The energy sector has become one of the top targets for cyber attackers, with a recent IBM security report finding that 24% of all cyber attacks in the UK target the energy sector.

With their long supply chain, complex flows of data, wide geographical footprint, and links to critical infrastructure, energy businesses present a golden opportunity for cyber attackers looking to cause maximum disruption.

The consequences of a successful attack in the energy sector can be particularly devastating, and include:

  • Widespread outages
  • Operational interruption
  • Financial damage (costs attributed to business interruption, expert IT support, legal costs, and security upgrades)
  • Reputational damage
  • Regulatory investigation and enforcement (from multiple regulators)
  • Litigation risk (from aggrieved data subjects and/or contracting parties)
  • Increased burden of data subject requests
  • Risk of burnout among staff managing the response

While it is now generally accepted that data breaches (whether the result of an attack or of human error) are inevitable, organisations must take “appropriate technical and organisational measures” to safeguard the personal data they hold. What is appropriate will depend on the risk posed to data subjects, as well as the solutions which are available and the costs of implementing them.

Some examples of basic technical security measures include multi-factor authentication, network segmentation, and activity monitoring and alerts. Consider seeking external support to validate your chosen security mechanisms, as internal IT teams may not always be best placed to provide the requisite level of independent, expert analysis.

To assist you we have some organisational top tips to build cyber resilience:

  1. Conduct regular data mapping to understand what data you hold;
  2. Delete data which is no longer required;
  3. Risk assess your supply chain to ensure it meets the required level of security, and keep this under review;
  4. Embed a culture of good data hygiene throughout all levels of the business;
  5. Identify accountable individuals internally to monitor data protection compliance;
  6. Report regularly to leadership on cyber risk, documenting key discussions and decisions;
  7. Ensure all data-related policies are up to date, easily accessible and regularly discussed;
  8. Implement a regular data protection training programme, tailored to relevant business areas and/or levels of accountability;
  9. Prepare a cyber incident response plan and update it regularly (storing it somewhere you can find in the event of an attack);
  10. Conduct regular “cyber drills” to test and develop your response plan.

At Burness Paull, we understand how challenging and disruptive data compromises can be to businesses, and the consequences that can flow from them. Whatever the nature, size or stage of the issue, our expert cyber team can help clients to manage data breaches or cyber security attacks or, better still, work with them on preventative strategies to mitigate the risk of them occurring.
