Irish organisations are failing on basics of cybersecurity
28 May 2015
Irish organisations are leaving themselves open to the possibility of litigation, fines and the loss of intellectual property and commercially sensitive information because they have no measures, or only inadequate measures, in place to deal with cyberattacks.
According to research from the law firm A&L Goodbody, carried out by Red C, only 27% of 200 companies surveyed said that they were fully prepared to deal with a cyberattack. With regard to the basic measures to deal with a cyberattack, the survey found that nearly two thirds (65%) said that they had no written cybersecurity policies, 59% had not provided training to employees on what to do in the event of an attack, and nearly half (49%) had not allocated responsibility for response to any one employee or team.
“As cyberrisk becomes more sophisticated, and more prevalent,” said John Whelan, partner and head, International Technology Practice, A&L Goodbody, “businesses are exposed to increasing risk to their reputation and their bottom line. Boards and senior management must have policies in place to protect their business should a cyber incident occur. An important part of this is ensuring that the basic legal requirements are met, and the survey shows that while many businesses are aware of their exposure they are not fully prepared for it.”
However, Whelan said that cybersecurity goes beyond what might be regarded as pure information security.
“An ‘IT security policy’ is only one aspect of a company’s ‘cybersecurity policy’”, said Whelan. “This is an important distinction for companies to consider, and in fact was the driver for us carrying out this survey. Many companies used to consider just the IT security aspects of their cyberpolicy — this has changed.
“There are now increasing and evolving areas of law covering the obligations on companies in respect of their wider approach to cyber security. It goes beyond pure IT security into how the companies legally prepare for a cyberattack and their legal obligations in the aftermath of an attack. Cybersecurity has very quickly moved from being a technical problem to a serious business issue that legally requires engagement at board level.”
Highlighting the need for companies to deal with cyber security issues from the top down, the survey also found that one in four (25%) company boards had not been briefed on their business’ legal obligations and the mechanisms that were in place, if any, to deal with a cyberattack.
The survey also found that, of the 27% who said they were fully prepared to deal with an attack, nearly two thirds (63%) admitted, when prompted, that a lack of awareness of their legal obligations was their biggest challenge.
The survey also highlighted the risk to which companies are exposed by failing to heed the cyberrisk policies of third-party service providers who have access to their data. Half of the companies surveyed confirmed that their data is stored off-site by a third party, but within this group, 44% admitted to not knowing their supplier’s cybersecurity policy in the case of an attack.
Despite general awareness among organisations of the potential impact on their business and reputation, with two thirds agreeing that such an impact was possible, more than a quarter (28%) of boards had not considered the possibility of a cyberattack.
“In addition to the operational and business risk, there is material legal risk with consequences in terms of possible legal and regulatory action, and potential harm to market reputation,” said Whelan.
When asked why so many organisations are failing on the basics, Whelan said it is a new area for most businesses, on top of other challenges that they may be dealing with.
“The laws are also emerging over the last couple of years and it’s probably a case that companies are very aware of the issues, but because these issues are relatively new they may be falling short with regard to preparedness. However, we expect this to change in the near future as companies and their advisors become more aware of the legal obligations in this area,” said Whelan.
In relation to the lack of awareness of legal obligations, Whelan said that this may be down to it being a new area of law.
“The legal obligations on companies and their directors in relation to cybersecurity have only emerged relatively recently,” said Whelan. “In addition, there are quite a number of obligations coming down the tracks under data protection legislation, companies legislation and other areas of law, and we’re only now starting to get decisions from the courts. So the lack of awareness of legal obligations is probably because they are relatively new and in a state of change.”