Andrew Avanessian, vice-president at endpoint security software firm Avecto
Construction companies represent an extremely lucrative target for cyber crime – they hold vast amounts of sensitive customer and employee data and are often seen as leverage to access other companies in their supply chains. Despite this, many continue to rely on reactive solutions rather than proactive cyber defences.
Naive employees are the obvious target for those looking to access the corporate system – used to receiving a lot of emails and opening attachments quickly, they are likely to fall for malicious phishing scams. Although the technology to protect against these scams is relatively simple to implement, many companies only look to invest in this following an attack.
Nick Gibbons, partner at insurance and risk law firm BLM
Many in the sector still see cyber risk as primarily a personal data risk, despite the EU’s new Cyber Security Directive, which addresses every type of risk. This is of significant concern because a cyber attack on infrastructure may result in devastating physical damage, personal injury and fatalities, rather than simply financial loss.
Each business needs to ask whether it has implemented organisational measures in addition to technical security. These include: appointing a cyber risk manager; checking the security of suppliers and advisers; and creating a risk management plan for each type of cyber incident.
Justin Harrington, partner at law firm Blake Morgan
From a legal point of view, cyber security is rapidly moving up the agenda with the introduction of the new EU General Data Protection Regulation.
This will introduce mandatory reporting for any organisation that has suffered a security breach – it will be compelled to report the attack to the information commissioner wherever there is a risk that client or personal data may have been compromised.
There will also be a duty to advise any third parties whose data may be affected. Failure to do so carries a fine of up to £20m or 4% of the company’s worldwide turnover. It is likely that businesses will need to comply with this regulation to continue to trade in Europe, regardless of the outcome of the EU referendum.
This may also lead to increased litigation as third parties seek legal redress. Businesses will need to ensure not only that their systems are as safe as possible, but that they are prepared to defend themselves if the worst should happen.
Neil Hampson, PwC’s UK cyber security practice leader
Companies need to understand the risks they are facing and from whom – the most likely threats will involve financial crime, nation states and hacktivists. They need to understand what information they hold and who has access to it.
Companies also should be investing in technology, but more importantly in awareness, assurance and monitoring of activity. They need to practise their response in a crisis scenario.
They need to make cyber crime a board issue rather than a technology issue – it’s all about developing an appropriate risk posture.