Latest
Our lawyers are experts in their fields. Through commentary and analysis, we give you insights into the pressures impacting business today.
Companies that suffer personal data breaches may face investigation by the Information Commissioner's Office (ICO), which can impose fines of up to £17.5m or 4% of a company's annual global turnover, whichever is higher. In October 2022, the ICO fined British construction company Interserve Group Limited £4.4m for failing to prevent a cyber attack that enabled hackers to steal the personal and financial information of up to 113,000 employees.
According to the ICO, Interserve's own complacency was responsible for the breach, with outdated software systems and protocols as well as inadequate staff training and risk assessments all listed as contributing factors.
Upon issuing the fine, the UK Information Commissioner said that, "the biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office." His statement is a warning shot to directors to prioritise cyber security and get their houses in order.
As economic distress and geopolitical unrest are likely to increase the threat posed by cyber breaches in 2023, directors should heed the Information Commissioner's warning and consider proactive measures to mitigate this risk.
Few major businesses will have escaped some form of cyber attack or data breach, which can precipitate the breakdown of trading relationships.
Following an increase in supply chain attacks, the National Cyber Security Centre issued fresh guidance in October 2022 to help organisations assess the cyber security of their supply chains. This builds on its previously published '10 Steps to Cyber Security', which includes measures on engagement and training, asset management, architecture and configuration, vulnerability management, data security, logging and monitoring, incident management and supply chain security. However, in response to the government's 2022 survey, only 49% of businesses said that they have implemented measures in at least 5 of these areas.
Supply chains offer additional vulnerabilities for cyber attackers to exploit and present an additional entry point for criminals to infiltrate an organisation. Yet, despite this risk, only 13% of businesses said they assessed the hazards posed by their immediate suppliers during the procurement process, and fewer than one in ten said they monitor the risks posed by their supply chain on an ongoing basis.
Businesses are only as secure as their weakest supplier and this is something directors must recognise if they are to ensure their organisation's continued resilience in 2023. Read more in our predictions for supply chains.
Whilst most businesses have some sort of digital footprint – through the use of network-connected devices, online ordering systems and payments, and storing customer data electronically – the Covid-19 pandemic facilitated a boom in IT solutions, which served to fast-track the uptake in digital technologies.
This was a priority for businesses determined to survive in the 'new normal'. Indeed, business continuity became the number one priority for many companies, with other interests – including cyber security – moving further down their commercial agenda.
Many businesses continue to deal with the impact of the pandemic, with ongoing insurance claims, business restructuring and the withdrawal of government financial support remaining a focus for directors. As a result, many businesses have yet to properly assess the increased risk profile created by accelerated digital transformation. This includes risks within the company, such as that posed by IT misuse by outgoing employees.
As well as an increased use of technology, digital transformation usually results in a larger supply chain – both of which increase the opportunities available to cyber criminals to mount an attack. Directors should prioritise the implementation of adequate security protocols to manage the risk and reduce exposure to cyber attacks.
Ongoing economic pressures will make 2023 a challenging year for many organisations. Whilst business continuity will remain at the top of many business agendas, the rising level of criminals looking to exploit vulnerabilities will increase the need for strong cyber security defences. Those companies that ensure cyber security is a priority at board level, prioritise training, regularly assess their risk profile and take a proactive approach to cyber defence will be better placed to reduce data security breaches, intercept attacks, protect their corporate reputation and mitigate costly financial penalties.