Welcome to our Cyber Security News Aggregator. Cyber Tzar provide a cyber security risk management platform, including automated penetration tests and risk assessments culminating in a "cyber risk score" out of 1,000, just like a credit score.

Ashfords LLP: How Businesses Can Strengthen Their Defences Against Growing Threats

published on 2025-02-28 12:11:30 UTC by josephross6
Content:

Protecting against cyber-attacks

Businesses handling significant or sensitive personal data are especially vulnerable to cyber security breaches.

The UK government’s 2024 Cyber Security Breaches Survey reveals that 50% of UK businesses experienced cyber-attacks in the previous 12 months. The most common type of attack was phishing (84% of businesses), followed by impersonating organisations (35% of businesses) and then viruses or malware (17% of businesses). This points to a rising trend of social engineering tactics being deployed by cybercriminals.

A notable example of this threat was the cyber-attack on the NHS and several of its key suppliers, which took place in June 2024. The attack targeted a critical third-party provider of pathology testing, affecting numerous NHS trusts across London, and, when a ransom was not paid, patient details were posted on the dark web. The cyber-attack was reportedly caused by a vulnerability in the supplier's cloud-based software, which had not been sufficiently patched against emerging threats.

Article 5(1)(f) of UK GDPR requires firms to process personal data securely, while Article 32 mandates the implementation of appropriate technical and organisational measures to safeguard data in accordance with the risk level. The NHS attack underscores that data security is only as robust as the weakest link in the supply chain. Firms that fail to assess and manage security risks at every level risk breaching their data protection obligations and could face significant penalties from the Information Commissioner’s Office (ICO) in the event of a breach.

Despite the aforementioned gloom, one encouraging trend from the 2024 survey is that 75% of businesses report that senior management now consider cyber security a high priority. Notably, the UK government’s survey found that 1 in 10 businesses review the risks posed by their suppliers.

Key steps to enhance cyber resilience

To minimise the risk of cyber-attacks and data breaches, businesses should implement comprehensive cyber security strategies. Key actions include:

  1. Regularly review and update information security frameworks: ensure your information security policies are up to date, with particular attention given to the protection of special category data, such as health records or financial information. Cybersecurity should be woven into every aspect of your firm’s operations.

  2. Supply chain risk audits: implement thorough risk assessments for all third-party suppliers. Ensure there are clear contractual obligations in place that require suppliers to meet specific security standards, conduct regular security audits, and report any incidents promptly.

  3. Invest in cyber insurance: cyber insurance can offer vital financial protection in the event of a data breach or cyber-attack.

  4. Develop and test an incident response plan: regularly review and rehearse your cyber incident response plan. It should include detailed roles and responsibilities for every team member involved, and clear procedures for involving legal, PR, and cyber security experts. This is especially useful for businesses with remote or distributed teams.

  5. Employee training and awareness: ongoing training is critical for reducing human error, which remains the leading cause of data breaches. Staff should be educated on the latest threats, such as phishing and social engineering, and trained on how to handle sensitive data securely.

  6. Implement multi-factor authentication (MFA): MFA is one of the simplest and most effective ways to protect systems from unauthorised access. Enforcing MFA across all systems, especially for accessing sensitive data, can significantly reduce the risk of credential theft.

  7. Regular security audits and penetration testing: conduct regular security audits and penetration testing to identify vulnerabilities in your systems before cybercriminals do. Third-party experts can often uncover weaknesses that internal teams may overlook.

 

Legal considerations following a data breach

In addition to addressing the technical aspects of cyber security, organisations must remain vigilant about their legal obligations under data protection regulations, such as UK GDPR. Unless the breach is unlikely to result in a risk to individuals' rights and freedoms, a breach of personal data must be reported to the ICO within 72 hours. Businesses should also assess whether affected individuals need to be notified and take steps to rectify a breach.

Furthermore, businesses that fail to take adequate cyber security measures can face enforcement actions from the ICO, as well as reputational damage. The regulatory landscape is constantly evolving, with fines for non-compliance potentially rising as part of broader efforts to hold organisations accountable for data protection.

Engaging experts both before and after a cyber-attack can significantly mitigate the risk from cyber-attacks and ensure compliance with UK GDPR.

For advice on cyber security or data protection matters please contact Tom Llewellyn, Partner at Ashfords LLP.

 


https://www.swcrc.police.uk/post/ashfords-llp-how-businesses-can-strengthen-their-defences-against-growing-threats   
Published: 2025 02 28 12:11:30
Received: 2025 02 28 12:23:55
Feed: The Cyber Resilience Centre for the South West
Source: National Cyber Resilience Centre Group
Category: News
Topic: Cyber Security