Although it is not possible to protect against every risk, every business can improve its cyber resilience and become a harder target for attackers.
We have put together our Top 10 Tips covering the key things you need to consider.
1. Carry out a risk assessment to identify key information assets to protect and identify possible attackers.
Every organisation should carry out a comprehensive risk assessment of its existing processes and procedures to identify which valuable assets, such as information and infrastructure, need to be protected, the specific risks to those assets, who is likely to attack them and why, and the potential effects on the business if they were compromised.
The assets of a business that may be at risk can include:
- Intellectual property.
- Personal data, including sensitive personal data.
- Financial data.
- Commercially sensitive information.
- Trade secrets, including customer lists and know-how.
- Systems: email, networks, platforms and related IT infrastructure, and the credentials that give access to them.
2. Consider whether external penetration testing or phishing simulations are appropriate methods for your business.
External penetration testing provides an independent check on the security of a business and a fresh pair of eyes. Penetration testers use the same tools and techniques as real attackers in order to identify weaknesses before an attacker does. The business can then adopt measures to improve its resilience in those areas. Agree the scope, timing and rules of engagement in writing before testing starts, and make sure findings are tracked to closure and re-tested. Like much of cyber security, this should be seen as an iterative process rather than a one-off exercise.
Sometimes white-hat hackers (ethical hackers) will bring vulnerabilities to your attention unprompted. Publishing a vulnerability disclosure policy that tells researchers how to report an issue and how you will respond makes this more likely to happen responsibly.
Some white-hat hackers may request a reward. Alternatively, some companies encourage the efforts of white-hat hackers by offering bug bounties.
3. Encourage your employees to be effective security guards.
Make sure your staff have good levels of cyber awareness, education and training, and encourage a proactive culture.
- Employees can be your best security guards.
- Implement ‘champion’ programmes: volunteers in every team across the business who champion cyber security and motivate others. Champions share tips within and between teams, are often more approachable than IT, can run gamified training (for example, asking staff to write their own phishing email and spot what gives it away), support bug bounties, and give the IT and cyber teams eyes and ears in each team.
- Avoid a culture of fear (a punitive approach to mistakes), which discourages people from reporting them.
- In practice, it may be more engaging to train employees about their own personal cyber security (credit cards, email and social media) first, for example by talking about the odd blanket emails they receive from other Gmail accounts that have been compromised, rather than focusing on workplace cyber security from the outset.
- Promote an incident-reporting culture so that employees can report poor practices or incidents without fear of recrimination.
- Is there a culture where employees can raise issues before it is too late, and where those issues will be escalated appropriately within the business?
- Implement effective security awareness campaigns, and measure whether they change behaviour (for example, reporting rates in phishing simulations) rather than just whether they were delivered.
4. Carry out due diligence on contractors and suppliers and have appropriate cyber warranties, indemnities and other contractual protections in place.
Many cyber incidents involve third-party contractors, so steps should be taken to ensure that contractual responsibility for preventing and dealing with cyber incidents is clear, for example through appropriate legal contracts with relevant warranties and indemnities. The cyber security of third parties should also be a factor considered during procurement and supplier due diligence.
Contractual mechanisms such as warranties and indemnities providing compensation in a supply agreement, a chain of supply agreements or an acquisition agreement are a starting point, but are of limited value if the damage caused by a breach exceeds the value of a subcontractor’s assets or its insurance. Technical due diligence, penetration testing of suppliers and compliance with prescriptive policies or standards are additional elements of good cyber security. Where suppliers have access to business systems, network segmentation to limit what someone using the supplier’s credentials can reach is also helpful, as are separate named accounts for supplier staff, multi-factor authentication, access that is limited to the systems and the period the supplier actually needs, and prompt removal of that access when the engagement ends.
Ensuring all suppliers have robust policies and insurance in place is also a must.
5. Have an incident response plan in place and rehearse it.
Businesses should also have in place an incident response plan, setting out how their incident response team will respond to a data breach in terms of triage, containment, eradication, notification, reporting and recovery. Rehearse it with a tabletop exercise at least annually, and keep an offline copy: if the incident is ransomware, the plan stored on the network may be encrypted along with everything else.
Typically, an incident response team is composed of representatives of all key stakeholder groups, including board members, a technical team (securing the breach and investigating it), the data protection manager or officer, HR, legal and PR, together with any external advisors. This team makes the key decisions, implements the plan and liaises with any regulators or the police.
6. Where relevant, notify the Information Commissioner’s Office without undue delay and within 72 hours of becoming aware of an incident, with a proviso that more detailed and verified information will be provided once available.
Since GDPR, notifying the ICO of a personal data breach is no longer optional: under Article 33 notification is required unless the breach is unlikely to result in a risk to individuals’ rights and freedoms, and it must be made without undue delay and, where feasible, within 72 hours of becoming aware of it. Usually, the best approach is to provide a brief initial notification to the regulator within that window, setting out what is known so far, with the proviso that you will provide further updates as the investigation progresses. Article 33 expressly allows information to be provided in phases, so an incomplete first notification is better than a late one. Because the clock starts when you become aware of the breach, your incident response plan should say who decides that and how the time is recorded.
7. Be prepared to liaise with the Information Commissioner’s Office.
Where you have notified the ICO and are planning to issue a substantial report on the incident, a large portion of this should be dedicated to detailing the measures taken to improve security, both specifically in response to the incident and in general. In our experience this can lead to leniency from the ICO in terms of fines and sanctions (for example, a client being offered a voluntary audit).
A detailed report following an incident would include:
- The background to the cyber-attack.
- Details of the organisation’s initial response.
- How it contained the effects of the breach.
- Communications with the data subjects.
- The effects of the cyber-attack.
- The impact on data subjects and what has been done to lessen it.
- The failings in processes and systems that gave rise to the incident.
- What changes have been implemented in response, e.g. technical improvements, internal policies and training.
8. Have a decision framework and methodology for notifying affected customers.
Your incident response team should decide whether any customers affected by the incident should be notified under Article 34 GDPR, which requires communication to data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms. An incident that results in a trivial personal data breach, only exposes personal data that was properly encrypted (and whose keys were not also compromised), or where containment measures have neutralised the risk may not require notification to the affected customers. Record the reasoning either way: the ICO can require you to notify if it disagrees with your assessment.
The notification should:
- Describe the nature of the breach.
- Include a contact point for the data subjects.
- Describe the likely consequences of the personal data breach.
- Describe the measures being taken to mitigate the situation.
- Provide relevant practical advice, e.g. on changing passwords or contacting banks or other service providers if passwords or credentials have been compromised in a way that could facilitate fraud.
9. Prepare a report detailing the cyber incident, outlining the changes made to systems and procedures in response.
After a cyber incident it is important to reflect on its causes and use the lessons learned to improve security going forward. Carry out a further risk assessment and document any additional protections required, together with who owns each action and when it is due.
10. Implement improvements following an incident.
If you need further help with any of the areas covered in our Top 10 Tips, including carrying out a risk assessment, due diligence on third-party suppliers or contractors, drafting and negotiating the security and data aspects of client and supplier contracts, or devising an incident response plan for your business, please get in touch with Rebecca Steer Rebecca.firstname.lastname@example.org or Nic Ruesink-Brown email@example.com