attack extortion – 28;
- Hacking; server – 96;
- Hacking; personal – 739;
- Hacking; social media and email – 565;
- Hacking; PBX/dial through – 89; and
- Hacking extortion – 692.
For individuals, the obvious risks are identity theft and password loss. Unfortunately, many people use the same password for their work stations as they do for their private use (and it is simply astonishing how many people still use easy-to-guess and thus eminently hackable passwords such as “qwerty”, “12345” or even “password” or “password1”), thus providing hackers with a simple route into many corporate networks.
The major risks for organisations will vary, depending on the business sector in which it operates. For example, one of the major risks for hospitals will be the confidentiality of patient records, whereas a technology company will be more concerned with protecting its intellectual property. However, the simple formula is that the more staff (without adequate training) that have access to the core network, the higher the risk of a security breach.
In addition to the risk of potential fines from regulators and loss of data, another serious risk for companies that is often not understood is the potential for a claim for breach of contract in respect of contracts not obviously affected by a cyber breach. Cyber-attacks can cause significant disruption to a business and it is important to consider how any disruption may affect an organisation’s contracts. Depending on the wording of the force majeure clause in a contract (assuming there is a force majeure clause at all), a cyber-attack may not actually be deemed to be a force majeure event, in which case a party that has suffered a cyber breach may find itself unable to perform its contractual obligations but unable to claim any right to a suspension of that obligation.
This is because English law does not have a recognised concept of, or definition of, a force majeure event. Its meaning will therefore depend on the precise words used and those words often vary from contract to contract. As a result, companies should be considering their contracts both from a supplier and customer perspective in order to determine what contractual exposure they might have in the event of a force majeure event.
Companies need to educate themselves and their staff to identify the risks they are facing, decide what assets they most want to protect and determine their individual risk appetite. The cloud and mobile working are not going to go away but they may well change how companies use their IT networks, for example by implementing policies that determine what data may be stored in the cloud, or what information may be accessed by which employees within the company.
Rhys Williams is a partner in the Commercial Technology team at Taylor Vinters LLP.
Share this story