
Giving a top-line analysis of the cyber security threat for businesses, he says: “It’s a perfect storm now and the new ways of working sparked change too quickly. Businesses prioritised remote working, but they didn’t prioritise the security around this. These are two different types of conversations.

“Many firms don’t have good cyber hygiene and they are playing catch-up. People think that because they have Microsoft 365, they will be protected, but this isn’t the case. When you have a cyber-attack, only 40% of firms can do a full restore.”

Mitchelson continues: “I have never known an organisation that hasn’t been able to find investment funding to get a response up and running on the back of a breach, so why don’t they invest to prevent it and save money? I still don’t think it gets the level of funding pre-attack because the conversation isn’t there at board level and the narrative needs to change.

“If you walked away with boxes of paperwork from the office, people would say something. But you can walk away with a pen drive these days, so that does make tackling it more difficult.”

Paul Croker, who set up and runs 18it, agrees with Mitchelson that it all starts with the people.

He says: “It does all come back to the people when you talk about cyber resilience, because we’re having tech conversations with non-technology people. The subject needs to have more buy-in from leadership teams and we need to ask the question – what is business management really interested in?”

SO, WHAT ABOUT REPUTATIONAL DAMAGE?

Businesses start listening when they understand the scale of reputational damage a cyber breach might cause.

Chris Lennon elaborates on the difference a good and a bad response can make: “You look at Talk Talk’s data breach and it resulted in £60m of shareholder value being lost. It wasn’t what happened but the PR response and how this was managed. They lost 650,000-odd records, whereas Carphone Warehouse lost 2.2 million records, but they didn’t have the interruption or negative press as they handled it better.

“Ultimately though, it is better to look at how you can stop it going wrong in the first place and mitigate reputational damage and loss of earnings going forward.”

On advice for businesses, Lennon also says: “Covering up rarely works. There are examples of businesses that have had breaches but fessed up and they have been open about what went wrong and their reputation was left intact. You need to have a process in place should it happen, and own up, talk to your customers, and manage the situation.”

Mitchelson adds: “The PR machine kicks in, doesn’t it? Companies try and play it down and say it was only a small attack, but it is not a small attack if you happened to be impacted. We need to move away from that world and to one where we share more because that is how you build trust.”

With employee retention such a big issue, Paul Croker says that businesses also need to think about staff welfare and what it might mean for an employee to be the one who causes a breach.

HOW SOPHISTICATED IS THE THREAT?

What may or may not surprise readers is how organised the cyber threat gangs are. Ryan Pullen explains: “The average cyber threat firm has 65 employees and small organisations simply don’t have the resources or financial ability to battle them.

“You can’t have a system where you say to an employee you have clicked on this, it went wrong and now you have to do some training, as that will seem like punishment. It needs to be more collaborative.”

Knowing what to do and having a plan in place if something does go wrong is important too, but many businesses don’t even have a response strategy in place.

Asked what a good process looks like, Ben Holt, a lawyer at VWV, comments: “Firstly, you obviously need to stop the problem and work out what has happened. When assessing what has gone wrong, don’t mark your own homework. Get somebody external to do this. This will likely be a cyber security advisor.

“You then need to think about your public response but remember that putting something in a press release could kill your business, so don’t rush in. The response can be worse than the attack, so make sure it is measured and accurate.

“If the breach is criminal, then do get in touch with Action Fraud. It can take a long time for them to deal with the problem but call them and get on the list. You also need to report it to the ICO, but what you say is important and don’t give too much information at the early stages and be careful with language. Call it a data incident, rather than a breach.”

This article is from: