WannaCry: A warning for employers
The WannaCry ransomware attack that sabotaged the IT systems of over 200,000 companies, including parts of the NHS, Telefonica and FedEx, once again underlines the increasing importance of cybersecurity across all employment sectors.
The consequences of such attacks for companies can be devastating, leading to serious long-term economic and reputational harm.
Cybersecurity is no longer simply an IT or data protection issue, but something to be addressed throughout the entire business – from board level right through to temporary workers and contractors.
Cyber Security Breaches Survey 2017
The Department for Culture, Media & Sport published the Cyber Security Breaches Survey 2017 on 19 April. Of the 1,500 UK businesses surveyed, only:-
- 33% have a formal policy covering cybersecurity risks;
- 37% have rules around the encryption of personal data;
- 11% have a cybersecurity incident management plan; and
- 20% have had employees attend cybersecurity training within the last 12 months.
Aside from a lack of awareness of the risks posed by cybersecurity, the findings demonstrate that UK businesses have a lot to do before the General Data Protection Regulation (GDPR) comes into force in May 2018.
The GDPR imposes a number of new requirements in relation to data protection, including an increased emphasis on transparency and accountability, requiring organisations to demonstrate that they comply with the GDPR. For cybersecurity, this means having in place appropriate IT security, staff training and awareness and systems to ensure that security breaches are reported to regulators within 72 hours. The GDPR also provides regulators with enhanced powers, including much broader authority to issue fines.
My colleague Martin Sloan has written about why the GDPR means that cybersecurity should be a board level issue.
Brodies GDPR hub has more information on the GDPR and guidance on what businesses should be doing now to prepare.
Prevention is better than cure: mitigating risk
Human error is the biggest risk of all. It is therefore essential that employers keep their employment contracts and IT/data protection policies under strict review and communicate them clearly to employees.
Five key preventative measures:
- Adopt a holistic approach: make cybersecurity a key part of your company strategy at all levels.
- Know your data: identify the nature of data held; who can access it; where it is stored; the duration for which it should be kept; how it is protected; and how robust that protection is.
- Clearly drafted policies: introduce, review and update your policies on IT systems, appropriate IT use, handheld devices and social media.
- Train, train and train: once your policies are in place, train and educate your employees on a regular basis so that they know how to mitigate the risk of a cyber incident and what to do when they suspect one has taken place.
- Vigilance: update your security software; filter inbound and outbound communication; encrypt sensitive information; and adopt a good password policy.