Businesses can be fined up to €20 million or 4% of their turnover (whichever is the higher figure) in the event of customers' personally identifiable information being lost, stolen, or leaked. These regulations are among the world's toughest data protection laws, and since they took effect in 2018, over 900 fines have been issued across the European Economic Area (EEA); in the UK specifically, GDPR fines have ramped up significantly in recent months. The sum total of GDPR fines levied in Q3 2021 hit nearly €1 billion, which is 20 times greater than the totals for Q1 and Q2 2021 combined [1].
As many businesses become more reliant on technology, the threat of a cyber-attack and subsequent data breach has become one of the most significant – and growing – risks they face, with cyber-attacks increasing year-on-year. Any business that electronically stores customer information is vulnerable to suffering a data breach, the impact of which can be significant from a business interruption, reputation and financial perspective. In this article our cyber experts outline steps that businesses should take to help protect client data from being compromised.
Encrypting data
Encryption converts data into an unreadable form that can only be decoded with the right key, so it is vital for businesses to turn on network and data encryption when storing and sharing data, including before it is sent over the internet. This can be activated through router settings or by installing virtual private network (VPN) software on computers and other devices.
Cybersecurity awareness training
Employees are arguably one of the most important lines of defence against cyber-attacks. Businesses should provide tools and training to employees to help them identify a potential cyber threat, and take the appropriate steps to mitigate it.
Employee security policies
Linked to the above, it is important that businesses have clear cybersecurity policies to guide employees on what is acceptable when sharing data, using computers and other devices, and accessing internet sites.
Vulnerability scanning
A business should keep a record of all the equipment and software it uses and should conduct ongoing vulnerability scanning against its publicly facing assets, identifying potential vulnerabilities and exploits. A key step is removing sensitive information from any device and software that is no longer in use and disconnecting those devices from the network, since older equipment can serve as an avenue for criminals to access data. A cyber risk management expert can support a business in conducting vulnerability scanning.
Use multi-factor authentication
Multi-factor authentication (MFA) adds a layer of protection to the sign-in process. It strengthens security by requiring users to provide at least two pieces of evidence, or authentication factors, to prove their identity. By requiring multiple authentication factors, MFA provides a higher level of assurance about the user's identity: even if one of the factors has been compromised, the chances that all of the factors have been compromised are low.
Cyber insurance as a risk management tool
Good cybersecurity practices are important for businesses trying to minimise the risk of an attack happening, such as ensuring employees have strong passwords in place and are trained to be aware of the risk of cyber-attacks, checking firewalls, conducting regular software updates, and turning on multi-factor authentication. Even so, businesses are potentially leaving themselves open to the threat of financial and reputational damage if they don't have cyber insurance in place.
Cyber insurance cannot protect a business against cyber-crime completely, but it can help it recover from and respond to the immediate impact of an attack by working to quickly restore network systems and data, while minimising business interruption as much as possible, including covering loss of income during any periods of disruption.
Cyber insurance can be bought as a standalone policy or as part of a wider commercial insurance policy which will include cover for other risks to the business. In many cases, however, a standalone cyber policy may be the best solution to ensure comprehensive cover.
Policies vary, but the majority of standalone cyber insurance policies include cover for cyber extortion, business interruption and crisis management costs. Through a specialist insurance broker, businesses can also access a range of support measures, including help with developing cyber risk management procedures, legal advice and access to forensic IT consultants, who help to establish the existence, cause or scope of a security incident and to stop or limit the incident, enabling organisations to respond to an event quickly and effectively.