Cyber crime and cyber attacks are words we regularly read or hear about in news reports. Yet, many businesses believe ‘it will never happen to us’. Recent statistics from the Government Security Breaches Survey found that nearly three-quarters (74%) of small organisations reported a security breach in the last 12 months.
Size doesn’t matter for hackers – small businesses are often ripe pickings, with lower defences than larger organisations and a valuable source of customer data and intellectual property.
The costs of a cyber attack can range from:
- Loss of revenue (the Government estimates loss of a third of total revenue)
- Loss of man-hours
- Reputational damage
- Loss of customer data, privacy and intellectual property
- Potential loss of customers
- The inability to continue to operate
- Declining share value (if your company is listed)
- Hefty fines if you are found guilty of data protection breach
How can we help your business?
At Hamlins, we believe cyber security is so much more than a technology issue. It needs to feature at a much higher level within your organisation, as part of the overall business strategy.
We can advise on steps to take to minimise the risk of cyber attacks through to how to contain a live cyber crisis.
Prevention and Detection of a Cyber Attack
- Identifying systems, approaches and cultures which can be adopted to proactively resist the ongoing threat of cyber attacks
- Identification of appropriate means to recognise and acknowledge security breaches and the likely consequences of such breaches
Read more about our key services:
The Hamlins Cyber Security Audit
Our team works with company CEOs, senior management and technical teams to review their current cyber security strategies and then provides a detailed report of recommendations.
Our review includes looking at businesses, processes and controls, operations, technology, business strategy, internal communications, risk management, staffing, training, insurance cover and regulatory compliance. We will also provide guidance on proactive steps to be taken to minimise the risk and impact of your business suffering a potential cyber attack, including:
- Business Continuity – examining disaster recovery systems, identifying what has been hacked, responses of your suppliers and contractors
- Business Critical Contracts – assessing what your key contracts say about data, security measures and cybersecurity and warranties
- Your Key Assets – reviewing assets and information key to your business which, if compromised, could severely damage your business, such as intellectual property and regulated data
- Data Protection and Privacy requirements – obliging suppliers to implement appropriate technological and organisational security measures against unauthorised or unlawful processing of data (such as by hackers)
- Incident Response and Recovery Strategy – working with you to formulate a clear process and systems for dealing with cyber and data attacks, ensuring everyone in your team knows their responsibilities and the process to follow if an attack takes place
- Liability – anticipating and mitigating liabilities such as data damage or loss, privacy infringements, denial of service and lost income.
- Remedies – identifying liquidated damages which could be payable for the duration systems are down
- Insurance – advising on appropriate options for insurance cover
- Replacement systems – identifying replacement, mirror or alternative platforms so that the business can continue to operate should there be a future cyber attack.
- Staff training – maintaining crisis plans long after we’ve completed the Audit.
The Hamlins EU General Data Protection Regulation Compliance Check
Brexit may mean Brexit, but the forthcoming EU General Data Protection Regulations (the “Regulations”), which come into force in 2018, will still apply to all businesses operating in the UK.
Hamlins will review your business to determine compliance with the new Regulations, to avoid the risk of much heftier fines or even a criminal prosecution. We will ask questions such as:
- Does your business have the necessary systems and governance in place to meet the considerable new governance obligations required under the Regulations?
- What kind of Personal Data does your Company collect and process?
- If you rely upon the consent of customers to process their data, have you reviewed your existing practices to ensure they meet the new requirements of the Regulations?
- What are you doing to meet the new Privacy By Design requirements under the Regulations?
- What do your key contracts currently state about Data Protection and Privacy?
- If you use third parties to process your company’s data, does the contract place sufficient obligations on these parties to implement appropriate technological and organisational security measures against unauthorised or unlawful processing of data (such as by hackers)?
- Do you have a Data Breach Response Plan in place (the forthcoming Regulations require any business that suffers a data breach to notify the data protection authority without undue delay and within 24 hours)?
- Have you designated specific roles and responsibilities for employees and prepared notifications in case of a breach?
