In 2019 it will become increasingly important for businesses to be able to demonstrate what safeguards and controls they have in place, and how they manage and protect data. Unless a business can demonstrate this, it may well find it is unable to win new business and, equally damaging, may be removed from existing supplier lists. Here are my essential tips for preparing for this new reality:
1. Make cyber security as important as other risks
In the same way that health and safety and financial risks are key business risks, SMEs need to carefully and continuously consider what the current cyber risks are. As cyber criminals are getting more sophisticated and ‘learn on the job,’ understanding cyber risks is as important as making sure there is enough money to pay staff.
The reality is that such attacks are now so prevalent it is more a question of when, rather than if, a business will be attacked.
2. Have a plan in place
Awareness is the first step, but it must be backed up by a plan which clearly sets out who will do what in the event of an attack. Planning for a cyberattack is a crucial part of any business's disaster recovery plan. There is a need to act quickly and effectively and to do everything possible to protect data and minimise any reputational damage.
3. Get some training
Research by the National Cyber Security Centre has revealed that only a third of boards have received training to deal with a cyberattack and as many as 10% still have no plan to respond to any such incident.
The right kind of staff training is key. A tick-box approach is wholly inadequate. Your workforce should be your first line of defence. No matter how much investment goes into IT infrastructure, it shouldn't be forgotten that cyberattacks very often follow a breach, innocent or deliberate, of a company's processes or procedures by an individual employee.
4. Think about your online profile
Potential customers and banks already turn to credit reference agencies before entering into contracts. We will see the development of a similar type of rating for a business's online presence, including a rating of how vulnerable and open to cyberattack the business is.
5. GDPR has not been and gone
GDPR is very definitely legislation that needs to be kept front of mind. Under the GDPR rules individuals can bring a claim not simply for financial loss, but also for non-financial losses, such as distress and inconvenience. Where a data breach impacts thousands of individuals, this can mean the value of claims is very significant. Most recently a group action against British Airways was commenced for over £500 million, representing losses to over 400,000 individuals, so the numbers are big. You are not immune.
6. React immediately if the worst happens
Most damage is done in the first 24 hours, so if your business suffers a cyberattack, act immediately. You will need to consider whether notification to the Information Commissioner's Office is required (under the GDPR a personal data breach that is likely to result in a risk to individuals must be reported within 72 hours of your becoming aware of it, so the clock starts at discovery), communicate promptly with your customers, and contact your insurer to see what assistance it can provide. You should also consider what compensation can be offered to try to restore client relationships. For example, if a customer's bank details have been leaked, a voucher can be provided to pay for monitoring by a credit agency.