Navigating HR's Cyber Frontier - Risks, Compliance and Training
Posted in: Webinar Recordings on 26 October 2023
Recent government statistics reveal that a staggering 1 in 5 Irish firms experienced a cyber-attack or data breach in 2022. It’s not enough to rely on your IT team, HR should be front and centre in the fight to protect data and in making sure that all employees know their responsibilities.
From Facebook/Meta to Munster Technological College, high-profile organisations have been subject to attacks in recent months. It’s recognised that the largest threat to an organisation’s cyber security is human error and employees’ failure to comply with data security rules, not hackers.
Ricky Kelly, Partner and Lead of RDJ LLP's Cyber Security, Privacy and Data Protection Practice, Giles Tyler, Senior Consultant at Control Risks, and Julie Holmes of Legal Island chat all things cyber security and prepared some excellent slides: Slides 26.10.23 Cybersecurity.pdf
Ricky and Giles lead you through all of the legal and practical angles including:
1. Current cyber security risks and trends
2. Legal obligations and consideration in relation to information security
3. The importance of staff training and how to do it
4. Preventative controls you should consider implementing
5. Key organisational measures to mitigate against cyber security risks.
Julie: Good morning and welcome to our webinar, "Navigating HR's Cyber Frontier – Risks, Compliance, and Training," and it's sponsored by MCS Group. My name is Julie Holmes, and I'm part of the Knowledge team here at LegalIsland. I'm joined by Ricky Kelly, who is partner and lead of RDJ's Cyber Security, Privacy, and Data Protection practice, and Giles Tyler, Senior Consultant at Control Risks. And I want to thank them both for joining us today.
Recent government statistics reveal a staggering one in five Irish firms experienced a cyber-attack or data breach in 2022. It's not just enough to rely on your IT team. HR needs to be front and centre in the fight to protect data and also in making sure that your employees know their responsibilities. October is cyber security month, and this morning we'll discuss some of the most up-to-date tips and advice from our experts.
It's also timely because LegalIsland has launched our brand new cyber security eLearning course, which is a comprehensive, all staff training course, and our eLearning team are offering a generous 25% discount to today's attendees. So if you're interested in trialling the course on behalf of your organisation, you can type Yes in the question box now, and a member of our eLearning team will give you access to the demonstration following the webinar. If you're interested in the discount as well, which I know I would be, then make sure that you mention today's webinar when you're speaking to one of our team as well.
I also want to say thanks to our sponsors, MCS Group. MCS help people find careers that match their skill set perfectly, as well as supporting employers to build high-performing businesses by connecting them with the most talented candidates on the market. If you're interested in finding out how MCS can help you, then please head to www.mcsgroup.jobs.
Okay, so now to the main event and let's get an idea where we are with cyber security. We have a few poll questions for you. It's going to help Ricky and Giles by letting them know a little bit more about you and about your organisation. Don't be shy. We won't publish the results. We'll just, again, all see where we are with cyber security at the moment.
So first of all, does your organisation currently provide all employees with cyber security training? And just before we came on, we had an interesting discussion about who in your organisation does cyber security training. Is it everybody else except for senior management? Or do your senior management also make sure that they do it as well?
All right, so great, very heartened by these results. So Ricky and Giles, what do you think? Big thumbs up already for everybody.
Julie: Great. Okay. So I'm going to move on then to our next question, which is, when was cyber security training last delivered to all of your employees? Just in case you're feeling a wee bit too confident after answering that first question. So was it less than 12 months ago? Was it between 12 and 24 months ago? Was it over 36 months ago? Or have you never done cyber security training? So again, don't be shy. Let us know when the last time was that you did cyber security training.
So less than 12 months ago is 73%. So we've got a very aware audience and again protecting your organisation and your data, which is fantastic. We have a number of people that have between 12 and 24 months ago, and we'll talk a little bit about how that relates to how often you should actually refresh your training. We also have people that did it over 36 months ago. And then we do have some people, and thank you for, again, letting us know that you've never actually done cyber security training, and hopefully we'll be able to convince you that it's worthwhile today.
All right, and then last poll question, please, Maria, is for anybody that hasn't done cyber security training, or maybe it's one of the reasons why you found it was difficult to really introduce within your organisation, what are the key factors for that? What has restricted you from delivering all staff cyber security training? Was it staff time limitations, trying to get everybody together? Was it logistics? So trying to get everybody in one place, one location, trying to get all those people that maybe have different working arrangements as well. Is it the cost in a cost of living crisis? So sometimes, again, that can be off-putting. Or as I mentioned, is it senior manager buy-in or that attitude of it'll never happen to us because the cyber criminals are really after all the big organisations.
So interestingly enough, we've got a lot of people who find that staff time limitations are a big impact. So again, we'll talk a little bit in the webinar today about the fact that training can be done on any device, which means that people can do it on the bus as they head into work. They can choose their own times. You don't need to worry about getting everybody together.
