Sarah Reynolds & Rita Higgins
More and more employees are working remotely, in light of Covid-19 restrictions, and will continue to work remotely into the future. However, this leaves businesses more susceptible to cyber security attacks.
In light of the recent cyber security attack on the Health Service Executive, and the costs which have been incurred in relation to this attack, all organisations should review their IT security measures and data protection policies, if they have not already done so.
A cyber security attack can take many forms, but one of the most common is a phishing communication, which may arrive by e-mail, phone call or text message. These communications often appear to come from a legitimate source and may include a link or a request that the recipient reply.
Data Protection Commission Guidance on Cyber Security
The Data Protection Commission (“the DPC”) has recently issued helpful guidance on how organisations can protect themselves from phishing attacks: “When your personal data has been affected by a breach” (Data Protection Commission, 28/05/2021).
The DPC's guidance describes what a phishing communication may look like and what to do if an individual believes that they may have received one.
What to do if your business is subject to a cyber security attack
Should a business be subject to a cyber security attack, the instigators of that attack may attempt to extort money from the business and/or threaten to disclose the business’ personal data unless a ransom is paid.
If you believe that your organisation has been subject to a phishing attack and that information and/or personal data may have been accessed by criminals, you should immediately contact An Garda Síochána to report the attack.
You should also consider notifying the Data Protection Commission, particularly if the level of risk to the data subjects is medium to high. A medium risk is where the data breach may have an impact on individuals, but the impact is unlikely to be substantial. A high risk is where the data breach may have a considerable impact on affected individuals.
Review of Data Protection Policies
It is good practice for businesses to continuously review their data protection policies and update them, as required. Any such policies should include clear guidelines on what employees should do in the event of a security attack and/or an unauthorised disclosure of personal data. For example, the data protection policy should state to whom the employee should report the attack and what measures the employee can take to minimise the effect of the attack on the operation of the business and its personal data.
Cyber Security Insurance
It is prudent for businesses to have in place cyber-security insurance, as failure to do so could lead to a business incurring unbudgeted expenditure, should it be subject to a cyber security attack. For example, the business may need to retain cyber security experts to remedy any IT servers and/or hardware which have been affected by a cyber security attack.
This article is not intended as legal advice. For further information on how to protect your organisation from a cyber security attack, please contact our Sarah Reynolds or Rita Higgins.