Managing the cybersecurity threat
Data has been described by The Economist magazine as the most valuable resource on earth – even more so than oil. Ensuring that your data is protected is therefore an extremely important part of any organisation’s objectives. This is especially so for any business that handles sensitive, personal, health, or financial data. For a small company that does not have a lot of resources to invest in sophisticated IT infrastructure and cyber defences, this problem of how to protect data is a difficult one to solve.
Poor handling of data is not only more costly in itself; it raises the risk of a breach, and a breach can put you in conflict with the prevailing data protection legislation, the GDPR, under which fines of up to 4% of annual worldwide turnover (or €20 million, whichever is higher) can be levied. Such a breach is often caused inadvertently by a lack of awareness and/or weaknesses in cyber security defences. On top of the fines, it can result in class action lawsuits from customers and irreversible loss of business reputation.
As a result of all of this, it is now becoming the norm, when trying to win business, to be asked for evidence of GDPR compliance and proof of the controls you have in place to defend against cyber attacks. The request may take the form of providing your GDPR policies and procedures, or of formal cyber security accreditation such as Cyber Essentials and Cyber Essentials Plus.
We have helped companies win bids for business and achieve cyber security accreditation whilst ensuring that they are GDPR compliant. Our consultants are industry qualified and accredited.
How do you assess your risk?
Cyber security risk is assessed by performing a full audit with one of our specialists.
There are three main areas for this assessment, and being the victim of a cyber-attack can result from a weakness in any one of them.
A cyber-attack is very serious for any organisation as it may well result in:
- Fines from the Information Commissioner’s Office (ICO)
- Potential class action from customers whose personal data was lost
- A loss in brand prestige due to the adverse publicity and potential loss of business
We can provide the following services on a competitive basis:
- Data Protection & GDPR Advice
- Data Protection & GDPR Audits
- Cyber Security Audits & Advice
- Data Breach Management
- Subject Access Request Management
- Information Management Consultancy
- ISO 27001 Accreditation
- Cyber Essentials and Cyber Essentials Plus accreditation
- Data Protection Officer (DPO) as a Service
- Data Protection and Cyber Security Training & Awareness – all staff levels
For a thorough insight into the impact of a cyber attack on your business and how you can prevent it, please contact our certified advisory team on 01628 56 52 56.
Cyber Essentials
A UK government-backed certificate. It provides a level of assurance to all stakeholders that an acceptable baseline of defences is in place.
It has been mandatory since 1 October 2014 for central government contracts which involve handling personal information or providing certain ICT products and services. Any supplier bidding for such contracts must therefore hold this certificate.
This is the most relevant level for small companies that do not process large volumes of sensitive data. Any certified company with a turnover of up to £20 million is entitled to free cyber insurance, which covers (up to the policy's limit of liability):
- Liability: claims made against you arising out of media activities and privacy and security wrongful acts.
- Event Management: costs, including emergency costs, following a data breach, including the costs of notifying data subjects. These typically include fees for legal, IT, forensic and PR specialists.
- Extortion Demands: ransoms and other cyber extortion.
- Regulatory Investigations: defence costs and regulatory fines (where insurable by law).
- Business Interruption: loss of profit and/or operational expenses caused by a network compromise.
- Loss of Electronic Data: costs of remedying the issue that allowed the loss or damage to your data, and costs to replace, restore or update your data.
Costs – external audit £300
Cyber Essentials Plus
A more advanced UK government-backed certificate.
It can be achieved after Cyber Essentials accreditation.
It involves a more detailed audit, including hands-on technical verification of your systems by an external assessor, and is more difficult to achieve.
Costs – external audit £1600
ISO 27001
The international standard for information security management. This is the most detailed level: the organisation must have its policies and procedures fully embedded. It is suitable for larger companies with complex data processing.
Costs – external audit £3,000
Consultancy to achieve certification – variable, depending on the size of the company.
A further benefit of achieving Cyber Essentials accreditation is the free cyber insurance provided by AXA XL, a division of AXA.
