As a company director, how can I protect myself and my business from cyber crime?


Recent reports of high profile hacking cases show cyber-crime is a growing threat, so it is imperative that company directors put risk management strategies in place.

Following on the heels of the extramarital dating site hacking, businesses are being forced to look more carefully at their information risk management regime.

Information should be valued as an asset and processes should be assessed with the same rigour as legal, regulatory, financial or operational risk.

In the case of dating site Ashley Madison, it was reported that more than 2,500 customer records were released to the public by the hackers. The company faced a barrage of calls from customers, concerned that their personal details and credit card information had been compromised.

Whilst the true picture for the Internet daters continues to unfold, this is just a reflection of a fast-growing area of crime, as more and more criminals exploit the speed, convenience and anonymity of the internet.

For companies, cyber-criminals may attack the functioning of computer hardware or software, or try to commit financial crimes such as online fraud or penetrate online financial services or go 'phishing' for online confidential information. For company directors, the advice is to ensure the topic is at the top of the boardroom agenda.

As well as having to meet the requirements of the Data Protection Act and the Communications Act in the UK, businesses should be aware of the forthcoming draft EU Data Protection Regulation and the proposed EU Cybersecurity Directive. There are also requirements under the Companies Act 2006, which place a duty on directors to keep themselves informed on relevant issues. They may be held to be negligent if they do not take appropriate professional or expert advice to tackle any identified threats.

The key component for businesses is to undertake a risk analysis, develop a cyber-security programme, set in place the right policies and take appropriate technological measures. Businesses should ask themselves what value there is in the information they hold electronically, whether this is intellectual property, customer information or client funds. A clear cyber-security strategy with policies in place and staff well informed, backed up by regular reviews and updating of technological practices, is essential.

IT system reviews can range from how networks are monitored for attacks and what firewalls and malware detection software is in place, through to how internal and external users are controlled and how access may be segregated or restricted. They can also cover the simplest of things, such as who holds passwords and making sure spam mail isn't opened.

Thorough education of staff, with regular updates, is essential. As well as demonstrating that the company takes the matter seriously, it recognises that staff are in the front line: if they are well informed of the risks, and encouraged to take responsibility, they can be more effective gatekeepers.