The recent global cyber-attack wreaked havoc at dozens of NHS trusts and hit thousands of computers in over 150 countries.
The NHS trusts that were affected have been criticised for not applying the patch, despite NHS Digital warning them a month earlier that they were vulnerable to a possible attack. Security experts say the affected computers were vulnerable to the bug, and IT experts have advised that unless IT departments apply the patch and back up their files, they too could be hit by the attacks.
What is clear from this attack is that cyber attacks are on the rise and no one can escape the risk.
UK businesses are reportedly being forced to shut down after being held hostage by ransomware. One report from computer security firm Malwarebytes found that nearly 40% of all businesses experienced an attack in the last year.
Small businesses are targets because SMEs tend to be less careful about cyber security. Small businesses tend to underestimate their risk level and think their servers are not worth stealing. It is therefore important for SMEs to understand the importance of cyber security. Prevention is better than finding a solution after a cyber-attack, and cyber security measures are cheaper than the recovery process after an attack. It is important for business owners to assume that they can be the victim of a breach, which is why they need to be prepared at all times.
Key things we advise clients to do are:
1. Have clear email, download and monitoring policies in place. Once your staff have downloaded something it is too late. These policies are usually contained in the staff handbook and should make clear what staff must not do, and when to report an issue.
2. In staff or contractor contracts you may want to include authority for you to monitor their email or internet use. This permits you to undertake spot checks or IT checks on what they are downloading, so that personal use does not cause you costs if it leads to a virus or cyber attack.
3. Confidentiality of clients' names: you can use titles on your IT systems that anonymise the person, while recording their real identity in a secure place. In any event you need to make sure your data protection policy is up to date and covers these issues.
4. Does your insurance adequately cover you for IT rectification, losses, reputational damage and limitation?
5. Have you protected yourself against failure to deliver, for example with adequate force majeure terms in all your contracts and terms of business?
What is a ransomware attack and what does it look like?
The attack usually infects a host computer and encrypts files that it can locate on the hard drive. Some attacks can also scan the local network for files in other locations that they will then encrypt.
The most common way a cyberattack affects an organisation is through an attachment to an email. The email may urge the recipient to act quickly, for example to pay a sum of money, by opening the attachment. Once the attachment is opened, the malware it carries exploits any vulnerability in the operating system and software, and the encryption process may start. A ransom demand is then issued, to be paid in the digital currency Bitcoin. The sum must be paid to obtain the "decryption" key that restores access to the information stored in the encrypted files. There is no guarantee that the key will be released on payment.
What about data protection?
The Data Protection Act requires all data controllers to take appropriate technical and security measures to keep personal data secure against loss or destruction.
The Information Commissioner’s Office (ICO) is the UK’s independent body to uphold information rights (www.ico.org.uk).
If the personal data for which you are responsible has been encrypted as a result of a cyberattack and you are unable to restore that data, there is a risk that the ICO could take the view that you have not taken appropriate measures to keep that data secure and have breached the Data Protection Act. If there is a back-up from which you can restore a working copy of the data, then a permanent loss of data would not be considered to have happened. However, the ICO would usually still consider the circumstances of the case to determine whether or not there were appropriate measures in place that could have prevented the attack from succeeding.
How do I prevent an attack?
- Always have basic technical protection against malware, and make sure it is up to date.
- Apply security patches on all devices.
- Protect back-ups from encryption: keep both online and off-site back-ups.
- Give regular training sessions to your staff so that they can recognise a cyber attack if it gets past your anti-malware protection.
- Separate and segment your network so that the damage can be limited if you are attacked.
- Remove unnecessary user accounts and restrict privileges to only what is necessary.
- Disable or remove software you do not need, to reduce the number of routes of entry available to an attacker.
How do I recover data?
- Ensure there is an effective back-up policy and process in place and that this is functional. Take advice from IT professionals to ensure the back-up will not be encrypted in the event of an attack.
- Test your back-ups regularly and make sure you can recover from a ransomware attack.
- Once you have removed the ransomware, ensure that you carry out a full security scan of your systems and network – if attackers can get the ransomware onto your systems, they may have gained other access that you have not detected.
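As an added illustration of protecting and testing back-ups (example code, not from this article or any vendor), the following Python script records a hash manifest when a back-up is taken and later checks the copy for files that are missing, changed, or changed to high-entropy content of the kind an encrypting infection leaves behind. The directory, file name and contents in `demo()` are constructed sample data; the 7.5 bits-per-byte threshold is an assumed cut-off.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def shannon_entropy(data):
    # Bits per byte: documents sit well below 7.5, encrypted output close to 8.
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root):
    # Hash every file under root when the back-up is taken; keep this manifest
    # away from the back-up itself so that both cannot be rewritten together.
    return {os.path.relpath(os.path.join(d, n), root): sha256_file(os.path.join(d, n))
            for d, _, files in os.walk(root) for n in files}

def verify_backup(root, manifest, entropy_threshold=7.5):
    # Compare the back-up now against the earlier manifest and report files that
    # are missing, changed, or changed to content that looks encrypted.
    report = {"missing": [], "changed": [], "looks_encrypted": []}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report["missing"].append(rel)
        elif sha256_file(full) != expected:
            report["changed"].append(rel)
            with open(full, "rb") as f:
                if shannon_entropy(f.read(1 << 20)) >= entropy_threshold:
                    report["looks_encrypted"].append(rel)
    return report

def demo():
    # Constructed sample: verify a clean back-up, then verify again after one
    # file has been overwritten with random bytes, as an encrypted file appears.
    root = tempfile.mkdtemp()
    path = os.path.join(root, "invoice.txt")
    with open(path, "w") as f:
        f.write("Invoice 001: amount due 100 GBP\n" * 50)
    manifest = build_manifest(root)
    clean = verify_backup(root, manifest)
    with open(path, "wb") as f:
        f.write(os.urandom(4096))
    return clean, verify_backup(root, manifest)
```

Calling `demo()` returns the clean report followed by the report for the tampered copy; in practice the manifest would be stored on separate, write-protected media and the check scheduled to run before the back-up is ever relied upon.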
Do I need to report the data breach?
Under the Data Protection Act (DPA), although there is no legal obligation on data controllers to report breaches of security, the ICO takes the view that all serious breaches should be reported to it. It is good practice to train staff and to report any breaches of the DPA promptly. Details of how to report are available at https://ico.org.uk/for-organisations/report-a-breach/
However, if you are a telecom or internet provider that allows members of the public to send electronic messages there is a strict requirement to report the breach to the ICO under the Privacy and Electronic Communications Regulations (PECR).
Register with the ICO
The Data Protection Act 1998 requires every organisation that processes personal information to register with the Information Commissioner’s Office (ICO), unless they are exempt. Failure to do so is a criminal offence. This covers most organisations in the UK. Once registered, you are able to confirm that you are registered with the ICO on your website.
Have Cyber and IT policies in place internally
It is crucial to train staff regularly and have policies in place guiding staff on what a cyber attack looks like and how to handle one. We can assist you in drafting these.
Have a Data Protection Policy in place
This is essential where your organisation handles personal data. A policy informing customers or users of how their data is handled, where it is stored and what happens if the company suffers a cyber attack ought to be available. We can assist you in drafting this policy.
If you need any further advice please contact our commercial team on 02074260382 or firstname.lastname@example.org