Data protection - the true cost of cyber-attacks and data breaches explored...

Author: Stuart Crook

How confident are you that your business is prepared for a cyber-attack? With ransomware attacks on the rise, there is an ever-increasing risk that your organisation will face an attack in the future. If you are not adequately prepared, the potential cost to your business could be much more than you realise.

In straightforward terms, a ransomware attack is where a hacker breaks into your IT network, encrypts all of your data – rendering your systems useless – and then demands money in exchange for the decryption key that will unlock your systems.

In addition to the threat of ransomware, there is also the risk of hackers gaining access to your systems and helping themselves to data that they can then use for profit. Credit and debit card details are an obvious target; however, depending on what data your organisation holds, other more sensitive information could be at risk, such as medical records and other items of people’s sensitive personal data.

Potential costs of a ransomware attack

You may be concerned about the potential costs involved in enhancing security and data protection for your business. You may think that the risk of a data breach is relatively low and that the cost of a ransomware attack is manageable compared to the potential cost of enhancing IT security. However, government statistics released last year found that nearly half of all UK businesses had suffered a cyber-breach or attack in the preceding 12 months. Furthermore, the potential cost of dealing with a serious data breach or ransomware attack may be much more than you realise and could far outweigh the cost of improving your defences and improving your data protection practices.

Firstly, there is the obvious cost of paying the ransom (should you decide to do so) and the loss of productivity whilst your business is unable to function normally. Secondly, there is the resource cost of investigating the breach, managing the consequences and safely bringing the incident to an end.

When the General Data Protection Regulation (GDPR) comes into force on 25 May 2018, it may be mandatory for you to report the breach to the Information Commissioner’s Office (ICO). There is the further cost of having to deal with a potential ICO investigation, as well as a potential financial penalty if the ICO considers that you have failed to adequately protect people’s personal data. Under the GDPR, this financial penalty alone could be as much as 4% of your annual global turnover for the preceding financial year or £17 million – whichever is greater – depending on the seriousness of the breach.

Then there is the potential cost involved in upgrading, re-securing or replacing the affected IT. Again, depending on the circumstances, you may have to notify all of the individual customers who may have been affected by the data breach. This could result in complaints and adverse media coverage. You may decide to instruct lawyers to advise and assist you in handling complaints and to represent you in your subsequent correspondence with the ICO. If the reputation of your business is damaged, you could suffer a loss of business as well as a drop in share price. You may have to incur the expense of a public relations campaign to try to repair the damage.

Finally, in situations where individuals have suffered financial loss and/or distress as a result of their personal data being breached, there is the potential cost of dealing with litigation should someone decide to sue. If many individuals have been adversely affected, your business may face the prospect of group litigation, where multiple claimants pursue claims for compensation. The cost of compensation in claims of this nature varies greatly depending on the losses being claimed by the claimants. On top of any damages that you may be ordered to pay by the courts, you also face having to pay the legal costs of the lawyers instructed by any successful claimants, as well as your own legal costs. Depending on the circumstances, the overall cost could be astronomical.

How to prepare…

There are steps you can take to prepare for and minimise the risk of falling victim to a cyber-attack or any other form of data breach. Taking these important steps will help to reduce the risks and, hopefully, eliminate or significantly reduce the potential costs associated with a breach.

  1. Keep your software and apps up to date. These updates often contain vital security fixes which help to keep devices secure
  2. Use strong passwords
  3. Conduct an audit of your organisation’s data processing activities in order to identify the data assets you hold, how, where and when you process data, whether you are processing data lawfully and any vulnerabilities in your systems
  4. Thoroughly test your IT and network systems to look for potential weaknesses. You may decide to use an external IT company to conduct penetration testing and provide you with a report
  5. Review your contracts and service agreements with your data processors to make sure that they are complying with data protection laws and to make sure you have a right of redress against them if they compromise your data
  6. Review your data protection policies and procedures as well as your systems for ensuring the security of your data – both off and online
  7. Train your staff regularly to ensure that they are aware of your organisation’s data protection policies, so that they know how to spot potential cyber and other threats and so that they know what to do if something goes wrong
  8. Consider appointing a data protection officer (which will be mandatory for some organisations under the GDPR) for your business
  9. Take adequate steps to prepare for the GDPR. If you are fully prepared, you will have already taken important steps to protect your business from a data breach. You will also have implemented an effective system for monitoring threats, reporting breaches and demonstrating compliance to the ICO – all of which will reduce the risk of a financial penalty if something goes wrong
  10. Treat compliance with data protection laws, and the steps you take to protect your business, as an opportunity to give yourself a competitive edge and to market yourself as a business that can be trusted with the personal data of its customers
  11. Finally, ensure that you have good cyber insurance cover

Stephensons can assist you with all aspects of data privacy law, including data protection officer services, data processing audits, drafting and amending contracts, agreements and policies, staff training, data breach management, handling complaints and ICO investigations, and any litigation arising from a data breach. Stephensons Risk Management can also assist you in finding the right insurance products at a competitive cost.

For advice and assistance call our specialist team on 0175 321 6399.