Identify key business assets
As a first step, take an inventory of your business assets and identify those that are critical or otherwise of high importance. Your inventory should include your key intangible assets (for example, customer data stores, business plans and trade secrets) as well as physical networks and hardware.
Identify external dependencies
Your inventory should consider assets outside of your organisation upon which you rely. Does your business operate using an external network or cloud service provider? Do you offer any services that customers are able to access remotely? Do your subcontractors have control over any of your key assets?
Assess risk associated with the above
For each asset that you have identified, consider its value to the business. Assess how much damage your business could suffer if that asset were compromised, whether through loss of confidentiality, integrity or availability. This will help you to determine the level of security that each asset warrants.
Audit of supply contracts
Part of your risk assessment should involve a review of your existing supplier relationships. Do you have appropriate warranties on IT security? What remedies are available should your supplier cause a network breach? Our Commercial team can audit your supply contracts and advise on these points.
Review employment contracts and internal policies
It is important not to focus solely on protecting against threats from outside your organisation – PwC's 2014 Global Economic Crime Survey found that more than half of companies surveyed reported their main threat to be from an insider. Our Employment team can advise on the adequacy of your standard terms of employment and internal policies to protect against insider security threats.
Assess safeguards over trade secrets and intellectual property
Our Trade Secrets group can advise on the protection available for your intellectual property, including any registration requirements and how best to document and manage your business ideas.
Develop measures and policies commensurate to risk profile
Attempting to secure every area of your business to the same high standard can quickly run up unwarranted costs. A more sensible approach is to apply protections proportionate to the risk faced by each part of your business. Having identified your key assets and the risks associated with each, you will be able to determine the areas that require the most protection and allocate your IT spend accordingly.
The level of security that you require will depend on the risk profile of your business. Possible measures that you should consider include: deploying malware protection and automated system monitoring; introducing IT policies for staff and subcontractors; user awareness and training; and creating incident response plans.
Review and negotiation of IT licences and consultancy agreements
Depending on the level of risk that you face, you may consider enlisting a specialist IT consultant to help implement your security measures. Our commercial expertise and deep industry knowledge of cybersecurity mean that we are well placed to advise on any software licences and service contracts associated with your IT security.
Compliance check of personal data storage
Our Data Protection group can advise on the suitability of your measures to protect customer information and other personal data.
Staff awareness and reporting
With adequate training, your staff can become your front line for detecting cybersecurity breaches. It is important that your employees are able to identify possible threats to your network and are aware of how to report incidents.
IT solutions (e.g. real-time monitoring software)
As well as training staff to detect cyber threats, you may consider deploying dedicated monitoring software or managed detection services to identify and report breaches. A vast array of monitoring products is now on the market, and we would recommend researching carefully which products are most suitable for the assets and risks you identified in the earlier steps.
Short-term legal resource to maintain business continuity
Depending on the scale of the breach, your in-house legal teams may be required to assist with your response at short notice. Bird & Bird can provide extra bandwidth to your legal team to assist on business as usual matters whilst your legal team is engaged in resolving the incident.
Follow business continuity procedures
It is at this stage that your early work to identify and protect your business assets pays off. Follow your business continuity procedures and plans to allow your business to continue operating whilst you work to resolve the breach.
Identify the source of the breach
An important part of resolving the breach is to work out how it happened and, where possible, who was behind it. Establishing the point of entry and the root cause allows you to close the gap and stop the same breach from happening again. Identifying the perpetrator will also help should you wish to take action against them, although attribution is often far harder than establishing the root cause.
Advice on compliance with data protection and cybersecurity regulation
Depending on the scale of the breach, the nature of your business and the jurisdictions in which you operate, there may be regulatory requirements that you have to comply with following a security breach. Our global reach and market leading expertise in cybersecurity and data protection mean that we are well placed to advise on any regulatory steps that you must take.
Advice on regulatory compliance
Businesses today operate in a patchwork of regulation on cybersecurity and data protection. With offices in 18 countries and strong links with an international network of lawyers, we can advise on any regulatory steps that you should take having identified a security breach.
Having identified the breach and maintained business continuity, your next focus should be to prevent the breach from reoccurring. The steps that you should take will depend on the cause of the breach and could vary from updating your IT architecture to restricting user access to your network.
Notify affected customers, employees and subcontractors
It is important to take stock of any data that has been compromised so that those affected can be notified. You should investigate the scope of data that has been affected and give appropriate notices to any affected parties.
Advice on ownership of software fixes
Our expertise in contracting for IT services and intellectual property issues means that we can offer comprehensive advice on the licensing and ownership of any software fixes that you require.
Advice on liability for losses
Our Dispute Resolution team can provide a thorough assessment of your potential liability arising from the breach as well as that of any parties from which you may seek to recoup your own losses.
Update internal policies and procedures
After resolution of a breach, it is worth considering whether your internal policies and procedures on IT security could be updated to prevent the same breach from reoccurring. Depending on the severity of the breach, it may also be helpful to provide training to employees on how the breach occurred and how similar incidents could be prevented in the future.
Share lessons learned with wider community
Collaboration on cybersecurity is one of industry's best defences against attackers. Various industry forums exist where businesses can exchange information on current cyber threats. It may be of benefit both to you and the wider business community to share details of the breach, the techniques used and its likely source.
Consider enforcement action if possible
It can be notoriously difficult to identify and track down perpetrators of cybersecurity attacks. To the extent that your investigations reveal the source of the attack, you may consider informing law enforcement or bringing a claim against the attacker.
Our Dispute Resolution team can assist should you wish to bring legal action against the parties responsible for the security breach.