The impact of a data breach on any organisation - but particularly one involved in the aerospace and defence sector - could be very significant, and ultimately result in contracts being cancelled.
The National Security Risk Assessment 2015 placed cyber threats as one of the tier one risks (meaning the highest priority based on high likelihood and/or high impact) in the next 5 years. The threats were assessed to come from terrorism, fraud and serious and organised crime, espionage and disruption of critical national infrastructure.
This article looks at some of the risks around information security, and the practical steps that can be taken to minimise the risks.
It is important to be familiar with how sensitive data might be obtained:
- Hacking and phishing
Accessing information by exploiting a vulnerability in an organisation's website, or installing malicious software on an organisation's computer systems (e.g. through an email attachment, or through a phishing email) is all too common an occurrence. We have advised on claims involving intercepted emails, and the installation of malicious software via USB sticks, among others.
- Cloud computing
Cloud-based services are increasingly being used for storing confidential data. There is nothing inherently wrong with this, but by doing so the data is being placed in the hands of a third party who is being trusted to keep it safe.
- Disposal of IT equipment
Cyber crime doesn't always mean high tech. The largest data protection fine to date (£325,000) was served on an NHS Trust which failed to ensure that the contents of computer hard drives were securely wiped before they were disposed of. The hard drives ended up for sale on a popular internet auction website.
- Unauthorised disclosure of personal information
Some security breaches have arisen from the deliberate actions of employees, for example, by selling financial information to fraudsters.
The Consequences of Getting it Wrong
Without adequate cyber safeguards, the most significant risk is likely to be what an attacker who has gained access to confidential information might choose to do with it. Other potential risks include:
- a fine of up to £500,000 where personal data is compromised (although with effect from 2018, the potential fine in the very worst scenarios could be the higher of 4% of the global turnover of a business or €20 million)
- regulatory investigation
- reputational damage to the organisation targeted.
IT Security - Our Top Tips
Organisations must put in place appropriate technical and organisational measures to keep data and other confidential information secure. Not only is this a requirement of the Data Protection Act, but failing to do this greatly increases the risk of individuals or contract counterparties being able to bring a claim against the organisation should something go wrong.
Regarding technical measures, you should consider:
- How secure is the IT infrastructure?
Is software kept up to date and is the IT infrastructure 'stress tested' for information security by, for example, carrying out penetration tests on the network? Websites are particularly vulnerable and have been used by attackers to gain access.
- Is your technology kept up to date?
Doing so is an express requirement of the Data Protection Act. Most organisations use encryption in one form or another - is it robust and up to date? Technology moves so fast that what was secure 12 months ago might now be inadequate.
- Can you do any more to use available technology to minimise the risks?
This might include setting access permissions to ensure that certain sensitive information or personal information about staff can only be accessed on a 'need to know' basis.
- Homeworking and staff working 'on the go' (for example on the train)
These are particular risk areas. Organisations should ensure that staff are provided with the tools to enable them to access records securely.
You should consider whether appropriate organisational measures are in place:
- It is important to ensure that staff are trained on data protection and cyber security risks, and how to mitigate them. For example, staff should be trained to spot and deal with suspicious emails.
- Training should be backed up by robust policies and procedures which contain practical guidance for staff.
- However good your technical and organisational measures are, there will always be a risk that things go wrong - how you respond in those circumstances is key to minimising the risks and protecting those whose personal data the organisation holds. Do you have a disaster recovery plan to promptly shut down any security breach, should something go wrong?
As the global economy improves and foreign market opportunities increase, so too do the cyber risks. By understanding those risks and taking appropriate steps to mitigate them, you will be going a long way towards protecting your organisation, and those whose data you hold, from the threat of cyber crime.
In the next Aerospace & Defence Law Brief, we will look at some of the contractual mechanisms which you might use to manage your risk in this area.
If you wish to discuss any of the issues raised in this article, please contact our Aerospace and Defence Specialists Ed Rimmell on 0117 925 2020 or Andrew Gallie on 0117 314 5623.