The vast increase in remote working since Covid-19 struck has raised the risk of data breaches. In our 2021 client survey, 95% of the organisations we asked had introduced, or planned to introduce, new technologies. That is positive from many angles, but it also potentially opens the door to more cybersecurity incidents. According to IBM, 2021 saw the highest average cost of a data breach in the 17 years it has tracked the figure: USD 3.86 million in 2020, rising to USD 4.24 million in 2021. The same research highlights the role of remote working: the average cost of breaches in which remote work was a factor was USD 1.07 million higher than that of breaches where it was not. Similarly, in our own survey, 1 in 10 of the clients we asked had experienced a cybersecurity incident as a result of increased technology use to support remote working.
A data breach may not only expose confidential information, but may also result in a legislative breach, possibly with costly penalties attached, along with the risk of loss of customer trust, reputational damage, and, ultimately, a long-term financial impact.
So what should businesses do to ensure cyber resilience? Here are our thoughts:
Surprisingly, or perhaps not, human beings are the number one cause of cyber breaches, so training staff on how to avoid them is a top priority.
Looking at the available research, Verizon reported that 85% of breaches involved a human element. Similarly, according to the Egress Insider Data Breach Survey 2021, 74% of organisations that experienced insider data breaches suffered them because employees broke security rules, and 84% as a result of human error. We therefore recommend at least annual training programmes to raise employee awareness of cyber security issues. The aim should be to create a ‘security culture’, remind employees of security principles and policies, and explain the types of attack they could face. On this last point particularly, the techniques attackers use change all the time, so regular training is vital.
Remember that attackers, ultimately, are trying to make money from you. So make sure your training covers everyone who authorises or makes payments on behalf of the company. Alarm bells should ring, for example, if a supplier suddenly asks to be paid into a new account. Any such request should be verified through a channel other than the one it arrived on, for instance by calling the supplier on a number you already hold on file rather than one given in the email.
New technology is introduced by employers all the time, and employees should be properly trained in its use when it is introduced and kept up to date afterwards. Bear in mind too that remote workers do not only work from home: they may work in other settings, some of which are insecure. Remind employees to avoid public wi-fi when accessing confidential company information unless they are connected through the company VPN, and to be aware of whether outsiders can see their screen as they work.
Although new technology may bring with it an increased risk of data breaches, technology can also offer solutions.
There are many tools that can help protect company data, including Data Loss Prevention (DLP) tools, anti-virus tools, secure VPNs and password management systems. Don’t forget that remote working means computers holding proprietary company information are out of the office, increasing the risk of data loss if devices are lost or stolen. Employees might also try to access the company network from unknown devices. Use strong passwords and multi-factor authentication, encrypt the storage on company devices so that a lost laptop does not automatically become a data breach, keep track of your devices and of where and from which devices your employees log in, and install remote-wipe and ‘find my device’ software on company devices in case they are stolen. Make sure your IT people keep up with the data security software available, as the tools get more sophisticated all the time.
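As an added illustration of what “tracking your devices and login locations” can mean in practice (this is example code written for this page, not a tool from the original article or from Ius Laboris), the script below checks a constructed list of login records against a hypothetical inventory of managed devices and flags three things: a login from a device that is not in the inventory, a user’s first login from a new country, and two logins from different countries closer together than someone could plausibly travel. All device IDs, user names and login records are invented.

```python
"""Added example: flagging suspicious logins against a device inventory.

Constructed data only: the managed-device list and login records below are
invented for illustration and are not taken from the original article.
"""
from datetime import datetime, timedelta

# Hypothetical inventory of company-managed device IDs (constructed).
MANAGED_DEVICES = {"LT-0412", "LT-0577", "LT-0903"}

# Constructed login records: (timestamp, user, device_id, country).
LOGINS = [
    ("2021-06-01T08:02:00", "anna", "LT-0412", "GB"),
    ("2021-06-01T09:15:00", "bruno", "LT-0577", "DE"),
    ("2021-06-02T07:55:00", "anna", "LT-0412", "GB"),
    ("2021-06-02T10:40:00", "anna", "LT-0412", "GB"),
    ("2021-06-02T12:05:00", "anna", "BYOD-PHONE", "GB"),  # not in the inventory
    ("2021-06-03T06:30:00", "bruno", "LT-0577", "DE"),
    ("2021-06-03T08:10:00", "bruno", "LT-0577", "BR"),    # new country, 1h40 after DE
]

# Shortest gap within which two logins from different countries are treated
# as impossible travel. Assumed value; tune it to your own user base.
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=6)


def flag_logins(logins, managed_devices, window=IMPOSSIBLE_TRAVEL_WINDOW):
    """Return a list of (timestamp, user, reason) alerts.

    Reasons:
      "unmanaged-device"  - device_id is not in the managed-device inventory
      "new-country"       - first login by this user from that country
                            (the user's very first login is not alerted on)
      "impossible-travel" - previous login was from a different country less
                            than `window` earlier
    Records are processed in timestamp order so that "first seen" is meaningful.
    """
    alerts = []
    seen_countries = {}  # user -> set of countries seen so far
    last_login = {}      # user -> (datetime, country) of the previous login

    for ts_str, user, device, country in sorted(logins):
        ts = datetime.fromisoformat(ts_str)

        if device not in managed_devices:
            alerts.append((ts_str, user, "unmanaged-device"))

        countries = seen_countries.setdefault(user, set())
        if country not in countries:
            if user in last_login:
                alerts.append((ts_str, user, "new-country"))
            countries.add(country)

        if user in last_login:
            prev_ts, prev_country = last_login[user]
            if prev_country != country and ts - prev_ts < window:
                alerts.append((ts_str, user, "impossible-travel"))

        last_login[user] = (ts, country)

    return alerts


if __name__ == "__main__":
    for ts, user, reason in flag_logins(LOGINS, MANAGED_DEVICES):
        print(f"{ts}  {user:<6} {reason}")
```

Two caveats a practitioner would add: country-level geolocation of an IP address is coarse, and staff who use a consumer VPN or who are genuinely travelling will trigger the location rules, so alerts like these are a prompt for a quick check with the employee rather than proof of compromise; and the check is only as good as the device inventory, which is why keeping that inventory current is part of the job.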
You need to ensure you have the capacity to continue operating even whilst under attack or if the tools your employees depend on temporarily go down. This means having a technical ‘Plan B’: for instance, a secondary communication channel in place that you can use if your usual one collapses. This is especially important if you have remote workers who are not connected simply by virtue of being in the same physical space. Even something as simple as being connected on a separate messaging platform will, in the first instance, enable you to tell everyone what’s happening, reassure them that you are on it and keep them informed.
You should also make sure your systems are recoverable, as some types of attack, ransomware among them, cause permanent loss of data. Secure cloud storage and regular backups could save the day and ensure the continuity of your operations. Keep at least one copy of your backups offline or otherwise out of reach of an attacker who has got into your network, and test that you can actually restore from them: a backup that was encrypted along with everything else, or that nobody has ever tried to restore, is no plan B.
In the heat of the moment, getting your workforce up and running and recovering any lost data is what matters most, but looking ahead, long-term resilience is the goal. Your IT staff should carry out routine maintenance, patching and checks, and your employees generally need to be conscious of and informed about cyber security risks, through regular training and internal awareness communications.
We recommend you enlist your IT people to carry out a risk assessment of how likely cyber breaches are and what steps can be taken to mitigate them. If you don’t have one already, you should then put an IT security policy in place setting out the steps employees should take in the event of a breach, including whom to report it to and how quickly. It should also clarify what employees are forbidden from doing and what they are allowed to do. For example, may employees use company computers for private purposes? Be clear that using company computers and networks to visit pornographic, politically extremist, criminal or discriminatory websites is prohibited. You can also consider requiring employees to obtain permission from the system administrator before installing and running their own software on computers connected to the company network.
Specialist cyber security insurance policies are available on the market, and your general insurance policy could also be adapted to include cyber security cover. Check your existing policies first and work out what cover you need. As always with insurance, be careful about what is excluded and about any caps on the compensation you can claim. Look particularly at what the policy says about network interruption (e.g. how long the network needs to be down before the insurance kicks in), data breaches, cloud service failure, network loss, other losses and outages, cybertheft, cyberterrorism (including what is excluded, for example acts of war), phone or online hacking, manipulation of computer hardware and software, and extortion. The insurance should also cover legal protection and defence costs in litigation (e.g. arising from claims made against you about alleged breaches of data privacy law, copyright or other intellectual property rights), along with reputational protection.
The insurance company should provide you with details of a first response adviser whom you can go to if you experience an event you need help with, such as a cyber security breach, extortion or legal action of some kind.
Ius Laboris, The Word: Forces for Change, 2021, https://iuslaboris.com/wp-content/uploads/2021/02/Ius_Laboris_The_Word_2021.pdf
IBM, How much does a data breach cost?, https://www.ibm.com/security/data-breach
Ius Laboris, The Word: Forces for Change, 2021, https://iuslaboris.com/wp-content/uploads/2021/02/Ius_Laboris_The_Word_2021.pdf
Verizon, 2021 Data Breach Investigations Report, https://www.verizon.com/business/resources/reports/dbir/
Egress, Insider Data Breach Survey 2021, https://www.egress.com/only-human/report