Thanks, Maria, very much for sharing those results for us. And Ricky and Giles, I hope that gives you a good overview of everybody that we have and so where we can give a big thumbs up and, again, where people may need to be aware of those risks to the organisation. So I'll see you in a little bit then.
Ricky: Thanks, Julie. If we could bring up the first slide. Okay. Thank you. So thank you all for coming, and for the introduction there, Julie. We've got quite a bit to get through today. And so we've got just short of 40 minutes left. We're going to leave some time for questions and answers at the end. So if you have any questions along the way, don't be afraid to pop them into the chat there. And Julie will put those to us at the end.
There's so much content to be generated in this area around cyber security, so much investment and lots of organisations. And sometimes it's difficult to see through as to what should you be doing and what must you be doing and what can you do to ensure that you're protected.
So I'm going to look at just to start with, just to set the scene a little bit in terms of business risks and what they are. And Giles and I will be coming in and out at various stages.
So if I look at the next slide there, I think it's important just from a setting-the-scene perspective to identify the difference between what is a cyber security incident and what is a data breach. So a cyber security incident, it carries lots of definitions, but essentially it results in the unauthorised access to data. It can access applications, services, and networks or devices. And it normally involves bypassing a security mechanism, an underlying security mechanism.
A personal data breach on the other hand is solely concerned with personal data. So a cyber security incident might access other information like, for example, commercially-sensitive information or information that's not personal in nature. But when you have a cyber security incident, you will always inevitably have to undertake an assessment to determine whether there was a personal data breach. And obviously, if there's a data breach, you have obligations related to that.
But what is a personal data breach? It's defined under the General Data Protection Regulation, and it, again, is a breach of security. But it can arise in a number of scenarios, and these are not individually. And there, you can have a confidentiality breach where information is just accessed by a third party without authority. Or in fact, not necessarily a third party if it's somebody within the organisation that doesn't have authority to see the information, that can give rise to a confidentiality breach. And we'll refer a little bit more to that in a while when we talk about some of the case studies that the DPC has published.
You can have an integrity breach. And this arises where there's been unauthorised or accidental alteration of personal data. That can arise, for example, in a ransomware attack, where you've got encryption of the information. But it can also arise as a consequence of accidental error. And again, it can arise in a breach of confidentiality.
The last one is an availability breach, where information has been lost, for example, and it arises, can be accidental or unauthorised loss of access to personal data. So even though information wasn't seen by a third party, or it hasn't been changed in some way to affect integrity of it, the fact that it's not available can give rise to a personal data breach and carry all the implications from a data protection perspective.
So what are we experiencing in terms of breaches that we deal with? The next slide, Maria. So we provide 24/7 incident response services for cyber data protection breaches. So we have a team that deal with those on a regular basis. So what we're seeing in terms of those, from a cyber security perspective, has evolved over the years. And Giles is going to come in and talk about cyber security incidents a little bit more. So I'm not going to dwell on that too much. But certainly over the last year, we've seen a significant increase in business email compromise. And to demystify that to those that don't know what it is, it's essentially where a hacker gets access to your email account, and then can use it for nefarious purposes.
Social engineering or invoice redirection, that can sometimes be connected to business email compromise or not. And it can be a type of squatting, and that's where hackers set up a domain, an email account similar to your own, like, for example, RDG as opposed to RDJ, and they mimic across. And we've seen a number of organisations where the hackers have gone to quite some extent to set up fake websites as one to try to bring credibility to the email address.
And then, obviously, the ransomware and malware attacks. As I said, Giles will touch on those a little bit more.
But from a personal data breach perspective, we're seeing those more and more as well. And the DPC helpfully, to some extent, have in their report for 2022, in terms of data breaches that were reported to them, reported that 62% of the data breach notifications related to unauthorised disclosure. And that can happen from an unintentional human error, so someone sending an email to the wrong place or sending a letter to the wrong place. Obviously not cyber related, but it can arise from that.
It can also arise from an internal attack, where we've seen employees that were part of an internal disciplinary process or maybe possibly a redundancy scenario, or are just disgruntled in some way, where they go and access information within an organisation that they're not entitled to do, or they leave resources open to attack in some way. Again, that can have pretty drastic impacts on organisations.
And then you have just simple loss or theft of devices, and we're seeing that too, where not sufficient security measures have been applied to the personal devices or the devices have been lost.
So why is it important? So the next slide, Maria, thanks. It's important because it can have a significant impact on organisations in terms of their business losses. It can give rise to massive disruption. In the aftermath of a breach, organisations need to take steps to contain the breach and conduct thorough investigations as to how the breach happened and what systems were accessed and what was the overall impact. It can give rise to diversion of management time. It could give rise to shut down of an organisation's business or part of its business for long periods of time. And that can have a knock-on effect on revenue, obviously.
