In light of the seemingly never-ending reports of cyber attacks and data breaches, what can the business community do to minimise the potential reputational and commercial impact if they fall victim to a cyber attack or data breach?
In addition, there are the forthcoming EU General Data Protection regulations, which have been criticised in some quarters for being overly burdensome.
In an attempt to identify some valuable guidance and to debunk some of the inevitable urban myths that surround this subject, Business News sat down with Keystone Law UK’s Jimmy Desai (data protection lawyer) and Jonathan Coad (media lawyer and reputation expert).
Both have experience of advising their clients on cyber-attacks and data breaches and dealing with the subsequent media coverage.
And they have links with businesses in the Isle of Man.
What preventative measures can you take to protect your business from a cyber-attack?
Jimmy Desai said: ’A lot of organisations think that cyber attacks are simply an IT problem and that better IT systems can fully protect them.
’However, in our experience this is not entirely true because we have found that although good IT systems are part of the solution, it is also essential for everyone in an organisation to be aware of cyber security.
’This includes training staff about how breaches typically occur and how they might fall prey to a cyber-attack because these breaches often start with staff being duped by hackers.’
Is there a compliance gap that is currently leaving data at risk from attack?
Mr Desai said: ’Each department of an organisation will often have ways of minimising risk but there are often gaps in policies, procedures and understanding due to the different areas failing to work together and act cohesively when it comes to cybersecurity.’
What should you do in the aftermath of an attack?
Mr Desai replied: ’In our experience, organisations are typically breached long before they are even aware.
’Starting to think about how to limit damage at that point is simply too late as, by that time, the organisation’s reputation is already being put at risk.
’It is far better to have a breach plan in place before any breach occurs.
’This will often involve all the relevant parties (e.g. IT specialists, HR, PR advisors, operations staff, insurers and lawyers) so that if a breach does occur then the impact can be mitigated by putting the plan into action.
’Many organisations quite rightly spend a lot of time and resources on trying to prevent a breach but, in our experience, they tend to spend much less time on planning for what will happen if a breach occurs.’
Are offshore businesses, or indeed any other types, particularly at risk?
Mr Desai: ’Because hackers have so many different motives it is difficult to identify specific businesses that are particularly at risk.
’Recently we have had SME clients who were breached and they had thought they were at minimal risk because they thought hackers would only attack big companies.
’However, smaller companies who have not implemented much (if any) cybersecurity procedures and processes may be easier targets and more vulnerable to attack.’
How should you deal with customers who might have been affected?
Mr Desai: ’Complying promptly with legal notification obligations is critical. From previous breach cases, customers have tended to be far more forgiving when they have promptly and clearly been updated on what is going on compared to when the communication with them has been delayed and haphazard.
’How you deal with customers should be addressed in your breach plan.’
How should an attack be communicated both internally and externally?
Jonathan Coad said: ’There is an inevitable reputation risk associated with a successful cyber-attack.
’Having a clear and effective PR and communications strategy is essential.
’Ideally there should be in place a contingency plan ready to put into practice.
’This should include having 24/7 access to both PR consultants who are expert in crisis PR (a distinct practice from other varieties of PR), and a good media lawyer who can tackle any media reporting which is misleading and damaging.’
Is seeking additional PR assistance from a third party always the route to take?
Mr Coad said: ’Dealing with the media in the midst of a crisis without the requisite expertise is not likely to go well.
’It is a particular skill. It is hard to over-estimate the value to you of your reputation, or the rapidity with which it can be lost.
’Unless you have your own PR team which has in it tried and tested experts in crisis PR then it is essential to get external support when your brand and/or reputation is under threat.’
Just how worried should we be about the rise of hacks and their longevity?
Mr Desai replied: ’Data breaches are on the rise worldwide and seem destined for further proliferation.
’We have also experienced a number of enquiries from parties that have been breached regarding the legal implications involved and what to do next from a legal standpoint in order to reduce damage.’
Media lawyer and reputation expert Jonathan Coad has experience acting for clients in the Isle of Man who have suffered a breach
Keystone UK lawyer Jimmy Desai recently spoke at a data security seminar at the Manx Museum organised by Simply Secure