The massive cyber-attack witnessed earlier this month plunged NHS sites across the country into chaos with ransomware and brought back into sharp focus the vulnerability of all businesses to a cyber-attack and the resulting physical and reputational loss that can be suffered.   In targeting the NHS it is understood that a bitcoin virus pop-up message was introduced on to the network asking users to pay $300 to be able to access their PCs but other cyber-attacks can be more subtle. 

With most businesses now having a website, social media presence and using cloud services it is not surprising that the Cyber Security Breaches Survey (April 2017) revealed that virtually all UK businesses covered by the survey were exposed to cyber security risks whether that be via phishing emails, virus infections, hacking, ransomware or some other attack.  Furthermore, 61% of businesses surveyed confirmed that they hold personal data on customers electronically.  Consequently it is of no surprise that a recent survey revealed that 85% of the British population worry about cybercrime and according to research from the Federation of Small Businesses cyber-crime costs its members circa £785m per year.

Whilst large scale hacking is complex many online criminals are simply trying to make money as quickly and easily as possible.  By taking positive action to protect your business you can make your business a more difficult target.  See below our top 5 tips on recognising a hacking attempt and keeping your business safe without spending a fortune on cybercrime prevention.

Strengthen security - Implement a combination of security protection solutions such as anti-virus, anti-spam, firewalls etc and carry out regular security updates on all software and all devices.  Out of date software often creates vulnerabilities that criminals can exploit.

Be proactive not reactive - if your business holds a significant amount of customer data electronically, particularly where such data is sensitive and/or confidential in nature, you may wish to consider engaging an IT expert to test your systems and identify any security loopholes before obtaining advice on how these can be configured securely and the site strengthened.

3.     Create a culture of respect in which employees are encouraged to question the validity and source of an email that appears unexpectedly urgent or at odds with usual instructions even if at first blush it appears to be sent from an identified source.  Phishing emails requesting disclosure of confidential information often appear to have been sent from a senior member of staff.

4.     Be alert to the spy from within – firstly, eliminate excessive permissions and ensure that only those staff or contractors needing current access are given the permissions to data that they need.  As regards new staff, sophisticated hackers could look to infiltrate a business in order to obtain restricted information.  For businesses heavily reliant on contractors or temporary staff, who might not be put through a rigorous recruitment process, this poses an increased risk.  When recruiting new staff ensure that you follow up on references and check that the phone numbers and email addresses given match with those found independently.

5.     Act quickly – the first few hours following an attack are crucial.  If threats are received or those within an organisation are subject to blackmail attempts, these communications should be reported to the police.  Where client data has been compromised it is important that all necessary steps are taken to secure as much information as possible and expert assistance is engaged to assist with IT issues, the PR approach and to assess the legal position.  Consideration must also be given to the communications provided to customers about the attack which must be open and honest whilst seeking to preserve the reputation of the business. 

The Cyber Security Breaches Survey revealed that despite all of the above only 11% of businesses surveyed have a cyber-security incident management plan in place.  Erica Simpson is a Senior Consultant in the Dispute Resolution department at Ortolan Legal with experience of advising clients who have been subject to a cyber-attack.  

If you wish to benefit from Erica’s practical experience or for her to effect an introduction for your business to experts in IT and PR in this regard please contact her to discuss your requirements at esimpson@ortolan.com or T: 020 3743 0600.