System risk: the digital threat
By Jo Preston on Wednesday, 17 May 2017
Cyber-security has been front and centre of national and international media in recent months. From the US and French elections through to the recent worldwide ransomware attacks, it seems there is no limit to the hackers’ ambitions.
And the damage is far-reaching. According to the BCC, one in five UK businesses has been hacked in the last year. The biggest ransomware attack in history, last weekend, affected over 300,000 computers. Most notably in the UK, the NHS saw at least 16 trusts exposed, causing problems including cancelled appointments and surgeries for patients all over the country.
The immediate damage is perhaps obvious. But, it is just the tip of the iceberg. Data breaches and hacking can have a long-lasting reputational effect that can impact the bottom line for years to come. In 2015, Talk Talk suffered a major hacking attack that halved its profits that year. Its customer numbers have still not recovered, losing 230,000 since the attack.
Of course, the recent spate of attacks should not be the only reason cyber-security is front of mind for all businesses. On 25 May 2018, the General Data Protection Regulation (GDPR) will come into force. This piece of European legislation introduces new accountability obligations for companies; simply put, it makes companies liable for significant fines in the event of these breaches: up to €20m or ‘4% of total worldwide annual turnover of the preceding financial year, whichever is higher.’ That’s a huge amount for a small or medium-sized business to be paying out.
But it isn’t all doom and gloom. There are measures that every company could, and should, take, both to prevent these attacks from occurring and to plan for the fallout should the unexpected occur. In the first instance, prevention is better than cure. The NHS trusts affected were using an outdated Windows XP system that made them more vulnerable to attack. System due diligence is vital and should be completed regularly. But responsibility for this procedure cannot rest solely with your IT department. Someone at board level needs to oversee the process, including consulting with a cyber-security expert to enforce safeguarding.
Testing is key: testing IT systems regularly, but also having, and testing, your crisis communications response plan. This begins with identifying the core team of people who will be involved in developing, then cascading, the crisis response internally to colleagues as well as externally to affected customers, stakeholders and government (where appropriate). The team should draw on board members, IT, legal and communications experts, forming a working group able to make fast decisions about what can be communicated, and when.
A detailed plan must be prepared with a timeline and communications materials that can be used in the event of an attack. It will include nomination of a spokesperson who in turn should have specific media training on how to speak about a cyber security breach with journalists. This should be refreshed on a regular basis.
Once in place, all of those plans need trialling and refreshing at least once a year. Speed and effectiveness are key to mitigating the reputational impact of any crisis. The sooner you address the problem, the more likely you are to reduce the damage: to your customers, to your reputation, and to your bottom line.
For more information on the GDPR, please visit http://www.eugdpr.org/.
To discuss crisis response planning, please do get in touch with us at email@example.com or 0207 360 7878.
Or for more on our data proposition, please drop an email to firstname.lastname@example.org.