The ransomware attack that affected the NHS and other organisations across the globe is a salutary lesson to all of us: individuals, businesses (large and small), and charities.
How would you cope if your organisation were the victim of a cyber attack? What can you do to limit the chance of being affected?
In recognition of the particular challenges faced by small businesses, the Federation of Small Businesses (FSB) released a statement on 16 May 2017, stating:
"Cyber crime is one of the fastest growing risks to small businesses, and one of the fastest growing areas of crime globally. Attackers are becoming more effective, while victims are becoming less able to discover attacks".
A recently published FSB report, ‘Cyber resilience: how to protect small firms in the digital economy’, warns of a staggering seven million cyber crimes that are committed against smaller businesses in the UK every day; equating to a daily total of 19,000 attacks! A small business experiencing a cyber attack will suffer a cost of £3,000 over a period of 2-3 days—the average period it can take for a small business to recover from such an attack.
The statement recognises that charities, in particular, are operating in an environment where resources are limited. This is supported by the National Cyber Security Centre (NCSC), which has acknowledged that small businesses are at greater risk of a cyber attack because they have fewer resources to keep their systems up to date. They are, quite rightly, focused on their day-to-day responsibilities. This may translate into back-ups not being taken quite as regularly as they ought to be, and into back-ups being kept on-site rather than off-site (on managed, dedicated servers and/or in the Cloud).
The Charity Commission has provided some advice, which all charities and businesses can take on board, to protect against cyber attacks similar to those we witnessed in May 2017. They suggest that you should:
- Install system updates on all devices, as soon as they become available;
- Install anti-virus software on all devices and keep them updated;
- Create regular backups of your important and business-critical files to a device that is not left connected to your network, as any malware infection could be spread to that too; and
- Not meet any stated demands and pay a ransom—this may be requested via Bitcoins (a form of digital or ‘crypto’ currency).
This is, indeed, good advice. But how do organisations practically translate this into actions?
Existing contracts
With existing contracts, it's advisable to:
- Review contracts for provisions relating to maintenance, bug fixes (patches), and back-ups;
- Check how often your supplier is obliged to undertake back-ups, and whether this falls in line with your own business continuity policy. The speed at which you are able to restore data is critical to your swift recovery, should you encounter an attack;
- Back up at least once every 24 hours, and store back-up data off-site to enable easy and quick retrieval, if it becomes necessary;
- Understand the format in which the back-up is held;
- Check whether you are receiving and applying patches and fixes in accordance with the obligations in the contract. If not, explore the latest versions and updates, and install them as soon as possible;
- When purchasing software and hardware (particularly from separate suppliers), ensure the hardware meets the specification needed to run the software in accordance with the software's stated requirements;
- Consider variations to contract(s) where the provisions relating to cyber security are inadequate or provide no protection at all; and
- Check that you have cyber cover in your insurance policy. Review the conditions attached to that cover (for example, maintaining and updating firewalls and anti-virus software regularly, or as often as the policy states). Check the levels of cover and the extent to which loss of data is covered. If cyber risk is not covered by the policy, consider purchasing cover.
Procuring new contracts
When you're procuring new contracts, it's advisable to:
- Take legal advice from a solicitor who has experience of IT contracts prior to signing contracts;
- Ensure, when purchasing software, that the supplier is aware of (a) the hardware requirements and (b) the hardware that you will be running the software on. Look for indemnities and/or termination provisions covering the case where the software turns out to be wholly unusable on security grounds, through no fault of your own;
- When new software and hardware is purchased, ensure up-to-date, fully protective anti-virus software is installed;
- Review your 'bring-your-own-device' policy, to minimise the risk of a virus entering your servers from a personal device or machine that the network trusts;
- Consider obtaining a recognised security standard, such as ISO 27001; and
- Check that cyber cover is included in your insurance, and the conditions under which that cover is provided. Re-negotiate the terms of proposed contracts if required, to align with the cover you are able to acquire in any policy. Check any conditions relating to anti-virus software and firewalls, and ensure that you are able to comply with these; otherwise attempt re-negotiation.
What else should you do?
- You need to act swiftly and appropriately. Even if your machines and network(s) show no sign of ransomware, there is a small possibility that the malware is lying dormant on your servers and/or network, waiting to launch a further attack;
- Limit administrator rights, so that programs (which could contain viruses) cannot be installed on the network indiscriminately. Only a couple of IT personnel should hold these rights;
- Conduct regular data cleanses on your systems; and
- Think about initiating a pop-up message every day, as staff sign on, which reminds them of the dangers of cyber crime and to remain vigilant. You could even run a quiz to improve staff knowledge around this issue. Responses will prove an ideal tool for monitoring where staff have gaps in their understanding of the issues around cyber crime; these can be plugged with appropriate training.
Businesses are encouraged to consult and engage with their IT departments, to ensure the safety measures are delivered appropriately.
To find out more about how we can support you with IT and the law, both preventative and reactive, please contact Jay Airey.