Protecting personal data and preventing cyber attacks is mission critical.

25th April 2022

Protecting personal data and preventing cyber attacks is mission-critical in our opinion. The recent cyber-attack on the retailer The Works highlights that fines and sanctions from the data protection authorities are only the tip of the iceberg; the nightmare that follows such an attack is far larger.

In fact, the regulatory penalties may well turn out to be the least of the company's problems.

Just a few weeks ago, the arts and crafts retailer The Works had its systems compromised in a cyber-attack that disrupted both its online and in-store business.

The Works publicly stated that:

“All debit and credit card payment data are processed securely … therefore there is no risk that this payment data has been accessed improperly” …

However, despite this ‘reassurance’, news of the cyber-attack spread across the national media, and the reputational damage was reflected in the company's share price, which fell by more than 10% when the market opened.

So already we have reputational damage and financial damage to the share price.

On top of that, The Works, like any victim of a severe cyber-attack, is likely to suffer major operational disruption, to have vital time and resources consumed by dealing with the breach, and to face very large legal costs.

Add to that potential compensation claims, especially class or representative actions in which data subjects join together to bring a single claim on behalf of everyone affected, plus the possible loss of market share that follows such disruption and reputational damage, and it is no wonder that companies often struggle to recover from these situations.

Perhaps you remember what happened to the telecoms provider TalkTalk? In October 2015 it was hit by a cyber-attack. The ICO fined the company £400,000 because the breach was caused by a failure to fix a known weakness in outdated software. The overall cost to TalkTalk, however, is estimated to have been around £30 million.

Data protection is now a board-level concern. For companies with shareholders, especially those listed on stock markets, attackers can use a cyber-attack to drive down the share price and profit from the chaos. Boards and Senior Information Risk Owners (SIROs) no longer need to worry only about data theft or ransomware. Criminals are nothing if not inventive.

This is why we believe that protecting the personal data within your business is mission critical. Do you have the peace of mind of knowing that everyone in your organisation knows how to handle personal data and is aware of their cyber security responsibilities? If not, this would be a good time to issue new guidance and refresh their training so that your organisation stays cyber secure.

The Information Commissioner's Office (ICO) works alongside the Government's National Cyber Security Centre (NCSC), and both are excellent sources of further technical advice. Earlier today the NCSC, in association with other global cyber security organisations, issued a heightened global threat warning.

Please do take a deep dive into protecting personal data and preventing cyber attacks, but by way of a brief summary, here are some robust technical and organisational measures that you should be taking, especially now that remote working is the norm.

Technical measures might include:-

  • Providing a secure ICT network (anti-virus / firewalls, kept patched and up to date)
  • Encrypted remote access (avoid public Wi-Fi and use a VPN)
  • Taking regular back-ups (kept offline or off-site, and tested by actually restoring from them)
  • Securely disposing of old computers and devices (wiping or destroying the storage, not merely deleting files)
  • Encrypting sensitive emails
  • Access controls
  • Audit trails (records of who accessed what, and when, kept long enough to investigate a breach)
  • Pen tests (penetration testing, in which ethical hackers attempt to break into your systems the way a real attacker would, so that weaknesses are found and fixed before they are exploited)
  • Unusual activity monitoring (for example repeated failed logins, or logins at odd hours or from unexpected locations)
  • Securing websites against cyber and DDoS attacks

Organisational measures should include:-

  • Train staff in data protection and information security
  • Issue guidelines and policies, especially for remote working (and make sure staff read, understand and act on them)
  • Ensure access is limited to the information needed to perform the task
  • Don't share passwords
  • Encrypt personal information where possible
  • Do not store personal data on local devices or USB sticks
  • Educate teams on the risks around email (autofill, CC versus BCC, forwarding, attachments)
  • Avoid gossip and being overheard when discussing confidential matters (at home, on public transport)
  • Keep manual files secure (especially while out of the office)
  • Be transparent about processing (clear privacy notices)
  • Know what to do in the event of a breach (including the 72-hour deadline for notifying the ICO of a reportable breach)
  • Maintain logs and records
  • Appoint a Data Protection Officer (mandatory for public authorities and for organisations whose core activities involve large-scale monitoring or large-scale processing of special category data; good practice otherwise)
  • Have a robust leavers process so that when an employee leaves all of their access is removed
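The checklists above mention audit trails, unusual activity monitoring and a leavers process without showing what a check over an audit trail actually looks like. The following is an added example, not code from this page or from Griffin House Consultancy, that runs three such checks over a constructed authentication log: a burst of failed logins from one source address, a successful login from that address immediately afterwards, and any successful login by an account on a leavers list. The log lines, the leavers list and the thresholds are all assumptions made up for the example.

```python
"""Added example: audit-trail checks for the kind of unusual activity the
checklists refer to. The log, the leavers list and the thresholds are
constructed for illustration and are not taken from any real system."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit trail, one event per line:
# "<ISO timestamp> <user> <source IP> <result>"
SAMPLE_LOG = """\
2022-04-25T08:01:10 alice 10.0.0.12 success
2022-04-25T08:02:41 bob 203.0.113.9 failure
2022-04-25T08:02:44 bob 203.0.113.9 failure
2022-04-25T08:02:47 bob 203.0.113.9 failure
2022-04-25T08:02:50 bob 203.0.113.9 failure
2022-04-25T08:02:53 bob 203.0.113.9 failure
2022-04-25T08:03:02 bob 203.0.113.9 success
2022-04-25T09:15:00 carol 10.0.0.40 success
2022-04-25T22:47:30 dave 198.51.100.7 success
"""

# Assumed leavers list: dave has left, so any successful login is a finding.
LEAVERS = {"dave"}

# Assumed thresholds: 5 or more failures from one IP inside 60 seconds.
FAILURE_THRESHOLD = 5
WINDOW = timedelta(seconds=60)


def parse(log_text):
    """Turn the text log into (timestamp, user, ip, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def find_bruteforce(events):
    """Return {ip: first timestamp at which the failure threshold was met}."""
    recent = defaultdict(deque)   # sliding window of failure times per IP
    hits = {}
    for ts, user, ip, result in sorted(events):
        if result != "failure":
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()
        if len(window) >= FAILURE_THRESHOLD and ip not in hits:
            hits[ip] = ts
    return hits


def find_success_after_burst(events, hits):
    """Successful logins from an IP after it tripped the brute-force rule."""
    return [(ts, user, ip) for ts, user, ip, result in events
            if result == "success" and ip in hits and ts >= hits[ip]]


def find_leaver_logins(events):
    """Successful logins by accounts that should already have been disabled."""
    return [(ts, user, ip) for ts, user, ip, result in events
            if result == "success" and user in LEAVERS]


def audit(log_text=SAMPLE_LOG):
    """Run all three checks and return the findings as readable strings."""
    events = parse(log_text)
    hits = find_bruteforce(events)
    findings = []
    for ip, ts in hits.items():
        findings.append(f"{ts.isoformat()} brute-force pattern from {ip}")
    for ts, user, ip in find_success_after_burst(events, hits):
        findings.append(f"{ts.isoformat()} {user} logged in from {ip} after failure burst")
    for ts, user, ip in find_leaver_logins(events):
        findings.append(f"{ts.isoformat()} leaver account {user} logged in from {ip}")
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

On the constructed log this reports three findings: the failure burst from 203.0.113.9, bob's successful login from that address nine seconds later (the pattern to treat as a possible account compromise rather than a forgotten password), and a login by dave, which the leavers process should have made impossible. In practice the same logic would read the real authentication log and the real HR leavers feed, and the thresholds would be tuned to the organisation.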

If you would like advice or training on managing your data protection, please get in touch with the specialists here at the Griffin House Consultancy. Your best first port of call is to book your complimentary half-hour consultation, which you can do by filling in the form here.

Let us ease your mind

If you have any queries, questions or requests, please get in touch. We're always very happy to talk: you'll find a friendly voice on the end of the line, or you can simply fill out the form below.