It's important, when you're replying or responding to a breach, that — it's the previous slide, Maria — you do it in a way that maintains integrity, and this is back to the reputational damage – previous slide, sorry. And that is the reputational damage can be or can arise in a number of scenarios.
Obviously, the reputational damage to the organisation, and flowing out of that can have an impact on suppliers. Suppliers may think, "Okay, well, if we're dealing with an organisation that's having a number of sub-related breaches, then it puts our supply chains at risk because we need security in our business." So they might be thinking, "We're not going to continue to deal with that organisation."
Employees, again, there's a move towards employees getting particularly disgruntled if organisations aren't taking sufficient measures to protect their information. And employers can often process a significant amount of information relating to employees, which is sensitive in nature. So it can give rise to significant issues, obviously. And then you have customers and clients, and that somewhat speaks for itself.
But it can also trigger then, I suppose, regulatory and contractual issues for your own customers. So from a regulatory perspective, you might have notification obligations to regulatory authorities. And that might just be in Ireland, for example. It could be in multiple jurisdictions. And then also you might have to consider your contractual obligations if you process, for example, or the information that you process, whether you have contractual obligations to notify your clients, and the impact that that might have.
But obviously and ultimately it results in significant costs and loss of revenue. In terms of the types of costs that arise, in the immediate aftermath of a cyber security incident, you would have possibly a cyber-crisis management, a breach cost, for example, might need PR crisis management teams. Then from a legal perspective, you could be looking at someone to deal with your statutory and contractual obligations. And depending on the size of your organisation, you might have a lot of contracts to consider. If you're not using template contracts across all of your customers, you might have employee-related issues, and that could be disciplinary related, or just simply complaints related to the breach or concerns arising from it. And supplier issues, obviously a breach of contract related to those, because you might have contracts in place to accept a certain number of supplies.
You might have law enforcement issues, if they're reported to law enforcement. And depending on the sector that you're operating in, then you might have increased statutory obligations relating to notification. And then, the obvious one is claims and court applications and claims arising from that.
You could have breach forensics, where you have to bring in a forensic company to do a thorough investigation. But ancillary services associated might be rebuilding your IT. You might need somebody to do the ransom note work for you if there's a ransomware attack. You might need to check sanctions. You might need to do credit monitoring. Depending on the size of your organisation, you might need a call centre to deal with customer queries and complaints. You could have PCI investigations, and you could have issues in the short term in relation to payroll and meeting your financial obligations to your customers and your employees. So the costs and the loss of revenue can be significant. Thanks, Maria.
So in terms of why it's important, I just picked a couple of the case studies that were published by the DPC, and they are published in the DPC's Case Studies Report. There's a link there on that slide, and I just picked one or two of them. The DPC makes a distinction between breach notifications and unauthorised disclosure within the case studies that they've published.
So just looking at those, in terms of 36, this one related to a failure to implement data protection policy. So the organisation had put policies in place, but it didn't provide sufficient training and didn't provide sufficient monitoring of the implementation of those policies. And ultimately it resulted in a data breach, which was notified to the DPC. So it's not sufficient just to put the process in place. It's not a tick-box exercise. It's important that once you have those in place, that you have someone monitoring those and that everybody knows what their obligations are in terms of those policies.
And number 37, that related to the encryption of a USB stick that was lost. It was sent in an unencrypted form. And again there were policies in place relating to the encryption of the USB, but it wasn't properly encrypted in that instance. And it was lost in the post.
In relation to 50, that was the misdirected email and encryption. In that one, somebody sent an email to the wrong place. But what happened is the documents they had attached to that were encrypted, thankfully, since they were password-protected. But of course, as is often the case, people send the password immediately afterwards, saying here's the password for the previous email I sent you, which is what happened here. And in that instance, obviously you're giving the passwords to the third party as well. So you may as well not have password-protected the document at all. And what the DPC recommended in that instance is the importance, or they talked about the importance, of sending passwords not by email, but by SMS or by a phone call or some alternative mechanism to how the original document was shared.
That email address disclosed, again, that nightmare scenario where somebody sent emails in copy as opposed to blind copy, and then everybody was able to see who's receiving the email. And that, again, somewhat of a human error. But it did give rise to a data breach. In that instance, you're just talking about an email address. So I'll give you an idea as to . . . Depending on the number of organisations impacted, you could have still quite significant notification obligations.
Social engineering attack, and I think it's important to say this was a law firm. The law firm suffered a business email compromise, and it resulted in an invoice redirection fraud. The law firm in that instance had a third-party supplier, a managed service provider, providing its IT, and it was relying on that in its entirety. But it wasn't monitoring what they were doing in terms of their obligations. And ultimately the DPC in that instance just makes reference to the fact of how important it is to undertake that monitoring to make sure that any of your suppliers are complying with their obligations and possibly making sure that they have their own security process in place. And again it refers back to the obligation being under the control of the law firm, in that instance, to make sure that their supplier is doing that.
