Please note: Our website no longer fully supports IE11, as such you may encounter issues using our website, please try an alternative browser such as Google Chrome, Mozilla Firefox, Microsoft Edge (Windows) or Safari (Mac).
Cyber security: eight ‘top tips’
Cyber security is becoming more and more important given the increase in volume and sophistication of cyber attacks and events in recent years. Cyber criminals are amazingly good at disguising themselves and convincing an unsuspecting user of IT systems or an email recipient to click on links or otherwise inadvertently allow unauthorised access to their IT systems.
Top Tips to protect your business
You will need to work with your IT provider/department to get as many technical measures in place to keep your IT systems as secure as possible (firewalls, anti-malware software, etc), as well as train staff about what they need to do to watch out for and to recognise cyber criminal activity.
Here are our Top Tips to getting your systems in a stronger position against cyber attacks:
Audit your IT systems and identify areas of vulnerability to put further protective (technical and organisational) measures in place, including up-to-date firewalls, etc, and keep all other applications up-to-date with latest updates and security fixes.
- Ensure third party data processors (who may process any personal data you pass to them for certain specified activities) have appropriate data processing provisions in place, including a breach escalation process in the event of a problem that causes vulnerabilities to the data they process on your behalf.
- Have a Cyber Security Policy and Data Breach Policy in place to explain to the business what cyber security is, what measures are being put in place to keep systems secure, and how to manage a data breach if one occurs. These should include an escalation procedure, together with documented process/template responses.
- Train your staff to reduce human error – training will help them identify phishing emails or other attempts to gain access to your IT systems, and help to create a ‘human firewall’ to supplement the technical systems in place.
- Ensure there is a policy for using secure passwords, with different passwords for different parts of your IT systems (making sure that particularly sensitive information is only accessed by authorised individuals with additional strong passwords to allow access).
- If you have a Bring Your Own Device Policy, make sure that people using their own devices to access your systems are required to have the necessary security in place on those devices, including appropriate security updates and ideally a two authentication process for accessing business systems from that device.
- Consider encryption of certain sensitive data, if appropriate.
- Talk to your insurers to get the right cyber security policy/cover (see further below).
What you need to do if a cyber incident occurs:
- ACT QUICKLY TO PREVENT FURTHER DAMAGE!
- Work on communications internally and to third parties to explain what has happened and what you are doing to contain the incident and reduce damage. Consider whether there is any personal data at risk; if so, do you need to notify the Information Commissioners Office (ICO)and/or data subjects?
- Learn from experience and update your policies and procedures, together with providing any additional training, if needed.
What insurance do you have in place?
Getting a suitable cyber insurance policy in place will be key to give you support in the event of a cyber incident. Insurers can help with payments for PR campaigns or other communications to deal with the fallout, and to cover various legal expenses.
Cyber cover can also sometimes cover payments of compensation to data subjects in the event of a data breach, but policies do vary; not all of them will cover compensation or any fines that might be payable to the ICO, or other contractual damages that might be due so review the policy very carefully to confirm that it gives the type and level of cover you need.
Where can I get help?
We are on hand to help you put robust policies and procedures in place, and to provide training and advice on data protection matters for your staff so they do their bit in keeping your systems secure. We can help review or establish cyber or IT policies within your business, which should become part of your internal framework for normal business operations. And we can inform and train staff about how to help prevent a cyber attack, and what to do if something goes wrong.
If there has been a cyber incident, then working with your insurers and lawyers to make sure that all appropriate notices are sent and people are informed will be important, as well as trying to contain any damage.
We are operating a Cyber Security Helpline for ABTA Members and we would be happy to talk to you and help support your business get its procedures in place, or if something goes wrong.
Debbie Venn, Partner, DMH Stallard LLP. June 2021