The IoD’s Information and Advisory Service (IAS) recommends a way to take control and limit the damage to your business if an attack hits home
According to the government’s latest annual Cyber Security Breaches Survey, 43 per cent of British SMEs fell victim to a cyber attack in 2017. Most of the respondents would have had in place at least some of the standard protections – from anti-virus software to awareness training – yet only 13 per cent had a procedure ready for when these failed to prevent a security breach.
The government’s National Cyber Security Centre (NCSC) estimates the average direct cost of a breach to a small firm to be £1,400, but the longer-term cost of the reputational harm caused could far exceed that, especially if the response is botched. It’s therefore crucial to know what to do if you find that your firm’s IT defences have been penetrated. The following procedure should keep the damage to a minimum.
Lock down your systems
As soon as you become aware of a breach, you will need to secure the network. You’ll probably have to take your systems offline temporarily, which will restrict the hacker’s access to your data but disrupt your own operations too.
Activate your response team
Not all breaches will warrant a full investigation, so your IT experts will first need to assess the damage. The NCSC recommends that you have a trained response team – including representatives from IT, HR and the board (and, if necessary, a legal adviser) – ready to convene if the incident is found to be serious enough. You could instead outsource this function to an external certified cyber security incident response provider. Visit crest-approved.org for a list of vendors accredited by the Council of Registered Ethical Security Testers.
Report the incident
If the security of any personal data held by your firm has been compromised and individuals’ rights are likely to be at risk as a result, the General Data Protection Regulation obliges you to notify the Information Commissioner’s Office (ICO) within 72 hours of the discovery. Cases of online fraud or extortion should be reported to Action Fraud or the police.
What other information you communicate and to whom will depend on any number of factors, but communicate you must. Be prepared for a stream of enquiries from concerned stakeholders, including clients, suppliers, regulators and even law enforcement agencies. It’s important to stay on top of these and respond as quickly and candidly as possible, because prevarication will only make matters worse. Last year the ICO fined Uber £385,000 under the Data Protection Act 1998 for a 2016 breach and cover-up. The firm admitted that it had paid US hackers $100,000 to destroy stolen data on more than 50 million users and keep quiet about it.
Review, learn and refine
Before you return to business as usual, you’ll need to conduct a thorough audit of your cyber security strategy. The NCSC’s 10 Steps to Cyber Security guide is a good starting point for SMEs, as is the government-backed Cyber Essentials certification scheme, which will help to reassure customers and other interested parties that your organisation is serious about cyber security.
How the IAS can help you
• The Business Information Service (BIS) is accessible by email (firstname.lastname@example.org) or phone: 020 7451 3100
• The Directors’ Advisory Service (DAS) can give guidance by appointment, either face to face at 116 Pall Mall or over the phone: 020 7451 3188
• The legal helpline can answer quick queries about a vast range of issues: 0870 241 3478*
• The tax helpline can give callers advice on both commercial and personal tax matters: 01455 639110†
IoD members are entitled to 25 enquiries a year to the BIS; four sessions with a DAS adviser; and 25 calls to both the legal and tax helplines. For further details, visit iod.com/information or email email@example.com
* Quote your membership number
† Quote your membership number and reference number 33337
Become a member of the IoD
The IoD has a range of memberships for directors, founders and co-founders, providing all the resources and facilities needed to enhance your business. To find out more about membership offerings and to join today, visit iod.com/membership
Featured image: Ally Sheedy and Matthew Broderick as teenage hackers in the 1983 film WarGames, Entertainment Pictures/Alamy