WHY DO I NEED CYBER INSURANCE?
Compliance with Cyber Essentials has been shown to significantly reduce the likelihood and severity of a data breach. Cyber insurance then provides vital incident response services and covers your costs in your hour of need.
WHO IS THE INSURER?
The insurance is provided by AXA XL, a division of AXA. In the event of a claim they will appoint their specialist consultants to assist and advise you and your IT team.
A recent ransomware attack on a US law firm to the stars (https://www.infosecurity-magazine.com/news/law-firm-to-the-stars-confirms/): the attackers are demanding US$42 million to release the firm's data and systems, and they have also encrypted its backups, so the firm can neither restore from backup nor bring its operating systems back up. Backups that stay online and reachable with the same credentials as production are simply more data for the ransomware to encrypt; only offline or immutable copies survive this kind of attack.
The same happened to Elexon, the company at the centre of the settlement system for the UK's National Grid:
“The company that facilitates payments on the U.K. electricity market, tracking the trade between those who produce electricity and those who supply it and resolving the differences, has fallen victim to a cyber-attack. Elexon is at the center of the balancing and settlement system, working with Great Britain’s National Grid Electricity System Operator (ESO) to keep the lights on. The lights didn’t go off across the U.K. as a result of this cyber-attack, but internal IT systems and laptops at Elexon went dark.”
Data from the security companies and the number of recent ransomware incidents show a dramatic escalation of a type of attack that, just a few years ago, was mostly directed at individuals, who had to pay only a few hundred pounds to get their files back. Now ransom demands run to hundreds of thousands or even millions of pounds. In the Travelex UK case the attackers demanded £4.6 million to release the company's systems and data; the attack also affected major banks including Lloyds, Barclays and Royal Bank of Scotland, all of which rely on Travelex for the foreign currency behind their travel money service, which is currently suspended. These larger organisations have far better security protecting their data than most SMEs, so imagine the exposure of a small business.
It is no longer a question of "if", or even "when", your company will be attacked, but of how your organization responds to and manages the threat when it happens. As Brian Krebs, one of the world's leading cybersecurity journalists, said at our recent event, "everything gets hacked!", and businesses and IT professionals need to start accepting that "depressing reality". The proliferation of attacks continues to surge: according to Cybersecurity Ventures, a business is hit by a ransomware attack every 14 seconds, compared with every 40 seconds in 2016, and by 2021 it will be every 11 seconds.
With the current pandemic the problems have not gone away for organizations and IT departments; on the contrary, they have escalated. No organization is exempt from the threat, not even the World Health Organization (WHO). According to its Chief Information Security Officer, Flavio Aggio, cyberattacks on the WHO have doubled in recent weeks, including an attempt to steal passwords belonging to agency staff.
Moreover, cybercriminals are taking advantage of the opportunity to scam, hack and cause chaos across the digital landscape. There has never been a better time for organizations to analyse their information resilience across areas such as cybersecurity, information management and privacy, security awareness programmes and compliance with regulatory requirements.
So, what should organizations do if they have a data breach?
Here are the six important stages of responding to a data security or data privacy breach. Working through them helps an incident response team to proactively detect, manage and remediate incidents, and so improve the organization's information resilience.
- Preparing for a data breach: Have you put the right governance structure in place, with the correct resources and tool sets?
- Identifying a data breach: Can your team respond to security alerts and determine if there has been a potential incident and ultimately a data breach?
- Containing and eradicating a breach: Are there plans in place, with the right resources, to stop a breach, remove the attacker's access and close the weakness that was exploited?
- Recovering from a breach: How quickly can you restore operations to business-as-usual?
- Post incident review: Are you systematically reviewing and identifying improvements from each incident?
- Lessons learnt from a breach: Are you successfully implementing lessons learnt across the business?
Our team of trusted advisors can support your organization's capability to respond to breaches at any time. Find out now how we can help keep your organization secure, safe and sustainable during these vulnerable times.
More reasons to choose JVR Consultancy for Compliance & Risk Management