And then just the two final ones for the purpose of today, these are related to unauthorised disclosure in the workplace, where employees within the organisation were able to access information relating to other employees. And that was due to kind of inappropriate policies or processes around access controls within the organisation. So again, it's an internal breach, but it's, again, connected to the fact that you need to think about your external and your internal protective measures, which Giles will get into a little bit later on.
Very quickly, if we look at the next, this gives you an example of the DPC's approach to data breaches. We just referred to two there. So there was the Ark Life & Allianz, where they suffered a breach, which was reported. And in that instance, they had good policies in place. They had proper training, and they were very proactive in terms of how they responded to the breach and notified it. And there was no fine or corrective action taken against them in that. And that is not, obviously, from a reputational perspective, because here we are talking about it today, and we can see how really well they replied and responded to the breach. Where on the other side we can see other organisations who did receive fines and corrective actions from the DPC because they didn't fully engage or they didn't comply with their obligations in a timely fashion.
So looking at the next slide, the DPC has really upped it in terms of the fines that it's issuing. It's issued the most fines in the European Union. And we often think that they're associated exclusively with the large fines, but they're not. And there's an example of some other fines, obviously the Meta one at the end, but that is brought in, not because it's directly connected to the larger fines that we see investigations. But you can see here, there are fines issuing to other organisations that we don't often hear about.
Next slide, Maria. Thanks.
So when you have a breach, and just in terms of what the risks are, you have data subject claims, and there's been quite some developments in this area of late. And it has been helpful because it gives us some guidance as to how we can advise clients and deal with these types of scenarios. But just to cover it all, data subject claims, there is a right to compensation, and that is for material and non-material loss. Non-material loss isn't defined. And that is the point which has been the subject of most discussion in case law.
And as I move back to the next slide, there's reference to three cases. Probably the main case out of the Court of Justice is the Austrian Post case. And in that one they found that a mere infringement of the GDPR is not sufficient. The Advocate General on that one had a point that there must be a minimum threshold of loss or damage, so that it couldn't just be nominal damage. But the court didn't follow the Advocate General in that instance. So essentially, it was saying that minimum is sufficient. And they refer back to Recital 146 of the GDPR, which says that compensation must be full and effective compensation for the damage that was suffered, but there must be a link between the breach and the damage.
And helpfully now we have a decision in Ireland, in the Ballymaguire Foods case, where that's a circuit court decision. It didn't relate specifically to the cyber breach per se, but it does give us an idea as to what they will receive if there has been a breach of their data protection rights. And in that instance, the non-material loss, the circuit court awarded them €2,000.
And there is another unreported judgment where seven trade union members had their actions for breach of data protection rights dismissed because there wasn't a basis for that. It was minimum loss. So it'll be interesting now if that case was to be heard again in light of the Austrian Post case or what will happen.
Over to you, Giles.
Giles: Thanks, Ricky. So just to introduce myself, my name is Giles Tyler. I'm a senior consultant at Control Risks. My role is to help organisations that are going through cyber incidents respond to them as successfully as possible. I think sometimes clients come to us and think, you know, you sort of fix the issue. No, that's a little bit too late by the time we're involved. But we can help people recover as best as possible. So if you go to the next slide, please, Maria.
So just to get started with a bit of an overview as to what we're seeing in the Irish market at the moment. So really interesting data since sort of 2018, 2019, we were seeing a really good growth, well, I say good, bad obviously, but a real growth in ransomware globally, but also in the Irish market. That came to a peak in 2021. But then really interestingly, it kind of fell sort of off that cliff a bit.
What we've seen is the war in Ukraine really disrupted sort of organised crime in the region, and a lot of that organised crime did have links into the cyber world. So I think a lot of the time people think cyber threat actors, cyber criminality and they think, you know, guys in basements in a hoodie, and not sort of serious organised crime, which it absolutely is.
So we saw, in 2021, a real drop-off in, well, into 2022 really, a real drop-off in ransomware and a focus more to traditional business email compromise-style attacks. So instead of compromising an organisation, encrypting data, stealing data, and then extorting the victim, we were seeing more attacks focused on getting in the way of invoice payments and stealing just hard, you know, I say hard numbers, but currency, euros, dollars, pounds.
Now why is that? So when the criminal groups got disrupted, that was both from an operational level. So you had a famous example of Conti. They came out and said that they were for the Russian state and that they would actually hack anyone that they found to be hacking Russian infrastructure. What they didn't realise, though, is that a number of their affiliates, as these groups typically operate in an affiliate model, you have a core with a number of sort of supporting actors, a number of those affiliates were not aligned to, should I say, Russia's strategic interests, and ended up actually leaking a load of the tools and techniques and internal chats that the group actually used.
