Cyber Risks

Cyber Risks – Understanding the Threat and What You Can Do To Protect Your Business

Is your business at risk?

As businesses become ever more reliant on technology and hold more data, the risks continue to grow. Your business could be vulnerable to a data breach or loss of vital business services if you:

  • Hold sensitive details such as names and addresses or banking information
  • Are reliant on computer systems to conduct your business
  • Have a website
  • Are subject to a payment card industry (PCI) merchant services agreement

According to the 2015 Information Security Breaches Survey, conducted on behalf of the UK Government, 74% of small businesses and 90% of large businesses in the UK had a security breach over the previous year. The average breach costing small businesses £75,000.

Developments in 2015

From malicious hackers to employee errors, cyber-attacks and data breaches were never far from the headlines in 2015.

January – The fallout from a Christmas hack of Sony’s PlayStation by a group called the Lizard Squad, putting internet platforms out of use, continues to reverberate into the New Year; completing a bad year for Sony following a loss of confidential data – including emails and film scripts – from Sony Pictures in November 2014.

February – A fine of £175,000, one of the biggest of the year in the UK, is imposed by the Information Commissioner’s Office (ICO) after a hack targeted online holiday insurance company staysure.co.uk, resulting in fraudsters accessing 5,000 customers’ credit card details.

This month also sees one of the biggest data breaches in history for the US’s second largest health insurer Anthem. Hackers gain access to a potential 80 million records including social security numbers and other personal information.

March – The ICO publishes new research that finds 77% of people are concerned about organisations not keeping their personal details secure.

May – The Ponemon Institute releases its annual Cost of Data Breach Study: Global Analysis, which finds that the average consolidated total cost of a data breach in the UK is £2.37 million (a 7% increase on 2013). The study also finds that the average cost incurred for each lost or stolen record increased from £95 to £104.

July – leaking employee data. A Morrison’s employee is jailed for eight years for releasing payroll data including salaries, bank details and National Insurance numbers for nearly 100,000 staff to newspapers and file sharing websites. The supermarket chain estimated that this breach cost more than £2m to put right, and saw them facing legal action from a number of the affected employees.

August – Up to 90,000 customers may have had their credit card data accessed by hackers reveals Carphone Warehouse. The total breach may have affected up to 2.4 million customers.

The website of the extramarital affair website Ashley Madison is hacked with email details of its 32m customers released by the hacking group. The ‘affair’ costs Ashley Madison’s CEO his job as well as significant reputational damage and speculation that the eventual cost to the business could exceed £1.2bn.

October – Talk Talk admits to falling victim to a sustained hacking attack on its website with the personal details of four million customers potentially vulnerable. With its share price initially hit by 10%, the business estimated the eventual cost of the attack would be around £35m.

December – An HIV clinic is fined by the ICO for accidentally revealing the names of patients in the ‘To’ field of an email bulletin. The fine is relatively modest at £250 because of the clinic’s unincorporated status, but the ICO emphasises that fines for such an offence would normally be far higher.

2016 - EU General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) has been agreed. Although it will take up to two years to be fully implemented across Europe’s member states, the new legislation will introduce fines of up to 4% of turnover or $20 million for data breaches, whichever is higher. A two percent figure will apply for more minor breaches. SMEs will however benefit from a number of opt out clauses including not having to appoint a data protection officer or undertake a Data Protection Impact Assessment and some existing red tape will be removed.

Key Risks

There are several key areas of risk to consider.

Costs your business may incur:

  1. Breach Costs – potentially considerable costs incurred post discovery of a data breach (electronic or otherwise) including forensic investigations, legal advice, notifying customers/regulators and offering support such as credit monitoring to affected individuals.
  2. Crisis Containment – Prompt, confident communication is critical to minimise the damage to a company’s reputation that could take some time to recover from.
  3. Business Interruption following a Cyber Loss – loss of income the business suffers if a hacker targets your systems and prevents the business from earning revenue; including where caused by damage to your reputation.
  4. Cyber Extortion – illegal threat & ransom demands for excluding you from your system.
  5. Hacker Damage – costs of repair, restoration or replacement if a Hacker causes damage to your website, programmes or electronic data.

  6. Cyber Crime – direct financial loss following an external hack into your company computer network – this could be theft of money, property or digital assets.

  7. Telephone Hacking – Unauthorised telephone calls made by an external hacker after breaching your computer network. Including traditional fixed line systems as well as online systems (Skype, VoiP etc).

Claims from other Parties against your business:

  1. Privacy Protection – costs to defend and settle claims made for failing to keep personal data secure including regulatory investigations and civil penalties levied by regulators.
  2. Media Liability – Accidental infringement of Intellectual Property rights or inadvertent Libel in an email or electronic communication.

For the full information bulletin, including basic protection measures, please click here...