
Think before you’re hacked. Being legally prepared for a cyber-attack.

16 June 2025


The last few weeks have seen a flurry of headlines about successful cyber-attacks on high street names and public bodies. And these are just the cases we hear about. Many incidents never reach the public domain; they are resolved quietly, or ransoms are paid behind closed doors.

Cyber-attacks are nothing new, but the latest data shows that 70% of UK organisations have experienced a rise in incidents over the past year. Attacks have become increasingly sophisticated over the last decade, and the legal landscape has evolved alongside them.

The current public interest in the security of sensitive data may, however, give organisations an opportunity to reflect on their current cyber roadmap and to re-engage their workforce and supply chain on the subject.

Targeted threats – are they really “a thing”?

I think it's fair to say that most organisations appreciate that cyber-attacks can be either opportunistic or targeted. But is it the case that some sectors are more vulnerable than others?

Opinions on this may be divided, but an excellent source of information, should you want to consider the challenges faced by your particular sector, is the National Cyber Security Centre (NCSC). On 21 May 2025 the NCSC published a news article on its website highlighting that some western logistics and technology organisations are facing a specific targeted threat, and urging those organisations to familiarise themselves with the threat and act accordingly.

And it's not just the tech and logistics sectors. Over the years the NCSC has issued sector-specific reports and guidance highlighting the threats faced by particular industries and what they can do about them. Professional bodies have also provided advice and guidance to their members on their own industry's challenges. For any organisation taking its cyber resilience strategy seriously, the NCSC and your professional body (if you have one) are useful sources of information and guidance.

It’s more than just an “IT” problem

So, what does this mean in real terms for organisations? Well, it means that cyber security is not just an “IT” problem. To meaningfully combat a threat, the whole organisation has to embrace the challenge.

Cyber security isn't just a technical matter; it's a cultural issue, just as important as ensuring equality within the workplace and financial sustainability. It's more than implementing a phishing awareness campaign. It's about making sure that staff know they are a critical line of defence, and often the first one. It's about creating a culture where people can own up to their mistakes promptly, without fear, and where they know who to go to for guidance and assistance. It's about a culture in which people accept that taking shortcuts just to "get the job done" is not acceptable where those shortcuts have security implications, and where people truly believe that the only "silly question" is the one they wanted to know the answer to and were too afraid to ask. If I had a penny for every time I heard someone say they were embarrassed to ask a question, I would be a wealthy man.

It is timely, therefore, that on 4 June 2025 the NCSC launched its guidance on cyber security culture principles. Whether you're a cyber security professional or a leader within your organisation, take a look. It's compelling reading!

The two Ps

So, aside from understanding your sector's specific challenges and threats and working to create a security-conscious culture in the workplace, what else can organisations do to protect themselves in this particularly challenging environment? In very simple terms, I tend to think of this as the two Ps: preparation and post-event analysis.

Preparation

To borrow the phrase used in the UK GDPR, organisations need to have in place appropriate "technical and organisational" measures.

In terms of organisational measures, this includes policies and procedures that suit the organisation (off-the-shelf solutions are not always fit for purpose), properly utilised risk registers, responsibility matrices, training, auditing and simulating a crisis response. Having the correct contracts in place is also key, as is having your team of third-party service providers on standby should a cyber-attack succeed and you need to respond. Remember that response times are set out in contracts as well as in the law (the UK GDPR, for example, requires a notifiable personal data breach to be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it), so timeliness is everything.

In terms of technical measures, it's more than just having a password policy, a firewall and anti-virus software in place. It's about patching promptly, enforcing least-privilege access (and multi-factor authentication, which a password policy alone does not give you), logging and monitoring so that an incident is actually noticed, and implementing appropriate business continuity measures, including backups that have been tested and cannot be reached from the compromised network. What will suit one organisation will not necessarily suit another, so each organisation needs to think about its own infrastructure and threats.

Don't forget that your supply chain can be the route by which an attacker reaches you, so you need to consider it too. Certifications and standards such as Cyber Essentials Plus and ISO 27001 are no guarantee that you won't fall victim to an attack, but they show that your organisation is reviewing its practices and trying to act in a responsible way.

Post-event analysis

For the purposes of this article, I'm not going to comment on what to do during an attack; suffice it to say that if you've prepared properly, it's time to put your action plan into effect and remember to take a breath. It's stressful. But keeping a clear head, and accurate, time-stamped records of what you knew, when you knew it and how you addressed the situation, will be key to a successful outcome. Also key is watching those communications coming out of your organisation: are they correct and meaningful? Incorrect but well-intended statements made during an attack can cause legal and reputational problems later.

Post-event, you really want to look at how you handled the situation. Look at what you did well and what needs work. Learn from the event. Update what needs to be updated, then test and re-simulate. And remember to thank those staff who did a great job. Staff retention can be an issue, so a successful strategy must surely take key internal stakeholders into account.

This is a fast-moving area, but you're not alone. At HCR Law we have a dedicated team of lawyers who specialise in data governance and information and cyber security. We're always here to give you a helping hand.
