Skip to main content
Become a member
  • Register
  • Login

Register Login


News Cyber Security - Need to know

How small businesses should react to a cyber attack

18 Dec 2018

Laptop_password_hookWhy taking swift and decisive action is essential to protect yourself in the fight against online crime.

One of the hardest decisions any business will make in the wake of a cyber attack, is when to go public with the news. Nobody wants to tell customers that their confidential data – bank card information, passwords, personal details – may have been compromised.

Imagine, for example, that you’re running a tech start-up and, therefore, selling services on an expectation that the customers’ data is secure. If that security is breached, it can seriously harm your reputation.

Making the right response in such a situation can limit the damage to your business. However, adopting the wrong strategy could have in lasting repercussions.

In partnership with leading cyber insurer Hiscox, we outline a four-step plan from understanding the threat posed by hackers, through to how you should respond in the wake of a cyber attack.

1. Recognise the scale of cyber crime

British businesses are 40% more likely to be a victim of a cyber attack than a victim of burglary. A 2018 Hiscox study also revealed that 45% of more than 4,000 businesses surveyed across the UK, Europe and the US also suffered an attack over the previous year, with 67% of those affected experiencing more than one attack.

Irrespective of whether you work for a micro-business or a multinational, cyber crime is now a mainstream risk.

Adding to the challenge is the growing sophistication of those attacks. Formjacking, for example, is one of the latest techniques where hackers inject malicious Javascript into a company’s payment processing webpages to capture customers’ card details.

British Airways has been one of the most recent high profile victims, with card details from nearly 400,000 customers compromised. Information security experts Symantec estimate there have been around 250,000 formjacking attacks worldwide since mid-August.

Another threat is known as ‘the man in the middle’. This is where a communication such as an email is intercepted and changed to persuade a business to make what they believe are genuine payments without being aware they are paying a fraudulent third party.

In 2015, a criminal gang operating in Belgium used a method known as ‘man in the middle’ to steal over €6m from companies across Europe.

2. Every business is a target

Many small business owners will, understandably, think that hackers have got bigger fish to fry. However, being part of a supply chain that links you to a larger organisation means you could become a target for criminals looking to infiltrate a wider network.

Meanwhile, as cyber attacks become more widespread and sophisticated, some companies have fallen short when it comes to knowing how to crisis manage the situation.

In 2016, taxi app Uber was the victim of a hack which compromised the details of 2.7 million UK users and 82,000 of its drivers. According to the Information Commissioner’s Office (ICO), which recently imposed a £385,000 fine on Uber’s European operations, the hack was compounded by Uber not informing customers.

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable,” said the ICO’s Director of Investigations.

In Uber’s case, the way in which it handled the incident appears to have made the issue worse by the lack of information provided about the breach. If a business finds out it has been the target of a successful cyber attack, it is better to go public sooner rather than later, especially as failure to notify those affected can lead to a hefty fine under the EU’s General Data Protection Regulation (GDPR).

In the final reckoning, clients, regulators and the public are likely to be more forgiving if a business communicated a data breach or other cyber attack at an early stage rather than hoping the issue would go away.

3. Ask the experts

As any good crisis management expert will say, it pays to know the facts before going public. In the world of cyber crime, getting all the facts together quickly can be very difficult. This is why being able to draft in IT forensic experts early on to establish where a breach has taken place and what data has been stolen, is so important.

A good cyber insurance policy will include breach investigation costs – the IT forensics that are so important – as well as the costs of legal counsel and public relations help. In addition, the actual costs of client notification – now mandatory under GDPR – are included.

4. Take decisive action

A key ingredient for the success of any business is the ability to take swift and decisive actions, whatever the scenario. Also, you need to think strategically – do you have a plan in place to deal with the fallout of a cyber attack?

Being open and honest about what has happened while reassuring clients and the wider public that the firm has taken decisive steps to manage the situation, is hugely important. Fail to take control and the situation could run out of control with untold damage to a business’s brand.

Insurers can provide resources and advice that are tailored specifically for the needs of small enterprises, and will allow you to continue running your business as smoothly as possible.

Help protect your business against data breaches, viruses and other attacks from hackers. Hiscox can help minimise any loss and possible damage to your business and its reputation, IoD members receive a 5% lifetime discount on policies.

0800 280 0354

Find out more

Coronavirus Hub - IoD

An error has occurred. Error: Related articles is currently unavailable.

Contact our press office

Press office

IoD Professional Development Brochure

Knowledge, skills and mindset for a challenging world

IoD courses are designed to tackle the core competencies needed to thrive at board-level.

Download course brochure