Alongside the rapid rise in the use and regulation of Artificial Intelligence (AI), cybersecurity needs to be a focus for business, for government, and for individuals. Reliance on digital systems across all aspects of our lives means that secure systems are more important than ever before. In this article, our technology partners Robert Peake and James Tumbridge explain what cybersecurity is and how to reduce the cyber risks that organisations and individuals face.

What is cybersecurity?

Cybersecurity describes a range of activities and concerns, and those can vary widely depending on the circumstances. At its core, cybersecurity refers to measures and behaviours that protect the confidentiality, integrity and availability of digital information, and that control access to the systems on which that information is held, used and shared.

Cybersecurity measures can operate in physical space, to restrict access to areas where sensitive information is held, and to protect computer hardware and network infrastructure; and equally in the digital realm to secure access to software, maintain its functionality, and prevent its misuse.

Appropriate cybersecurity varies – whether at an individual level in our personal lives or at an organisational level for a large enterprise – and there is no one-size-fits-all approach. Many cyber incidents affecting businesses and public bodies begin at an individual level, where a malicious actor exploits human error to gain access to a system. For that reason, some of the most basic cybersecurity techniques which help individuals remain safe are equally important to maintaining safety across very large systems, for example keeping software up to date and not reusing passwords across services.

What are some of the key risks that cybersecurity seeks to address?

We are all familiar with the dangers of cybersecurity incidents in our personal lives, for example phishing messages: malicious emails or texts purporting to be from our family or friends, our bank or our service providers.

Many of us will also have experienced disruption from cyber events affecting a service provider such as our credit card network, airline, or phone company. In recent years, many have also been impacted by cyber attacks against healthcare networks in the UK, Ireland, Canada, and the US.

For businesses, key risks flowing from cybersecurity breaches include business disruption; loss of control over inventory systems or over intellectual property such as trade secrets; investigation and remediation costs; civil and contractual liability; regulatory investigations and penalties; and reputational harm.

When businesses enter into supply chain contracts, they will typically have cybersecurity obligations (and risks) passed on to them and will often give warranties about their own cybersecurity preparedness. When a cyber breach occurs, those other businesses affected will look to the ‘weak link’ in the chain for compensation for any damage that may have been suffered.

Where personal data have been affected by a cyber breach, the threat of regulatory inquiries and fines has increased considerably in recent years. The 2016 General Data Protection Regulation (GDPR), which has applied since 2018, opened the door to fines of up to €20 million or 4% of global annual turnover, whichever is higher, for data protection breaches. Big fines have been levied: the Information Commissioner’s Office fined British Airways £20M (reduced from the £183M initially proposed). That fine is additional to the costs associated with engaging with the regulator, and the reputational impact can be financially painful too.

The cybersecurity regulatory landscape

A wide range of laws and regulations impose obligations on organisations, including the UK GDPR and the Data Protection Act 2018 (and the GDPR in the EU), the EU Artificial Intelligence Act, the Digital Operational Resilience Act (DORA), the EU Cyber Resilience Act, and the Network and Information Systems (NIS) Directive.

A variety of standards-setting bodies also provide benchmarks for cybersecurity readiness, including the European Union Agency for Cybersecurity (ENISA), the National Institute of Standards and Technology (NIST), and the Institute of Electrical and Electronics Engineers (IEEE). In the UK, the National Cyber Security Centre (NCSC) is tasked with providing best-practice guidance to industry and to individuals to guard against cyber threats.

Businesses in some sectors will have additional obligations to ensure that they have effective cybersecurity measures in place, including in the design of consumer products such as software and IoT devices. In the EU, the new NIS 2 Directive has updated the law in order to bring additional sectors into the scope of the heightened security obligations, including postal services, space, food, research and manufacturing. The UK’s Cyber Security and Resilience Bill similarly seeks to update the domestic law to meet growing risks from cyber threats across industry sectors.

What steps can organisations take to minimise cyber risks?

Security threats to digital systems are becoming more sophisticated; AI, quantum computing (discussed in our previous Digital Explainer) and the widespread presence of IoT devices present new challenges for maintaining effective cybersecurity.

Prioritising cybersecurity is no longer optional; it is essential. For very large businesses, cybersecurity is likely to form a significant budget item each year, to try to meet and counter cyber threats. We have learned, though, from recent high-profile cyber incidents, that even the most developed cyber defence programmes can fall victim to lapses in basic procedures (failing to install critical software updates) and to human error (an employee clicking a malicious link in a text or email, perhaps whilst using a personal mobile device).

Some cybersecurity tips to adopt include:

  • Understand your risks by documenting your systems and the access points;
  • Consider the consequences of remote working and the use of personal devices by staff (on which we have written separately);
  • Identify risks in the supply chain;
  • Adopt risk reduction strategies (including insurance cover where appropriate), and put in place response plans to cyber incidents;
  • Educate and train staff on cyber risks and procedures;
  • Continuously monitor the cyber risk landscape; avoid the trap of ‘set it and forget it’.

The head of the NCSC has said: “[T]he severity of risk facing the UK is being underestimated.”  Preparedness is key to reducing your cyber risks; cyber incidents are a question of ‘when’ not ‘if’.

If you have questions or concerns about cybersecurity, please contact Robert Peake and James Tumbridge.


This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.