DATA MANAGEMENT, COMMUNICATIONS & SECURITY

Building cyber resilience


Figures from the Government show another increase in cyber security breaches or attacks last year, with the Cyber Security Breaches Survey 2024 advising that the most common cyber threats are ‘relatively unsophisticated’. Here Lauren Wills-Dixon, solicitor and data privacy expert at law firm Gordons, sets out some of the legal, regulatory and best practice measures that building services and energy managers should consider to help build cyber resilience


Cyber security continues to pose a challenge for building services and energy managers. As our reliance on digital technologies and connected systems to manage, monitor and improve building efficiencies keeps growing, so does the threat of cyber attack and malicious activity. Figures published in the recent report from the UK’s Cyber Security Breaches Survey 2024, which details the cost and impact of cyber breaches and attacks on businesses, charities and educational institutions, are alarming. Half of businesses (50%) report having experienced some form of cyber security breach or attack in 2023, and the figures are higher for medium (70%) and large businesses (74%) and for high-income charities with £500,000 or more in annual income (66%).

By far the most common type of breach or attack is phishing (84% of businesses), followed by others impersonating organisations in emails or online (35% of businesses) and viruses or other malware (17% of businesses and 14% of charities). The report estimates that the single most disruptive breach from each business, of any size, cost an average of approximately £1,205; for medium and large businesses, this rises to approximately £10,830.

Clearly this is a challenge for organisations in any sector, but particularly those which rely heavily on IT infrastructure and connected systems to streamline their operations. However, the good news is that cyber security can be maintained with some relatively simple steps, particularly when supported by a third party provider or professional advice. While the report notes that phishing attacks have become more sophisticated because of advances in technology, it also states that the most common cyber threats are “relatively unsophisticated.” With this in mind, here are some of the legal, regulatory and best practice measures that we are increasingly supporting clients with, to help build cyber resilience.


28 BUILDING SERVICES & ENVIRONMENTAL ENGINEER SEPTEMBER 2024


Business continuity and disaster recovery plan


Companies that have been hacked often have resilient, industry-leading security measures in place, but incidents still happen, whether through vulnerabilities or human error. It’s important to prepare for the worst. A good plan will identify the appropriate individuals in the organisation who need to be involved in decision-making; technical details on if and how the business can continue to trade without some or all of its key IT systems; how PR and communications are dealt with; and the technical detail on transfers, backup and restoration of any data subject to a data breach (this is often achieved with help from third party experts). Organisations should also have cyber, PR and legal experts on hand to support quickly with an incident as soon as it is identified, assisting with any regulatory notifications which need to be made - usually within 72 hours of the organisation becoming aware of the breach.


A “privacy by design and default” approach


Remember, the survey shows that 84% of cyber incidents are caused by phishing links and similar – if only one person clicks on the wrong link, it could infiltrate parts of an IT system. Protect your organisation by making sure staff are aware of policies and regularly trained on best practice with respect to cyber security and data protection.


Map data and risk assess from there


For example, sensitive HR data will likely need more access restrictions and additional protections than a database of B2B contact details. Consider applying additional security measures, such as pseudonymisation, to high-risk data.


Review contractual terms


When engaging with any third party provider, for example an endpoint detection provider that will support with scanning for any unusual or unauthorised activity within an organisation’s network, take time to review the proposed contractual terms before signing the contract. Look out for the key obligations on the provider, the commitments it is willing to give and its financial liability if things go wrong. Vendors of one-to-many platforms or services usually seek to operate on standard T&Cs and often heavily limit their liability under the agreement to ensure they don’t take on an unworkable amount of risk. That being said, customers of these services should seek, where possible, to negotiate these terms to a balanced position.


As part of the supplier onboarding process it is also prudent to undertake financial due diligence on vendors to understand whether they are likely able to support their financial liabilities under the contract.


Invest in your cyber security


All too often, organisations only invest in cyber security software and protections when something goes wrong. The report shows how prevalent these attacks are and how they can affect any organisation. Such measures cannot completely prevent attacks, but they can help detect threats early and help keep systems as secure as possible. We have advised on many incidents where endpoint detection has spotted a threat early, and the adverse effects have been identified and mitigated quickly. It is also a legal requirement under data protection laws, where personal information is concerned, to have appropriate technical and organisational measures in place to protect personal data.


Read the latest at: www.bsee.co.uk