So we had some sort of operational disruption at the time, but we also had the impact of sanctions, which, you know, Ricky may come onto it a little bit later. But, you know, when you're looking at engaging with a threat actor, making a payment, one of the key aspects you need to be thinking about is, you know, can, can we actually pay? Is it legal for us to pay?
And now that can be from both a sort of, you know, within a country, are there laws that prohibit us paying? You know, I've had experience with an Italian client who ran into some issues with laws prohibiting sort of payment of ransoms that was a leftover from sort of anti-mafia laws, all the way through to whether the entity that you're looking to pay is on a government watch list for, you know, financing terrorism or is a sanctioned entity for another reason.
So when the war started, you had a lot of noise around sort of trying to clamp down on income into Russia and Russian-backed criminal groups. So all of that created a bit of a drop in the value of cryptocurrency, more concern around whether people get picked up by law enforcement. So it did have a sort of . . . It's coming back, but for a short period of time it had a real impact.
So they focused on thefts where they could steal currency directly. So just let's take the email. So getting to those emails, take money that way by injecting themselves into payment diversions, into invoice chains and going from there. So we're seeing that general trend creep up in Ireland. We're seeing it globally as well, but I want to just focus in on the Irish market for now.
What we are seeing as well with threat actors is a focus more and more on data. So before, and the classic example of ransomware is, you know, everyone turns their computer on at the start of the day and nothing is working. The screens have all got some text on them or all their files are gone. You know, that sort of thing. Now that still absolutely happens and is a symptom of a lot of the ransomware events that we respond to.
But what threat actors have been doing really since about 2019, and Maze was sort of the first ones that really popularised it, but they've been looking at data more and more. Now reason for that, organisations are getting better. They are, you know, getting better at having backups that are kept offsite. They're getting better at having segregated environments within their networks, meaning that threat actors find it more difficult to guarantee that they've got all of your data and you can't rebuild.
But with data theft, once they've got that, they've got that. There's not really anything you can do about it. So we're seeing a much bigger focus, from a threat actor perspective, on stealing data and then extorting based on that alone. One example group, BianLian, there's one or two examples of them encrypting, but they almost only take data. So the first thing you know is an email comes through to your senior leadership team with some screenshots of documents that they've already stolen from your network. And then the extortion begins from there. So some really interesting changes in the market.
You can go to the next slide now, please. So, you know, what does this mean for organisations? So organisations are being targeted a lot. And I think targeting is sort of an interesting word. I think a lot of organisations think that they're too small or they don't have the big brand to be picked up by these cybercriminal groups. But that's not what we see at all in the cases that we respond to.
Threat actors only in sort of very rare instances appear to actually target an organisation because of it being the organisation they want to target. So an example would be when Lazarus Group targeted Sony Pictures following them releasing the film. It was the dictator, sort of a comedy film regarding Kim Jong Un. So that was a sort of direct targeted attack as a response to something.
But generally, threat actors are looking for vulnerabilities. They don't really care too much where they find them. So we will see say a sector that is using a similar technology, threat actors find a vulnerability with a technology or with an operating procedure, and then we'll see them go round that marketplace and compromise more and more. Or they'll be searching just generally for, you know, remote connections that don't have multifactor authentication on them and will try and access, you know, we'll try and then phish employees, try and get credentials and go in and cause harm.
So, you know, this is very prevalent. It's impacting all organisations from our data to professional services are probably the most targeted, followed by IT and communications firms. But then there's also probably a bit of a slant there as to organisational capability, access to insurance policies that can get sort of professional support involved to support these organisations. So there might be a sort of slight bias in the data, but it really is broad and global.
One really interesting trend that I would call out as well is MFA bypass. So I think for the last sort of three, four years, maybe a bit longer, all of these, and I'll say it as well, I imagine all of these sort of presentations that you've listened to, the key control that everyone sort of goes on about is multifactor authentication. So that is when you have to enter a code or number match when you are accessing, say, your email account, for example. That comes in lots of different flavours, but the one that most people are familiar with is their bank. So when you sign into your bank, you'll almost always have to add some additional level of authentication, not just username, password, or a PIN.
Now it's easy to think, "Right, this is a threat. Here is our mitigation. We're going to be okay." But this is a dynamic environment, and threat actors are responding to what organisations are doing. If anything, you know, it's organisations responding to the threat actor more so than the other way around. But what we see then is in 2020, 2021 there was almost none . . . Well, there were none in our data MFA bypasses, but we're up to about 30% now of all of the business email compromises that we're dealing with. So when someone in fact gets in someone's mailbox, usually to try and steal money, around 30% of those now involve some form of bypassing of multifactor authentication. So it's important to kind of really keep on top of this, understand what controls you can put in place as an organisation and how effective they will be in the changing environment.
