Business continuity is affected when hit by Denial-of-service attack (DDoS) and other cyber attacks against insecure internet-connected devices such as IoT(the internet of things) like cameras, webcams and digital video recorders, which become infected with malware.
Therefore, companies must think carefully about their Internet-exposed infrastructure and that of their vendors, everything from a customer online portal to their building’s heating, ventilation and air-conditioning system, and brace for heightened levels of disruption to operations if attacked.
We saw with the recent attack on the NHS, similar trend emerging with regard to ransomware, the malware that holds its victims’ data hostage through encryption until a ransom is paid in bitcoins.
Naturally, where records are the target, the criminals steal sensitive files and – rather than locking them down with encryption – use the information within them.
So, it is clear, directors must evaluate cyber-risk differently, and while most companies have a business continuity plan many have not stress-tested their plans against these evolving threats.
One method for doing so is to enlist employees or a cyber-security firm to attempt to execute attacks through so-called “red teaming,” which should help companies identify any shortcomings before an attack strikes. Certainly, such an effort will signal that the board and management are paying attention to these risks.
The board also should determine whether the company’s insurance covers these new risks.
Cyber insurance has traditionally focused on privacy breaches, but companies now increasingly seek policies that cover:
Therefore, the business should consider readjusting its insurance coverage accordingly.
Separately, there needs to be scrutiny of the company’s Cyber-risk and Incident Disclosures in readiness of the mandatory reporting of breaches under the EU General Data Protection Regulation (EUGDPR).
Companies also should expect that cybersecurity whistleblowers will become more prevalent and therefore, directors should first ensure that the company has afforded opportunities for whistleblowers to report internally, and that management has trained information technology managers about what could form the basis for cyber-security whistleblower complaints and how to properly receive and escalate any issues raised by internal reports to the appropriate level.
For more information or support, please contact the HPC team today:
T: 0844 800 5932
Follow us on Twitter for more Employment Law news and updates @HPC_HRservices