Cyber security attacks are on the up, so we set out our top tips to help companies avoid cyber security attacks.
Risk assessment
Whether a large or small, every company should carry out a comprehensive assessment of its existing processes and procedures to identify what valuable assets (e.g. intellectual property, personal data and financial data) needs to be protected alongside the specific risks and the potential impact on the business if those assets were compromised. Companies also need to consider their supply chain because many cyber incidents involve third party contractors which means steps should be taken to ensure that the contractual responsibility for preventing and dealing with cyber incidents is clear.
Incident management strategy
When a cyber-incident occurs, time is of the essence and so it is important that companies know in advance what to do and who has responsibility for doing it. A key element of any incident management strategy is the establishment of an incident response team which should include representatives from all relevant groups ranging from HR and employee representatives to public relations and legal representatives.
Employee education and awareness
Comprehensive policies and procedure should be in place (such as information security policy). Companies should establish a staff training programme including regular refresher training for all employees that aims to increase the levels of security expertise and knowledge across the company. It is important employees at all levels are aware of their obligations and responsibilities.
Regulatory and compliance governance
Companies should assess their regulatory obligations as they may be subject to specific cyber security regulations.
Network and IT security
Companies should take appropriate steps to ensure that networks and infrastructure are protected against external and internal attacks. In addition, the Data Protection Commissioner has issued a Code of Practice for dealing with personal data and security breach. Companies should familiarise themselves with this Code of Practice and ensure that all policies and procedures are lined with it. Furthermore when the General Data Protection Regulation comes into force in 2018, it will make the reporting of breaches mandatory, with substantial penalties for non-compliance.