And one just sort of data point I'll call out. So it's about 200,000 is our average euro amount stolen in a business email compromise. I think it's quite easy for organisations to sort of think, "Oh, it's just someone's email. It's not going to be too harmful." But around €200,000 is our average, with around €41,000 being our median. So these are big numbers that are happening for even the smaller end of the incidents that we respond to.
Over to you, Ricky. We can't hear you there, Ricky.
Ricky: Sorry, I think I was muted there. Thanks, Giles. So just looking in terms of legal obligations and considerations for organisations, if we move on to the next slide, there's not really enough space possibly in one day to cover off what the current cyber resilience framework is, both at European level and in member states.
The main one I'm going to touch on today is the GDPR because that is currently in effect, but there are others. And there is an article on our website if you want to get a little bit more information on this, and there's so much information published on it. But looking at some of the others, there's NIS2, which was brought into law in January of 2023, and it will apply from January of 2025. So there's a little bit of time for implementation there, and it does bring about some additional security requirements. More organisations than previously are now captured by it. And if you are a supplier into one of those organisations, you may also be captured by it.
And, again, the second one is DORA, the Digital Operational Resilience Act. And that one is, again, going to come into effect in January of 2025. So NIS is going to come in before that.
So then there are others, around the EU Cybersecurity Act, and there's the EU Cyber Solidarity Act, which is a proposed act at the moment; it hasn't come into effect yet. It's currently working its way through. And ultimately they're all designed to ensure the harmonisation of cyber security measures across the EU at various levels, as opposed to having different regimes in different member states.
But looking at it from a data protection perspective under the GDPR, what it requires us to do, under Article 5, is that organisations are required to ensure the security of personal data that they process, and implement technical and organisational measures in relation to their data processing.
So what are those technical and organisational measures? They're set out in Article 32. Next slide, please. They require us to both, I suppose, consider it from a technical perspective, which Giles will get into in a minute, in terms of preventative measures, but also organisational measures.
When you're considering the measures you need to implement, it does allow you to take a number of factors into consideration. They are that you consider the state of the art. So what is the current best product available or best practice available in terms of security? And what would the cost of that be? And you can balance those two against the nature of the information that you're processing, the scope of the information and the context of the processing.
And then when you're considering what measures to put in place, you need to consider the likelihood and severity of the impact on the rights and freedoms of natural persons arising from the breach. So if you've got more sensitive information, you may have to impose increased security measures. So, for example, it's almost always, and now, you know, and it has been for a number of years, the DPC will ask us, "Does the organisation have anything in place where it will report a breach?" And most now are saying, yes, they have, obviously, but didn't in the past. But it does require you to carry out that assessment in terms of technical and organisational measures. And I'll touch on some more of the organisational measures later on in terms of training.
Giles: Perfect. Thanks. Next slide, please. So I think it's useful just sort of thinking about how an organisation should be approaching the controls that they are looking to put into place. And I think organisations often get this slightly wrong and will cherry-pick specific technical measures or specific controls that they think, "Right, that's what my peers are doing. That's what we had in my last firm. Let's just go ahead and do that, because that's going to make a difference." It may. But what you should really be doing is following a process to identify what controls you should be putting in place in your organisation, what fits best for you.
Now, the start of that is always going to be asset identification. How do you know what you need to protect and how you need to protect it if you don't know what it is? So, you know, you might be protecting the crown jewels. You might be protecting your recycling bin. You know, there are very different controls you'll be putting in place. So what is your asset? Where is it and what's its criticality?
So then we move on to the threat. So again people sort of think, "Oh, right, okay, we've got this important asset. What can I be doing about this important asset to secure it," without realising that actually there's not really a threat, or maybe there's a really big threat and the control should mitigate that. So what are the realistic threats that your organisation is going to be facing? So I said earlier, you know, as a small business, you might think that you're not going to be targeted by cyber-crime. Now I think that that is a foolish assumption. But what you probably could assume is that you are maybe not going to be targeted by advanced system threats, you know, government agencies, you know, state-backed hacker groups. You know, that's maybe something that you could think that's less likely. Or you work in a relatively, you know, uncontroversial industry, you know, maybe activists aren't going to be going after you. So that's key. So what are your assets and what are the threats to those assets?
Then conducting that risk assessment. So, right, so putting those two things together, what is the likely risk to what we're doing? And then a sense of proportionality. So identifying, you know, yes, we could be putting in all the bells and whistles, really expensive control frameworks, really expensive, you know, security tools. But if you're a small business, that's not proportionate. You know, you can't be spending 100% of your budget on securing your data. You need to be able to be agile as a business. So thinking, right, "Okay, these are the assets. These are the threats. These are some of the types of control that we should be looking at. What is reasonable for our business actually to go ahead and pay for?"
