The GDPR – All You Need to Know
By now, most of us are well aware of what a cyber-attack is and the devastating consequences it can have, and it is likely you have come across the phrase “GDPR”.
Whether it is a suspicious-looking message from HMRC or an email claiming to be from your bank but riddled with spelling errors, these are both examples of hackers attempting to scam you and infiltrate your IT systems.
Most of us are reasonably well educated on cyber-security when it comes to things like not sharing social media passwords, and in the workplace you would expect IT security standards to be twice as strict.
Shockingly, this is quite far from the truth.
A survey carried out by law firm Blake Morgan has confirmed that an alarming 9 out of 10 employers are yet to make any updates to their data processing policies.
More than a third of the companies surveyed also admitted that they were not confident that they would be totally compliant by next May.
A cyber-breach can be fatal for small to medium-sized businesses: the average cost of a cyber-attack is roughly £75,000, a sum that could cripple some companies.
This should be alarming to all employers, especially following the dramatic surge in hackers targeting large organisations.
Concerning Increase in Cyber-Attacks on Businesses
Over the last 12 months, it has been reported that 75% of SMEs have been the victim of a breach, with only 25% of the affected companies managing to recover successfully.
One of the most notable examples of a high-profile organisation being hacked is the recent infiltration of the NHS’s computer systems.
The global breach occurred in May this year and affected up to 48 NHS trusts.
A message demanding $300 in return for access to the system appeared on the screens of around 40,000 computers, effectively holding patient and organisational data to ransom.
One of the world’s biggest accountancy firms, Deloitte, has also recently discovered that it was the victim of a sophisticated cyber-attack which went on for many months.
All internal and external emails sent to and from its 244,000 staff members, many of which would have contained sensitive customer information, had been accessible to the cybercriminals.
Fortunately, only six clients were affected by the hack, but for a business so well-respected and wealthy to be infiltrated just goes to show that anyone could be a victim.
All affected NHS trusts are now back in operation, presumably with far better-protected computer systems than before, and it is highly likely that Deloitte will recover successfully from the breach; however, the same may not be true for smaller businesses.
How Would A Cyber-Attack Affect Your Company?
Hackers are shrewder today than they have ever been.
A common tactic is to exploit known vulnerabilities in outdated, unpatched Windows systems, which can give an attacker access to whatever they wish to see.
This can have devastating effects on a company in any industry, and below we have compiled a list of what issues can arise following a cyber-attack:
- Financial loss. Criminals may gain access to your company’s bank details or your clients’ bank details (in which case you would have to compensate them financially). Repairing and improving your company’s network is also very expensive.
- Damage to reputation. Customers may be reluctant to work with you after a cyber-attack as they will find it incredibly difficult to trust your company’s data system. Reputational damage may not just lead to a decrease in customers but also alienation from investors and partners.
- Legal implications. Under the current Data Protection Act, the maximum fine a company may face stands at £500,000, but this is due to change as of May 2018 when the new EU General Data Protection Regulation takes effect.
What Are The New GDPR Rules?
The GDPR has been designed to replace the significantly outdated Data Protection Act, with hopes that its sterner fines for non-compliance will force employers to rethink the strength of their networks. In the past, there has been a significant focus on user experience and scalability of sites and digital products – but under the GDPR, this will become less of a priority.
As of the 25th May 2018, all UK companies must have made the necessary changes to the way they process data and take greater care to protect the information of clients – and if they breach the new regulations they could potentially be subject to a fine of up to £17m.
Where 4% of a company’s global turnover is more than £17m, it would be ordered to pay that higher amount instead, which could mean that some companies face insolvency as a result of GDPR penalties.
The GDPR allows very little time to notify those affected once a breach is discovered, so it is well worth preparing email or letter templates in advance that you can send to your customers to tell them what has happened.
Whilst the maximum fine of £17m will be reserved for the more serious offences, minor breaches will mean your business faces a slightly lesser (but still steep) fine of £8m or 2% of your company’s global turnover, whichever is higher.
The NCSC (National Cyber Security Centre) has created a joint industry/government initiative known as the Cyber-Security Information Partnership (CiSP), which will allow companies to register themselves as members in order to receive and share cyber-threat updates across all industries.
What to do in the Event of a Cyber-Attack?
The GDPR gives you very little time to react in the event of an attack, which means having a well-thought-out response plan is crucial.
The plan should include a strategy that is practised regularly so that you and all of your employees know exactly how to react, and it should set out how you will notify all affected customers and the authorities.
A good Data Breach Response Plan should include steps similar to the following:
- Determining why the breach occurred is crucial so that you can prevent making the same mistake in the future.
- In order to try to regain the trust of your clients, it is important that you inform them as quickly and as sincerely as possible, and assess how they will be reimbursed.
- Seek the help of PR professionals to restore the reputation of your brand.
- If you have cyber insurance, contact your insurers immediately after discovering the breach.
- Rebuild, repair and strengthen your company’s IT networks. Consider hiring an IT professional to evaluate your systems and give you advice.
Are There Any Exemptions?
As we inch closer to the day the GDPR becomes binding legislation, new information is being released on the subject almost daily.
Experts have recently explained that certain data processing situations will be exempt from the rules.
Where the GDPR would affect one’s ability to carry out scientific or historical research, or to uphold obligations of secrecy, the new rigorous data laws would not apply.
Situations involving one’s freedom of expression and archiving in the best interests of the public (investigative journalism) are also exempt.
Cyber Insurance Policies With Insure 24-7
We are proud to say that as part of our 365 Insurance for Business range, we are now offering businesses the chance to be covered from an even wider range of risks – including cyber and professional indemnity insurance just to name two.
Our cyber insurance policies have been designed to reimburse your company for the costs which may arise following a cyber-attack (such as fines issued against you), as well as to assist you with the urgent notification procedure and help you rebuild your business’s IT networks.
When you choose this kind of coverage with us, we will also go that extra mile to arrange for a thorough investigation of your systems which will be conducted by law and IT experts.
Do not hesitate to contact our brokers to receive a free quote today, or to simply enquire about our services.