From the Top: Business Leadership and Cyber Security

Commercial and Data Protection Partner Hugh Goulbourne discusses the importance of cyber security within business leadership and how robust systems are required to mitigate potentially substantial losses.

Spending so much of our lives online brings with it immense benefits and considerable challenges.

In the last full year, the Information Commissioner's Office (ICO) documented 8,797 data security incidents (https://ico.org.uk/action-weve-taken/data-security-incident-trends/).

Whilst the majority of those were the result of human error - like the disclosure of personal information by e-mail, post or 'phone - a growing proportion are due to cyber attacks.

Capita, a multi-national outsourcing giant which holds many public service contracts, fell victim to one such incident in March.

The hack has had significant and wide-ranging consequences for the pensions industry, the collection of BBC licence fees and the criminal records database as well as Capita itself.

It has admitted that the incident may end up costing it between £15 million and £20 million in specialist professional fees, remediation costs and improvements to its IT security infrastructure (https://www.theguardian.com/business/2023/jul/31/capita-boss-quits-as-fine-looms-for-huge-hack-of-confidential-data).

Sadly, Capita's experience is far from unique.

In recent days alone, details of a similar "complex cyber attack" potentially affecting tens of millions of people in the UK have been disclosed by the Electoral Commission (https://www.thetimes.co.uk/article/bbef1d46-35e9-11ee-8810-d3022cd752ba?shareToken=94dbde080795b7c5c2ef088e76d10f42).

The Government's most recent cyber security survey revealed that 39 per cent of businesses - large and small - had been targeted in the previous 12 months (https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2022/cyber-security-breaches-survey-2022).

Furthermore, that same study suggested that the true incidence would have been higher but for under-reporting by "less cyber mature" bodies.

More than the practicalities for public and private sector organisations taken offline - establishing who was responsible, the extent of a breach and putting it right - or the inconvenience for individuals who rely on them, those who store or process data now have a legal obligation to protect it.

A failure to do so effectively can have massive financial implications.

As well as damaging the reputation of brands with commercial partners and customers, it can result in large fines from regulators.

In October 2020 - two years after hackers compromised its systems and accessed the data of some 400,000 customers - the ICO ordered British Airways to pay £20 million (https://www.bbc.co.uk/news/technology-54568784).

There has already been much speculation that figure may be dwarfed by the size of sanctions likely in the Capita case.

The rise in enforced home-working and online shopping during the pandemic was partially to blame for the increase in hacks, but experts have also attributed some of it to the continuing war in Ukraine (https://www.thalesgroup.com/en/worldwide/security/press_release/ukraine-whole-europecyber-conflict-reaches-turning-point).

Nevertheless, despite that backdrop, the ICO itself has warned that the greatest risk to organisations' digital security is not cyber warfare or crime gangs but complacency (https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/10/biggest-cyber-risk-is-complacency-not-hackers/).

That should act as a reminder to business owners and managers of the need to review procedures in order to ensure that they are as capable as possible of warding off a hack.

If defences are unfortunately breached, being able to demonstrate that all reasonable steps were taken to avert and respond to the release of confidential data - that you were not negligent - can be vital in mitigating huge penalties.

The key is having data protection by design and not by default.

By that, we mean putting robust policies and procedures in place before and not in response to a hack.

It is important to realise that responsibility for cyber security lies at the top of an organisation.

In that sense, it is no different from the other issues that they are forced to confront from time to time, like changing consumer trends or economic downturns.

Addressing the digital danger also requires identifying what action needs to be taken and who is in overall charge of the process.

To some individuals, adopting and constantly reviewing these strategies to be sure that they are compliant with relevant legislation can seem both effort- and cost-intensive.

Even so, the existential threat posed by hackers should convince sceptics that preparation is better than reparation: the expense of beefing up systems is smaller than the fines, and the possible legal action by those whose information has been filched by hackers, that follow a breach.

Previous clients have admitted that they found the language of data protection relatively opaque.

That is arguably all the more reason to seek the advice of specialists, who can explain what it all means for an individual business's set of circumstances and find the most appropriate solution in order to avoid being caught out.

As the law stands, a lack of understanding is not an excuse.

To find out more about how you can stay cyber safe, view Hugh’s ‘Reality Bytes’ webpage here

To discuss any of the above further, please feel free to contact Hugh: hughgoulbourne@bexleybeaumont.com  |  07748 803634