And then if you just click once, there's sort of a call-out box. So most of our cases that we work on could have been mitigated quite easily. MFA being a really key one, multifactor authentication. So having that on your emails, having that on your VPN and all your other ways of accessing systems remotely, having it on all of your external web applications, just locking down everything with MFA. User credentials get stolen the entire time. They get sold on the dark web. People buy them and try them. If you've got MFA, that stops that to a large degree, absolutely. There are ways around it. I've already discussed there are ways around it, but it helps.
Robust backup procedures. Now that's more of an impact, but it's still critical. So having backups means that when you are hit with the ransomware, then potentially the only aspect that you are worrying about is a little bit of business continuity and then potential data extortion. You're not worried about getting your operations back up and running. You're not worried about servicing your clients. You can continue doing that and give yourself time then to investigate fully.
Rigorous patching. If it's not credential theft, it's almost always someone's not patched a system. So making sure that your IT teams are looking into that, they are patching things as they need to be patched. Things aren't being left open on the internet that are, you know, running a 10-year-old version of Windows, because it's just a matter of time. We see threat actors scanning the internet for these types of vulnerabilities.
And then finally, and probably most importantly, that user training and awareness piece. Now for the MFA, for phishing emails, for not getting caught out there, you can see how it's important making users understand how they can identify malicious emails and what they should be doing about them when they're received. But also even with the more technical attack types, users will often see something a bit strange. You know, they'll see their antivirus pop up a couple of times and it'll stop. You know, little things like that, so that actually training your users as to what they can be expecting to see and what they should be doing about it gives you that really big early warning system. So just a few controls there at a very high level, but that would really help the majority of our customers.
Ricky: Thanks, Giles. So next slide there. So looking at the training that should be considered. So I mentioned earlier on, you've got to implement technical and organisational measures, and one of the organisational measures that you should implement, and that you really have to implement, is training. And the DPC, in the investigations we've been involved in dating back, you know, a decade or more at this stage, is around training.
So when is it required, and why is it important? So looking firstly at your statutory obligations and technical and organisational measures. One organisational measure is training, and it's training in relation to information security and training in relation to data protection and training in relation to your policies. But leaving aside the statutory obligations, you can have contractual obligations too. So you need to look at your customers and see what obligations they impose on you. They may have minimum security requirements, which require you to comply with and to implement certain security obligations. And that may involve training, or at least training in relation to those security measures.
And then just business resilience and continuity of business will require you to undertake training. You'll see from Giles' previous slide, you know, most breaches can be avoided by a little bit more training around business processes. And if they use MFA, training around that is important so that your employees understand completely how it works and when they should not trigger an MFA request on their device, for example.
So what topics should be covered? You should certainly cover your business policies and processes. And I touched on that earlier on when we talked about some of the DPC examples.
Privacy and data protection should be covered so that within your own organisation, people understand what their obligations are. And you might have tiered training for different people across different parts of your business that might be more involved in processing personal data. So somebody in HR, for example, will possibly need more training than someone operating a machine for example.
And then obviously, from an information security perspective, it's really important to cover password protection, phishing emails, what to look out for, and social engineering around invoice redirection. So for your finance team, we're seeing a lot of invoice redirection at the moment, and sophisticated invoice redirection, which is generally associated with social engineering.
So next slide, please, Maria. So how should you do it? Regardless of how you do it, it's important that you can demonstrate that you provided the training. And that's an obligation under the GDPR, where you must have the ability to demonstrate your accountability with the General Data Protection Regulation. So being able to show the training that you carried out and who did it. It should be easily accessible and not have kind of any barriers to the training. So if you can do it online, great. If it needs to be a little bit more than that and in person, I think it's important that you make it as easily accessible as possible.
It should be done at the time of onboarding before an individual gets access to your systems. And that's really important. But again, regularly thereafter in relation to your policies and processes.
And who should do it? It's important that it's across the entire organisation. We see a lot of instances where someone in senior management doesn't have MFA on their computer or around their access services because they just don't think it's . . . They don't have the time to learn or they don't have the time to get involved in that. So training should be bespoke and needs to be targeted at specific individuals across the organisation.
So I think we're just about over time. Maria, we had some case studies that we could try to cover off, but unfortunately we'll have to do that another day. And if you have any questions that have been coming through, happy to take those.
Julie: Hi, Ricky. Thank you. Thank you both, you and Giles. So it was great to get your legal overview about the risks around data breaches and cyber-attacks really. And then Giles, again backing that up, interesting to hear about ransomware and the evolution and how things change as well, Giles.
So first question, Ricky, aimed at yourself. You talked a little bit about maintaining integrity for the organisation when something like this happens. So what does HR need to do if something like this happens? What advice would you give to an employer?