- Have you appointed a Data Protection Officer?
- Have you conducted a Data Protection Impact Assessment where appropriate?
Live Cyber Crises and Attacks
The cost of a cyber attack can be significant for an organisation, not only in terms of the financial impact but the huge reputational damage it can cause. The Sony 2014 hack caused financial losses of $35 billion for the business – and Sony’s reputation still remains tarnished even today.
The Hamlins team can help during a cyber attack by:
- Advising on the recovery of information and data
- Identifying and prosecuting hackers
- Managing risks and liabilities whilst the business is subject to the cyber attack
- Providing advice on formal negotiation to the ICO, regulatory authorities and commercial partners
- Making notifications to insurers
- Controlling litigation resulting from data breaches
- Collating evidence to support and defend any claim or act brought
The Hamlins team can also manage reputational issues during and after the cyber crisis by:
- Stopping negative information spreading virally over the internet including social media platforms
- Working with internal media communications and external PRs to act immediately to respond to an attack and how it is then portrayed in the media
- Issuing warning notices to major distributors of news including newswires and press regulators to shape how a story of a cyberattack develops
- Influencing the conversation on social media
For further information on how we can assist you with reputational issues please see our Reputation Management service.
The Cyber Security Team at Hamlins has helped a range of businesses, from minimising their risk of being attacked through to containing a live crisis.
Read the examples below to see how we have helped:
A property SME get back on track after a series of phishing attacks using our Cyber Security Audit
The CEO of a growing property business with a turnover of approximately £15-20m contacted Hamlins’ Cyber Security team as the company had been subjected to a growing number of phishing attacks within a space of 3 months. It was estimated that up to 100 man hours had been lost, including the time of senior management and executives, the Customer Relations team, IT support and software developers. Various aspects of the software licensed via a web exchange had to be removed and replaced, which meant a limited/reduced customer experience for a period of a few weeks.
Crucially, time had to be invested following the attacks to retain customers and reassure them that the new software systems were robust. The CEO was concerned about the likelihood of future attacks occurring and wanted to ensure appropriate cyber security strategies, policies and contracts were in place.
How Hamlins helped
We undertook a comprehensive Cyber Security Audit which reviewed different areas of the business such as technology, business strategy, internal communications, contractual risk management, staffing, training and regulatory compliance. We also designed and developed a tailored crisis management strategy so the firm was fully prepared should a cyber breach ever occur again. Given the budgetary constraints of this small business, our team focused on the business critical risk areas of the business to ensure these were suitably robust and would not impact on the future operation and revenues of the business.
Our Audit revealed that the firm was not fully compliant with the current and future requirements of Data Protection regulations and could be at risk of hefty fines and/or third party claims should another attack ever occur. Other contracts and policies were also open to interpretation or, worse, not in place. Our team drafted and amended all necessary legal documents to resolve the issues.
Following the completion of the Audit and the implementation of the new cyber strategy, the business has not fallen victim to any further cyber attacks. The cyber security strategy is now not only understood but championed throughout the business – minimising the likelihood of any future cyber breaches.
A high street retailer get back to business quickly after a cyber attack
A national retailer contacted Hamlins following a cyber-attack on the company’s website and internal IT system, reducing its ability to sell products and to maintain relationships with suppliers. The “spear phishing attack” was restricting almost every employee within the business from carrying out their job. The attack was set to damage revenue, commercial relationships and the goodwill and reputation associated with this client’s brand. Repelling the attack and restoring the systems was therefore time critical.
How Hamlins Helped
Because Hamlins had already worked with this client to establish a proactive crisis management solution for cyber security attacks, we didn’t lose valuable time and could act decisively. We had prepared appropriate alternative “mirror” technology solutions, which were quickly available to the client both via third party providers and via remotely accessed IT solutions. In addition to putting these new systems in place, Hamlins oversaw the vital communications that would inform and reassure the client’s business partners, customers and regulators. We managed contact with the client’s third party suppliers to provide notification of the cyber-attack and mitigate any potential damage caused. We also notified the industry regulator, the Information Commissioner’s Office, of the data breach.
