Why you need a cyber and data security plan, and how to start it

It’s difficult to miss that there have been several high-profile data breaches recently.

Many were caused by cyber-attacks. Some of these organisations have even set up 24-hour helplines to explain how to pay the ransom!

The 2021 attack on the UK Electoral Commission demonstrated that this affects us all. The intruders remained undetected in the Electoral Commission’s computer systems for some time. It was likely carried out by hostile nation-state actors, affected millions of UK registered voters, and may have been intended to interfere in the UK democratic process.

And then there are – usually accidental – personal data breaches.

The MoD was fined £350,000 by the Information Commissioner for a personal data breach where an official sent an email disclosing 253 email addresses of Afghans being evacuated after the Fall of Kabul. The email used “To” rather than “BCC”.

This simple mistake risked lives. Although few personal data breaches carry such grave consequences, everyone can sympathise with the over-pressured official making this simple (and usually innocuous) slip-up.

Will we see more and more of these massive cyber and data breaches?

Perhaps… but that doesn’t mean it should be your organisation’s data.

Senior leadership must prioritise data security. Some organisations must, by law, have a Data Protection Officer (DPO) appointed at Board level to oversee data security and compliance. For others, it’s just good practice.

Think what could have been avoided if the MoD’s system had asked the sender to double-check the recipient list, or had not allowed so many recipients to be visible to each other in one message.
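The kind of check the previous paragraph describes can be implemented as a small outbound-mail rule. The following is an added example, not code from the article or any MoD system: it inspects the To and Cc headers of a message and returns findings when many recipients (or more than one external recipient) would be able to see each other's addresses. The domain names, the threshold of five visible recipients and the sample messages are all constructed for illustration.

```python
from email.utils import getaddresses

# Policy threshold: an assumption for this example, not a value from the article.
MAX_VISIBLE_RECIPIENTS = 5

# Domains that count as "internal"; constructed for this example.
OWN_DOMAINS = {"agency.example"}


def visible_recipients(headers):
    """Return the addresses every recipient can see: everything in To and Cc.

    Bcc is deliberately excluded, because Bcc addresses are not disclosed
    to the other recipients.
    """
    fields = [headers.get("To", ""), headers.get("Cc", "")]
    fields = [f for f in fields if f.strip()]  # skip empty headers
    return [addr.lower() for _name, addr in getaddresses(fields) if addr]


def is_external(address, own_domains):
    """True when the address belongs to a domain outside the organisation."""
    domain = address.rsplit("@", 1)[-1]
    return domain not in own_domains


def check_outbound(headers, own_domains, max_visible=MAX_VISIBLE_RECIPIENTS):
    """Return a list of findings; an empty list means the message may be sent.

    Each finding is a sentence a mail gateway or client add-in could show the
    sender before the message leaves, prompting the double-check.
    """
    visible = visible_recipients(headers)
    external = [a for a in visible if is_external(a, own_domains)]
    findings = []
    if len(visible) > max_visible:
        findings.append(
            f"{len(visible)} recipients in To/Cc exceeds the limit of "
            f"{max_visible}; move them to Bcc"
        )
    if len(external) > 1:
        findings.append(
            f"{len(external)} external addresses would be visible to each "
            f"other; move them to Bcc"
        )
    return findings


# Constructed sample messages (headers only).
SAMPLE_GOOD = {
    "To": "press-office@agency.example",
    "Bcc": "alice@example.org, bob@example.net, carol@example.com",
}
SAMPLE_BAD = {"To": "alice@example.org, bob@example.net, carol@example.com"}
SAMPLE_BULK = {
    "To": ", ".join(f"person{i}@example.org" for i in range(6)),
}

if __name__ == "__main__":
    for label, msg in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD),
                       ("bulk", SAMPLE_BULK)):
        print(label, check_outbound(msg, OWN_DOMAINS) or "OK to send")
```

The rule is intentionally conservative: a single external recipient in To is normal correspondence, but two or more external addresses visible together is exactly the pattern that disclosed 253 evacuees' details, so that case is flagged regardless of the overall count.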

Prepare for when (not if) you suffer a data breach

Data breaches don’t always involve technology. 75% of incidents reported in the UK in Q4 2022 were non-cyber. 19% related to emails being sent to the wrong person, while others were as simple as a briefcase being left on a train.

Employees must be trained to recognise a data breach and should not fear reporting one.

You need a rapid response team, with the DPO leading in assessing and responding to data breaches, following a pre-prepared “playbook” and knowing which specialists to call in.

The number of reported cyber incidents is rising. AI will supercharge phishing attacks, where fraudsters try to gain private information or clicks on unsafe links by sending ever more convincing emails.

How do I prepare my business to handle a data breach?

Fortunately, there’s a burgeoning cyber security ecosystem in Scotland.

Tech firms like Quorum Cyber and ID Cyber Solutions provide expert technical, training or forensic resources to help identify and protect against threats, or to upskill staff and systems. Glasgow-based Acumen Cyber has a Security Operations Centre to monitor and protect clients’ systems. Insurance brokers Lockton advise on cyber insurance, and PR specialists like Clark Communications help clients deal with the reputational fallout.

And (of course) there’s the Data & Technology Team at Anderson Strathern.

We recently joined Cyber & Fraud Scotland’s small panel of approved law firms with the expertise to help organisations respond to a cyber or data breach as quickly and painlessly as possible.

However, we would far prefer to help you prevent one happening in the first place.

If you have questions on any of the issues raised above, Douglas McLachlan leads Anderson Strathern’s Data & Technology team and has been certified by The Law Society of Scotland as a specialist in cyber security. He would be more than happy to discuss how best to create a cyber and data security plan for your organisation.

A version of this article was published in Edinburgh Chamber of Commerce’s April/May 2024 Business Comment magazine.
