Different companies are subject to different requirements
To gain a better understanding of the dangers online, it is necessary to know the different types of attack that may occur. Companies are most often exposed to malware, such as Trojans (Trojan horses), ransomware and other viruses, which can be distributed not just via websites but also by email, via social networks and through mobile apps. Likewise, businesses often suffer from phishing (including spoofing), in which fake websites or messages are created in an attempt to extract confidential information. More serious cyber criminals may also attempt to hack into the company’s information systems directly.
It is interesting to note that although every company may encounter these issues, not all of them, and not in all cases, will be under an obligation to notify the National Cyber Security Centre, the State Data Protection Inspectorate and the police. Under the provisions of the Law on Cyber Security, cyber incidents must be reported by those companies that control or manage public information resources, e.g. the Centre of Registers. The same obligation applies to those that manage critical information infrastructure, provide public communication networks or public electronic communication services, or offer electronic information hosting services and digital services, such as telecommunications companies, data centres and many others. Incidentally, digital service providers only report major cyber incidents, while companies which report incidents voluntarily do not have to assess the magnitude of the impact the incident has caused.
The reporting deadlines also differ. In the case of a major incident, the National Cyber Security Centre must be notified no later than one hour after the incident is detected. A moderate cyber incident must be reported within four hours of its detection at the latest, and minor incidents are reported periodically, on the first day of the calendar month. The type of incident is determined by the degree of disruption it caused to the service, the number of affected service recipients or computerised workplaces, the losses incurred, and whether there has been a breach of the confidentiality and integrity of communications and the information system. All of the above come from the publicly available National Cyber Incident Management Plan. It is also worth remembering that even a company under no obligation to report an incident may voluntarily contact the National Cyber Security Centre for help in tackling the situation.
Reputational and financial damage
Ignoring cyber threats these days is highly irresponsible, as the damage caused by a cyber incident is measured not only in lost data or disrupted website operations, but also in financial losses. Cyber attacks may have serious economic implications, including stolen financial information such as bank or payment card details, stolen money, disrupted trade or even lost business. What is more, repairing the affected systems, networks and devices will also come at a cost.
In the event of a cyber incident, the company will almost certainly suffer reputational damage too. This weakens trust and the willingness of others to cooperate, and may lead to a loss of customers and a decline in profits. It is important to note that cyber incidents frequently also have legal implications: the law requires that the data of staff and customers be processed responsibly and that their security be ensured. Companies that fail to do so face fines, restrictions and court proceedings for damages.
Breaches of the Law on Cyber Security – failure to act in a timely manner, failure to cooperate with the authorities or to provide them with information, or ignoring their instructions – may entail a fine of up to EUR 1,950. However, this is nothing compared to the situation where a cyber attack has been carried out in conjunction with a personal data breach, which must be reported to the State Data Protection Inspectorate and, in certain cases, to the affected individuals themselves, no later than seventy-two hours after becoming aware of the breach.
Depending on the circumstances of each individual case, a company may be fined up to 4% of the corporate group’s total annual global turnover for the previous financial year. And it does not end there: where data leaks are involved, there is a risk of individual or group claims for damages being brought. Knowing all this, it will probably be easier to decide which investments in security are worthwhile, particularly given that businesses occasionally fail to recover after huge fines and reputational shocks.
What helps protect against cyber attacks and how to handle them?
A cyber attack that has taken place will not necessarily become known; in certain cases a cyber criminal only needs specific information and has no intention of selling or publishing it. That aside, the most frequent attacks are encrypting ransomware attacks, in which a ransom is demanded to prevent the publication of stolen data. Cyber thieves may also demand a ransom for the data to be unblocked. There are different views on how this should be handled, and there is never any certainty that access or data will be recovered once the ransom is paid.
In order to prevent such incidents or minimise their damage, it is advisable to have separate, encrypted access to the data and an action plan for communicating with the public, customers and partners whose data have been leaked or blocked. Contacting the National Cyber Security Centre is always an option, as it has developed guidelines on how to deal with and protect against cyber incidents.
For prevention purposes, companies are advised to follow the principles of creating and using secure passwords, to have strict access control and multi-step authentication, and to have a secure wireless network installed. It is also recommended that HTTPS, antivirus software and a firewall be used, that software be kept constantly updated and that data backups be available. The human factor also matters: the company’s staff should be made aware of cyber risks, and training should encourage them to stay attentive and to keep work and personal devices separate. Moreover, it is advisable to take steps to prevent data leaks, to encrypt sensitive data, to carry out regular penetration (hacking) tests and to have cyber risk insurance cover in place.
Translated by Pasaulio spalvos