Installing the replacement business service meant that the client’s website and internal system “downtime” was limited to a few hours. Crucially, the damage to supplier relationships and the loss of revenue were minimised and the client was able to protect the ongoing goodwill and reputation of its brand. The regulator saw no need to impose any penalties or to undertake extensive investigations into the client’s response to the crisis.
An interactive entertainment company stay on top of their game for EU Data Protection Regulations
Hamlins was asked to advise a leading games and interactive entertainment company on its use of data globally.
How Hamlins helped
Hamlins provided and conducted a Cyber Security and Data Protection Compliance Audit of the digital platform. The process involved Hamlins team members attending the offices of the company and speaking with the Board and Senior Management to get under the bonnet of the company’s data use and existing data structures, training and processes.
Hamlins produced a detailed report highlighting those areas of potential concern, and the practical and legal steps required to ensure compliance with the new Regulations. The Audit also identified potential weaknesses of the business, made recommendations in terms of data and privacy strategy and the data culture of the business; and brought the company into compliance with the Regulations concerning the collection of children’s personal data. Changes were implemented to ensure customer consent and data notices were fit for purpose with the new Data Protection Regulations.
A video games company return to ‘business as usual’ after being hacked
A video games company approached Hamlins for advice, following a successful hack of its IT Systems and customer databases.
How Hamlins Helped
Hamlins worked closely with senior management and technology providers to identify the causes of the cyber-attack, analysing the extent to which the attack had penetrated the business and compromised intellectual property and confidential information. After reviewing the extent to which sensitive information and personal data had been stolen by the attackers, Hamlins worked closely with external agencies to ensure the company could return to business as usual as quickly as possible. This included contact with technology consultants to stop the attack and remove all damage to the company’s systems; liaising with the Information Commissioner and advising the company on how to minimise the risk of potential fines being imposed; and advising the business on its external messaging and customer contact. Working hand in hand with external brand and PR agencies, the company was well prepared when the attack hit to communicate a clear message to customers and keep them up to date.
Due to the expedient and commercial advice and steps Hamlins provided to help prepare the company before the attack, including advising the business on its Data Protection Strategy and preparing a written Disaster Recovery Policy, the Information Commissioner found the company had done everything within its powers to reasonably safeguard personal data. As a result, no fine was imposed on the company.
A TV broadcaster after TV programme content was stolen and released
Our Partner Julian Ward was asked to advise a TV broadcaster, following the successful hack of a major entertainment programme, resulting in the premature disclosure of TV programme content prior to official commercial release.
How we Helped
Julian advised the broadcaster’s senior management on the key steps to be taken immediately following the hack, including locking down any further use of third party entities to distribute the programme content and putting in place steps to ensure removal of content from the internet via various “take down” measures. Julian reviewed the existing contractual arrangements with third party providers to assess the extent to which contractual remedies and indemnification could be relied upon. Julian advised the broadcaster on the practical steps required to prevent a recurrence of the incident. This included the use of digital watermarking of content to ensure a clear pathway for monitoring content could be provided in the future.
By working closely with the IT teams and management, Julian was able to review the processes in place and update and amend existing processes to help minimise the risk of future attacks.
Reducing and dealing with the impact of cyber breaches requires a holistic offering.
Our team of leading legal and reputational experts work alongside some of the best technology and communications professionals in the field to ensure all the dots are joined up and managed effectively.
Matthew Pryke – Commercial Technology Partner
Matthew advises CEOs and senior management how to create the best legal, technological and security governance strategies for the business. Matthew has worked as a CEO and understands the commercial and budgetary pressures businesses face when implementing strategic projects. Contact Matthew.
Christopher Hutchings – Reputation Management Partner
Christopher is a leading expert in reputation management and has helped businesses resolve problems that threaten the reputation of the business or the privacy and integrity of those behind it. He has considerable experience in handling unprecedented crisis situations and working to pressurised timescales. Contact Christopher.