For small- and medium-sized businesses, "cyber resilience" has been moving up the agenda over recent years.


With so many businesses pivoting online as a result of the Covid-19 pandemic, cyber criminals have seized the opportunity to capitalise on increased online activity, particularly where targets are exposed by a lack of sophistication in their cyber resilience strategy.

Cyber attacks and breaches are ubiquitous, come in all shapes and sizes, and are not just a problem for the big market players.  In the last 12 months, 39% of UK businesses identified cyber breaches or attacks,[1] and in the period from March 2021 – March 2022, there were 2.7 million cyber-related frauds affecting individuals and businesses.[2] It comes as no surprise, then, that four out of five boards or senior management teams of UK businesses now rate cyber security as a “very high” or “fairly high” priority.[3]

Given the abundance of news stories warning of individual cyber attacks, not to mention the ongoing global threat of state-sponsored cyber terrorism, the issue of cyber security can feel overwhelming, particularly to SMEs.  We have set out below some of the key points to be aware of in terms of inside and outside cyber threats, and how businesses can build cyber resilience.

Why cyber security matters - the cost of data breaches and attacks

Cyber incidents can seriously disrupt business operations, with all the associated costs that entails. However, the damage can extend much further, depending on the nature of the breach. Frequently, cyber incidents will trigger the requirement to notify the regulator (the Information Commissioner’s Office in the UK). The ICO has extensive enforcement powers, including the power to investigate the incident, issue public decision notices (which can be hugely damaging reputationally), and impose hefty fines (Interserve was handed a £4.4m fine this year for failing to adequately protect staff personal data from hackers).

Added to that is the risk of civil action.  We have now seen the arrival of data privacy group actions in the UK, most notably the case brought against British Airways by at least 20,000 data subjects for damages resulting from a hacking incident in 2018. Contracting parties might also have a claim for breach of contract, as the requirement to maintain robust data privacy measures is often built into commercial contracts.

Two notable cyber attacks of 2022

Optionis Group

In January 2022, Optionis Group, the parent company of a number of professional service businesses, was targeted by cyber criminals in a suspected ransomware attack.  Having infiltrated Optionis Group, hackers were then able to target at least ten other companies within the group, including Parasol, a payroll provider used by contractors throughout the UK.  Personal information relating to tens of thousands of contractors was leaked to the dark web, and with Parasol and others being forced to take down their systems for multiple days, thousands of self-employed workers were left without wages.

This example serves to demonstrate the benefit to hackers of targeting organisations which are rich in personal data.  In this case it was a payroll company, but the health industry is also particularly attractive.  We can also see how hackers can increase the efficiency of their attacks by infiltrating large umbrella companies, thus facilitating access to a wider network.

Oktapus

This was a wide-scale ‘spear-phishing’ campaign which targeted the accounts of certain Okta customers. Okta is a US-based software provider offering single sign-on services. The attackers sent text messages or emails to users containing a link to a fraudulent Okta authentication page. The users then entered their login / authentication credentials, which became compromised. Okta has a huge client roster of over 15,000 companies, so the full extent of the incident is not yet clear, though Okta estimates that up to 366 of its clients (many of whom will have customers of their own) could have been affected.

This shows how cyber criminals can reach the largest volume of potential victims by effectively targeting one popular service provider.

The outside threat - check your supply chain

While SMEs might reasonably assume that they themselves will not be a target of cyber attacks, the weak link often sits somewhere down the supply chain, which can be long and complex (and could include organisations from hostile states). The UK’s National Cyber Security Centre (NCSC) reports that there has been a notable uptick in cyber attacks that resulted from supply chain vulnerabilities.[4] Concerningly, only 13% of UK businesses review the cyber risk posed by their immediate suppliers, and only 7% do the same for their wider supply chain.

The NCSC published updated guidance this year on how businesses can improve the cyber resilience of their supply chain. Key steps from that guidance include:

  1. Identifying the individuals who will take ownership of supply chain cyber security
  2. Identifying the critical assets which need most protection (this could be a customer database, website, or billing system for example)
  3. Developing a consistent approach for evaluating and managing supplier risk, which includes:
    1. security profiles to be assigned to each supplier
    2. questions to determine the security profile of each supplier
    3. cyber security requirements for each profile
    4. management plan to track compliance
    5. cyber security clauses for insertion into supplier contracts
  4. Training relevant members of the team on the above approach and how it should be implemented
  5. Keeping cyber security at the fore throughout the life cycle of the contract
  6. Monitoring supplier performance and reporting regularly to the board
  7. Remediating older contracts to ensure that they meet the required cyber security standards
  8. Continuing to evaluate practices and update in response to new information / guidance / threats

The inside threat - your systems and people

While the threat of outside cyber attack often dominates news reels, the reality is that most incidents involving personal data result from error or malice within an organisation.

There have been a few high-profile examples of data breaches committed by malicious insiders over recent years. One example is the case of a software engineer who stole the personal information of more than 100 million Capital One customers and was ultimately found guilty of criminal charges. Capital One was fined $80m by regulators for failing to properly safeguard customer data and paid $190m to settle the related class action.

Fortunately, though, malicious insiders are in the minority and most “inside” data incidents result from error or poor data privacy hygiene. According to statistics published by the ICO, 80% of all incidents reported over the past three years could be categorised as “non-cyber breaches”,[5] meaning a breach which does not have a clear online or technical element involving a third party with malicious intent. Emailing data to the wrong recipient was the most commonly reported incident type, making up 15% of total incidents reported.[6] However, this type of incident can still be extremely serious in nature. For example, this year a consultancy firm employed by the NHS inadvertently sent millions of sensitive NHS patient letters to a member of its staff.

Some practical tips to reduce insider threat are:

  1. Limit access to personal or commercially sensitive data to only those who require it (this goes for employees, contractors and any other person with access to the network)
  2. Manage employees’ access rights actively, particularly at the points when employees change roles or leave the company
  3. Monitor user activity and the movement of data (being mindful of GDPR obligations to employees)
  4. Create clear policies on IT use (including, for example, the use of external devices) and data privacy, ensuring these policies are fully embedded in the company and regularly reviewed
  5. Conduct regular data security training, potentially including desktop ‘crisis’ exercises
  6. Implement technical solutions, such as data encryption, wherever possible
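The first three tips above (least-privilege access, managing access when people move or leave, and monitoring the movement of data) can be turned into a routine check. The script below is an added illustration, not code from the article or from Burness Paull: it reconciles a constructed HR roster and an IAM entitlement export against a role-to-data-set policy to find leavers who still have access and movers who kept entitlements from a previous role, then scans constructed export log lines for transfers of data by people not entitled to it or in unusually large volumes. The roster, policy, log format and the `BULK_ROW_THRESHOLD` value are all assumptions made for the example.

```python
"""Joiner/mover/leaver access reconciliation and a simple data-movement check.

Added illustration (not from the article). Everything below - the roster,
the role policy, the entitlement snapshot, the log lines and the bulk
threshold - is constructed sample data standing in for an HR export, an
IAM export and a DLP/export audit log.
"""

# Constructed HR roster: who is still employed and in which role.
ROSTER = {
    "alice": {"status": "active", "role": "payroll"},
    "bob":   {"status": "active", "role": "sales"},          # moved from payroll recently
    "carol": {"status": "left",   "role": "payroll"},        # leaver whose account was never disabled
    "dave":  {"status": "active", "role": "contractor-it"},
}

# Role-to-data-set policy: the only sensitive data sets each role needs (tip 1).
ROLE_POLICY = {
    "payroll": {"payroll_db", "hr_records"},
    "sales": {"crm"},
    "contractor-it": set(),
}

# Constructed snapshot of current entitlements per account, as an IAM export would give it.
ENTITLEMENTS = {
    "alice": {"payroll_db", "hr_records"},
    "bob":   {"crm", "payroll_db"},   # stale entitlement left over from the previous role
    "carol": {"payroll_db", "hr_records"},
    "dave":  {"hr_records"},          # granted for a support ticket and never revoked
}


def reconcile_access(roster, policy, entitlements):
    """Return (user, finding, data_sets) tuples for leavers with live access
    and for active users holding entitlements outside their current role (tip 2)."""
    findings = []
    for user, ents in sorted(entitlements.items()):
        person = roster.get(user)
        if person is None or person["status"] != "active":
            # Leavers and accounts unknown to HR must not retain any access at all.
            if ents:
                findings.append((user, "leaver_with_access", sorted(ents)))
            continue
        allowed = policy.get(person["role"], set())
        excess = ents - allowed
        if excess:
            findings.append((user, "excess_entitlement", sorted(excess)))
    return findings


# Constructed export log: timestamp, user, data set, rows exported, destination.
EXPORT_LOG = """\
2022-11-01T09:02:11 alice payroll_db 120 internal-share
2022-11-01T09:40:03 bob payroll_db 45000 personal-email
2022-11-01T10:15:27 carol hr_records 300 usb-device
2022-11-01T11:05:44 alice hr_records 80000 internal-share
"""

BULK_ROW_THRESHOLD = 50000  # assumed tuning value for what counts as a "bulk" movement


def check_data_movement(log_text, roster, policy, threshold=BULK_ROW_THRESHOLD):
    """Flag exports of a data set by users not entitled to it, and bulk exports
    even by entitled users (tip 3). Returns (timestamp, user, data_set, alert) tuples."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, dataset, rows, _dest = line.split()
        person = roster.get(user)
        if person is not None and person["status"] == "active":
            allowed = policy.get(person["role"], set())
        else:
            allowed = set()  # leavers and unknown accounts are entitled to nothing
        if dataset not in allowed:
            alerts.append((ts, user, dataset, "unauthorised_export"))
        elif int(rows) >= threshold:
            alerts.append((ts, user, dataset, "bulk_export"))
    return alerts


if __name__ == "__main__":
    for finding in reconcile_access(ROSTER, ROLE_POLICY, ENTITLEMENTS):
        print("ACCESS", *finding)
    for alert in check_data_movement(EXPORT_LOG, ROSTER, ROLE_POLICY):
        print("ALERT", *alert)
```

Run as written, the reconciliation reports bob's stale payroll entitlement, carol's live access after leaving, and dave's unrevoked HR access, while the log scan flags bob's and carol's exports as unauthorised and alice's 80,000-row export as bulk. In practice the roster and entitlement inputs would come from the HR system and identity provider on a schedule, and the findings would feed the access review that tip 2 calls for rather than being printed.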

How we can help

With the largest data privacy team in Scotland, Burness Paull’s specialist lawyers provide a full range of legal services in relation to cyber security, from resilience building and compliance management to breach response and regulatory engagement.

Hear from our experts

Our team hosted a series of three informative webinars aimed at demystifying cyber security and giving organisations the knowledge needed to be prepared in the event of an attack. If you missed these sessions, you can catch up below.


Cyber Security: What are the risks? Inside and outside threats

Cyber Security: Mitigate the risks - preparatory steps for companies to take now

Cyber Security: Manage the threat. Responding to a security threat