Ricky: Well, reacting quickly is important. Hopefully, you will have a policy in place or a process in place to deal with it. So that's the first place I'd be going. I'd be looking at who I need to report it to. I'd be then considering whether we have insurance in place to deal with it, whether our policy will cover it. Maybe you need to contact your broker.
But depending on the nature of the incident, you would be bringing in senior people at an early stage: if it requires IT, if it requires PR, if it requires somebody in senior management positions, that's what we'll be doing. As was shown earlier on, if you react well to these events, then you're likely to recover more, quicker and better. And surveys have shown that organisations that have suffered data breaches, who respond well, are more likely not to lose their customers and to recover customers they have lost quicker when they deal with it well.
Julie: Okay, great. Thank you. And then, Giles, for yourself, you talked a little bit about how that's almost evolved a little bit from ransomware. So are cyber criminals using the threat of releasing sensitive information more? How has that changed?
Giles: Yeah, absolutely. And what we've also seen is how the threat actor goes about leaking has changed as well. So before you might have just had, say, a big zip file dumped on a deep and dark web site. We are now even seeing threat actors, in one instance, create an entire spoofed version of the victim's site. This was BlackCat, the threat actor group. They're a little bit more inventive than some of the others, but they created a spoofed website of their victim that had a full browsable catalogue of all the data that they had taken. So these threat actor groups are really trying to up the ante in the data leak space. And they will be searching for the more critical data. So HR data, passports, document scans, you know, those are all things that we've seen threat actors search for when they're on compromised machines. So yeah, absolutely, critical data within an organisation, HR data, is a real big focus of the threat actors as part of their extortive leverage.
Julie: Okay. All right. And then I can't remember which one of you, apologies, mentioned it earlier on. You were saying about cases where people almost sent emails to say, here's this password-protected document, and then a following email. Was that yourself, Ricky, I think, mentioning that?
Julie: So do you find that people are a lot more cyber aware now, cyber security aware, I guess I should say? Or do you find that people are still using things like the same passwords for all their programs? Do you find that they're still using passwords like children's names, pets' names, days of the week, or months?
Ricky: Yeah, there certainly has been increased resilience. Generally, as a population we've all been targeted, and we've seen the impact. So we're starting to understand why it's more important. We're also starting to see a little bit more as to what the hackers are up to and when they might be up to something. So we're a bit more suspicious. In fact, we're probably suspicious all of the time now with everything that we receive in email.
So I think it really depends. We are seeing, in terms of our clients, an increased cyber resilience around passwords. But if you are listening to the news anytime throughout this month in Ireland, there's been so much on weak passwords and the use of easily crackable passwords and so on. So that is there.
We've had some instances where we have had breaches arising from passwords being hacked, but mostly they are as a result of phishing emails, so someone providing their credentials in that way. In some instances, we can never identify exactly how it happened. So we don't know the root cause. But in my experience, certainly we've started to see an increased awareness from a security perspective around their personal information and their own devices.
Giles: Just on that one as well, so I was going to say we had one recently where a threat actor released the data. And within the data dump there was an Excel spreadsheet called, I think, "passwords". And inside that was a password. Well, it was the username, admin, and then password123, to speak to your weak passwords. That was then picked up by victims of the data leak, because the victims had gone into the data themselves to work out what data about them was in it. And due to the scale of the incident, they were able to do that in a targeted way much quicker than the organisation was able to do it from a sort of big data review perspective. And you can imagine that sort of ended up being quite a few awkward questions, when that was sort of appearing on Twitter, from the regulators sort of asking, "Are you serious? Was that really what your password complexity was like?" So yeah, just as what Ricky is saying there,
Julie: Thank you. That's interesting. I just wondered whether people, you know, because time is a factor, sometimes you do get a little bit lazy about making up new ones as well.
So thank you both very much for a very informative session. And Maria, if you could bring up just the last slide please and just a little event to talk to everybody about. And thanks very much to Ricky and Giles again.
So for Legal Island, we have our Annual Review of Employment Law coming up very soon. We are going to be at the Dublin Convention Centre on the 29th of November. We're going to have RDJ there as well. So you'll be able to see them. We'll talk about all those essential bits of employment law that you need to know for the year coming up ahead. And we've also got different topics, like neurodiversity, artificial intelligence, and emotional intelligence as well. So lots there for you to see. The program is online, and it's also in person as well if you're interested in learning a little bit more about what we have in store for you.
So just to finish off, we will have a recording of this available, and Ricky and Giles have kindly said that we can provide their slides as well so that you can catch up on any of those cases or any of those scenarios that you really want to take a little bit closer look at. And we'll also have a podcast available as well too.
So thanks very much, and again, just remember to get in touch with our sales team if you're interested in looking into cyber security awareness eLearning for your organisation and, again, mention the 25% off code, say that you were an attendee at the webinar. And thanks very much and enjoy the rest of your day.
This article is correct at 26/10/2023
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.