Cyber security - a plan of action for everyone by Kenny Mullen, Partner, Withers LLP on 12-Dec-2013

According to the 2013 Information Security Breaches survey commissioned by the UK Government, 93% of large organisations suffered a data security breach in 2012. However, for many small and medium-sized enterprises, high-level cyber threats from criminal gangs and terrorists can seem more like theoretical scenarios than a genuine business issue.

More fundamental questions are likely to arise says Kenny Mullen, Partner at Withers LLP. Is cyber security relevant to us? What should we be doing? And what is the cost?

'Cyber security' covers a number of areas. For many small and medium-sized businesses, the issue can be wrapped up as a mix of data protection, information management and IT security. In short, this means ensuring that your computer systems and the data that you hold on them are not exposed in a way that enables unauthorised third parties to readily compromise your network or that data can find its way into the wrong hands.

While your business may not be on the prime target list of the 'hactivist' gangs, criminal networks or hostile regimes, there can be a disgruntled former employee out there who is determined to cause trouble. Many of the security incidents we see happen through accident.

In this broader sense, cyber security presents a threat to enterprises of all sizes.

There is no one size fits all answer to the 'what should we do about cyber security?' question. There are, however, some basic issues to consider when preparing your plan of action:

1. Assess where you stand: Start by thinking about where your cyber security weak points could be. Think about the information you do not want to fall into third party hands and where it's held. Think about personal data relating to your staff and customers. What internal controls do you have in place to keep your systems secure (eg. staff policies)?


2. Get Employees on side: The main cyber security threat we see comes from well-intentioned people inside the organisation. The downloading of sensitive personal data on to memory sticks without encryption is likely to constitute a breach UK data protection law which, in serious cases, could result in financial penalties of up to £500,000. Employees should be made aware of their responsibilities to look after personal (and confidential) data, whether working on the system in the office or at home. There may also be technical ways to limit exposure.


3. Watch Your Contractors: Some of the worst data security breaches we have seen happened as a result of contractors not being properly supervised when engaged by a small or medium-sized business. Organisations are legally obliged to take sufficient 'technical and organisational' security measures in relation to personal data they hold. This also means ensuring that all contractors IT support providers, website hosts or mail handling providers are subject to proper screening. You are legally obliged to have a written contract in place with a contractor handling your personal data, under which they give proper warranties regarding their handling of such data on your behalf.


4. Prevention at the mundane level: The interconnected world presents huge advantages in terms of market reach. The downside of this is that even low level security lapses can lead to major security incidents. For example, sensitive data being inadvertently loaded on to a web server when a desktop computer was being fixed and being picked up by an internet search engine; memory sticks sent by post going missing; or even a misdirected e-mail with a confidential data file attached. The interconnectedness of computers, mobile devices and other equipment means that a small security leak can quickly turn into a flood. Simple precautions at the lowest level can be a major step forward in stopping things becoming more serious.


5. Not only an IT issue: There are basic IT issues that need to be addressed, such as maintaining up-to-date virus protection, firewalls and adopting industry standard encryption for sensitive personal data transferred or taken out of the business. However, the legal buck for cyber security stops with management. If cyber security is simply considered 'an IT problem', then it's unlikely to be taken very seriously by employees. Proper training, cyber security policies and having an incident management plan in case the worst-case scenario happens needs to involve everyone.

While the organised virtual criminal threat may seem remote, there are things that should and can be done in the real world to improve your situation.

return to BW briefs