CYBERSECURITY ADVICE

The value of cyber risk assessments and how to reinforce your soft underbelly: your employees


Trainee solicitor, Wright Hassall LLP

September 27, 2017


Headlines revealing the latest cyber-attack have cropped up with concerning regularity in 2017.

It will therefore come as little surprise to learn that the latest institutions to be found wanting in the cybersecurity department are universities, as reported recently in The Times. Following a Freedom of Information request, the paper discovered that the number of attacks experienced by leading universities has almost doubled in the past two years, with advances in military and energy technology being particularly targeted.

The director of cybersecurity research at the University of Warwick was reported as saying that lax cybersecurity was a problem at many universities. Another security expert claimed this was due to their use of open networks, insufficient investment in both software and staff to monitor security, and the difficulty of managing a range of different networks.

While universities are an obvious target for cyber-attacks (many of which appear to be sponsored by nation states) due to their rich seam of research data and inadequate defences, every business should be aware of the damage cybercriminals can inflict by disrupting their operations.

The ransomware attack on a range of organisations (including the NHS) demonstrated this only too clearly earlier this year.

Protecting your networks from cyber-attacks

Cybercriminals are always looking for the chink in the armour so every business must take cybersecurity seriously to avoid becoming a victim.

The first step is to carry out a risk assessment to establish what personal data and other confidential data the company holds and how it is used, transmitted and stored. Once you have identified any weak spots where cybercrime poses a particular risk, the next step is to implement security measures to protect your networks from cyber-attacks.

Employees are a weak spot

It is right to acknowledge that one of your major weak spots is likely to be your employees. You need to put clear procedures in place, encapsulated in a company policy, to deal with the risk of cybercrime, and all staff should be trained on the steps they can and should take to prevent it.

You can insist that any memory sticks, tablets or mobile phones used by employees outside the workplace must be scanned before using them on company network systems. Indeed, you might even consider whether every employee should have permission to use portable media.


You can consider taking out insurance or engaging a third party to manage your cybersecurity where the risk of attack is high or the implications particularly severe.

Employees’ use of social media can also compromise your cybersecurity unless you have a clear social media policy that sets out limits to social media use in the workplace. This is particularly relevant where employees work with, or have access to, sensitive information.

Individuals’ right to privacy versus security

Naturally, there are implications for companies which need to monitor and store employee information or data. Any such monitoring must be proportionate and carried out in accordance with the Data Protection Act 1998.

Individuals’ rights regarding their data will be further strengthened by the introduction of the General Data Protection Regulation (GDPR) in May 2018.

The Employment Practices Code contains further guidance for businesses on monitoring employees at work.

You need to inform employees that they may be monitored, and it may be necessary to seek employees’ express consent in cases where employee communications are being intercepted. Failure to do so could mean a business facing a claim for damages from the sender, recipient or intended recipient of the communication.

Employees also have a right to privacy under the Human Rights Act 1998. An employee can bring a claim for unfair dismissal where they believe their dismissal was based on evidence gathered about them through their employer’s monitoring equipment that interfered with their right to privacy.

Companies should also bear in mind the unquantifiable reputational damage they might suffer if they are found to be excessively monitoring their employees.

All businesses can be badly affected

The bottom line, as university cybersecurity chiefs will attest, is to:

  • Carry out a risk assessment
  • Invest in security measures to keep your networks safe
  • Train your staff to understand the risks to the business from cybercriminals
  • Put clear policies in place so everyone knows what they can and cannot do in relation to portable devices and social media use

Although cybercrime poses a particularly virulent threat to high-tech research, development and manufacturing organisations, everyone needs to be aware that a cyber-attack can have very serious financial implications for any business.
