So what steps can you take to avoid such an attack and how should you react if you are targeted?
Organisations must put in place appropriate technical and organisational measures to keep data and other confidential information secure. This is a legal requirement under data protection law.
Here are some top tips for implementation from VWV:
Keep your IT infrastructure secure. 'Stress test' it regularly, for example by carrying out penetration tests on the network.
Back up your data. If you are the victim of a ransomware attack, chances are your data will be encrypted as a result. If you fail to restore that data, the Information Commissioner may well consider that you have not done enough to protect it and that you have therefore breached the Data Protection Act.
Ensure that you apply security patches promptly.
Remote working and remote access are particular risk areas. Organisations should ensure that staff are provided with the tools to enable them to access records securely: consider at least two-factor authentication.
Keep sensitive information secure. Set up access permissions to ensure that personal information about staff and clients can only be accessed on a 'need to know' basis.
Train your staff on data protection and cyber security risks, and how to mitigate them. For example, staff should be trained to spot and deal with suspicious emails.
Ensure your technology is up to date. Technology moves so fast that what was secure 12 months ago might now be inadequate.
In addition to the loss of revenue prompted by a targeted attack (or in many cases, the complete shutdown of the business), failing to take those steps can result in a fine of up to £500,000, regulatory investigation and reputational damage.
VWV Partner Serena Tierney commented:
"There are no sectors or sizes of business that are immune from the risk of cyber-attack. Apart from the disruption to business, a cyber-attack can also lead to you breaching data protection law. For example, even if you have back-ups and can restore your data for your day-to-day purposes, if someone else has gained control of personal data in your files, this will be a breach. If they publish (or sell on) that data, you may be faced with substantial claims for damages as well as regulatory fines and reputational damage.
We are assisting clients from health, education and research sectors to manage their processing of personal data to minimise the risk of breaching the law. That includes crisis response planning since however good your technical and operational measures are, there will always be a risk that things go wrong. How you respond in those circumstances is key in minimising the risks and protecting those whose personal data the organisation holds."
So how should you react if you are the victim of a cyber-attack?
National law firm VWV has experienced solicitors based in London, Watford, Bristol and Birmingham who can provide specialist legal advice on all aspects of information law, data protection compliance and reputation management.