• Careers
  • Contact Us

Is Your Company at Risk of a Cyber-Attack?

on Thursday, 18 May 2017.

WannaCry, the massive ransomware campaign that hit a number of organisations around the world last Friday has highlighted the increased cyber risks and data protection challenges that businesses are facing.

Data protection 750x450

In Britain, over 50% of all businesses experienced an attack in 2015. Whether you are a large multinational company, a higher education institution or an SME, cyber security breaches are a risk.

So what steps can you take to avoid such attack and how should you react if you are targeted?

Are You Doing Enough to Protect Your Organisation?

Organisations must put in place appropriate technical and organisational measures to keep data and other confidential information secure. This is a legal requirement under data protection law.

Here are some top tips for implementation from VWV:

  • Keep your IT infrastructure secure. 'Stress test' it regularly, for example by carrying out penetration tests on the network

  • Back up your data. If you are the victim of a ransomware attack, chances are your data will be encrypted as a result. If you fail to restore that data, the Information Commissioner may well consider that you have not done enough to protect it and that you have therefore breached the Data Protection Act

  • Ensure that you apply security patches promptly.

  • Remote working and remote access are particular risk areas. Organisations should ensure that staff are provided with the tools to enable them to access records securely: consider at least two-factor authentication

  • Keep sensitive information secure. Set up access permissions to ensure that personal information about staff and clients can only be accessed on a 'need to know' basis

  • Train your staff on data protection and cyber security risks, and how to mitigate them. For example, staff should be trained to spot and deal with suspicious emails

  • Ensure your technology is up to date. Technology moves so fast that what was secure 12 months ago might now be inadequate

The Consequences of Getting It Wrong

In addition to the loss of revenue prompted by a targeted attack (or in many cases, the complete shutdown of the business), failing to take those steps can result in a fine of up to £500,000, regulatory investigation and reputational damage.

VWV Partner Serena Tierney commented:

"There are no sectors or sizes of business that are immune from the risk of cyber-attack. Apart from the disruption to business, a cyber-attack can also lead to you breaching data protection law. For example, even if you have back-ups and can restore your data for your day-to-day purposes, if someone else has gained control of personal data in your files, this will be a breach. If they publish (or sell on) that data, you may be faced with substantial claims for damages as well as regulatory fines and reputational damage.

We are assisting clients from health, education and research sectors to manage their processing of personal data to minimise the risk of breaching the law. That includes crisis response planning since however good your technical and operation measures are, there will always be a risk that things go wrong. How you respond in those circumstances is key in minimising the risks and protecting those whose personal data the organisation holds."

5 Crisis Management Tips for Your Business

So how should you react if you are the victim of a cyber-attack?

  • Don’t panic!
    The first step to stop the situation getting any worse will involve liaising with your IT team on ways to stem the problem.

  • Co-ordinate the team and policies
    Make sure each team member has a specific role to play in responding to the crisis. That will allow you to ensure that enquiries are directed to the relevant individual in your organisation. Regulators will look to see that you have appropriate policies in place and that they have been followed. Sanctions are likely to follow if not.

  • Prepare a statement
    When you become aware of a potential issue, and if it has potential to attract the attention of the press, consider putting together a draft response/press statement.  

  • Beware of reporting obligations
    Be aware of any obligation to report incidents (and the timing of such reports) to regulatory bodies such as the Information Commissioners Office, the data subjects or your insurers.

  • Think very carefully before engaging with hackers. They are usually attention seeking and it may not be wise to engage.

National law firm VWV has experienced solicitors based in London, Watford, Bristol and Birmingham who can provide specialist legal advice on all aspects of information law, data protection compliance and reputation management.


For more information, please contact Serena Tierney in our Commercial Law team on 020 7665 0817.

Leave a comment

You are commenting as guest.