
Cyber security risks: how to stay safe and compliant

Some of the biggest corporations in the world have fallen victim to cyber attacks in recent years. But it’s not just information held by global giants that’s attractive to cyber criminals: small and medium-sized businesses face the same risks. Cyber security is now an essential consideration for every organisation. Here we look at some of the main risks and how you can mitigate them, and we consider the general legal framework that companies should follow when considering cyber security.

Cyber security: what are the risks your business could face?

As cyber criminals become increasingly sophisticated in their methods, the risk to businesses from cyber crime is greater than ever. A 2018 survey of 400 small businesses in the US revealed that two-thirds of the organisations surveyed had experienced at least one cyber security incident in the previous two years.

It’s notable that most of those questioned in the survey blamed human error, lack of training and a poor understanding of the repercussions of cyber crime for their exposure to an attack. A cyber attack on your business that jeopardises personal data could result in heavy fines from the ICO as well as long-term reputational damage to your business as consumers lose faith in your ability to securely process their data.

What regulations do you need to comply with?

The measures you are required to take to address cyber security risks will depend on the nature of your business and the risk your processing poses. But taking some form of proactive action to prevent cyber attacks is no longer optional for most businesses. There is no single set of regulations that applies in this area.

Instead there is a raft of regulations – some rules apply to everyone and others relate to specific industries and sectors.

The two main sets of regulations are:

  1. GDPR: The security principle means that when you process personal data you must do so securely and take all appropriate ‘technical and organisational measures’. This will involve some form of risk analysis and an assessment of your internal procedures. It will often include measures like pseudonymisation and encryption of data.
  2. The Security of Network & Information Systems Regulations (NIS): These govern IT systems and apply to businesses in the energy, health and transport sectors. They also apply to cloud service providers. They are designed to mitigate the fallout from incidents affecting the security of network and information systems.

Other laws apply to cyber security in financial services companies and businesses providing electronic communications. It’s important to remember that the regulations across all sectors are flexible: the measures a business is required to implement should be appropriate and proportionate for the business in question.

How to reduce cyber security risks

We referred above to a survey that showed most successful cyber attacks resulted from human error. To reduce risk, it therefore makes sense for businesses to invest in staff training and awareness around cyber security.

For example:

  • Educate all staff – not just those working in IT – about malware and unsecured networks and introduce strict protocols around opening email links and other electronic communications.
  • Ensure there is proper training when new systems are introduced. For example, if new software systems are rolled out across the organisation, it’s crucial to equip staff with the understanding to operate them correctly.
  • Introduce an information security policy that co-ordinates the right teams and people, limits access to company devices and systems and ensures regular security reviews.

How to manage risk with commercial transactions

An effective approach to cyber security doesn’t just involve assessing your internal processes. When you do business with third parties you must also consider their processes: if an external company – a contractor, client, service provider or customer – has inadequate security, this poses a risk to your own data and information systems.

It’s essential, then, to make proportionate and appropriate due diligence enquiries into third party IT systems, data security policies and staff training to ensure that any data you share with them is secure and will be processed in a way that complies with GDPR and any other relevant legislation. Depending on the circumstances, you may wish to implement security policies that any third parties you deal with must sign up to.

Cyber security risk assessment checklist

As part of our data protection training, we put together checklists to help companies meet their obligations under GDPR. Specifically, these checklists encourage companies to observe GDPR’s security principle – protecting their data against unauthorised processing and accidental loss with appropriate technical and organisational measures.

A checklist for cyber security measures should direct staff to:

  1. Analyse the risks to data security posed by the way the organisation processes personal data.
  2. Assess the cost of implementing any security measures: are they proportionate?
  3. Introduce an information security policy.
  4. Review information security policies regularly and update where necessary.
  5. Implement essential technical controls and consider signing up to the government-backed Cyber Essentials certification scheme.
  6. Use encryption and/or pseudonymisation where appropriate.
  7. Introduce adequate recovery systems to deal with any security breach.
  8. Regularly review your security systems.
  9. Ensure third party processors you deal with maintain adequate security protocols.

How to deal with a cyber security breach

Many cyber security incidents will have internal implications only and it will be up to you as a company to take the steps you think appropriate to deal with the consequences of the attack. Some attacks however will involve a breach of personal data that must be reported to the Information Commissioner. This means:

  • You must report a breach to the ICO within 72 hours of becoming aware of it, unless you can demonstrate that it’s unlikely to result in a risk to individuals’ rights and freedoms.
  • If you think there is a high risk to individuals you must also inform them of the breach without delay.
  • Consider reporting the breach to the National Cyber Security Centre (NCSC). This is not a legal requirement, but the NCSC has the expertise to help companies minimise the reputational damage caused by a cyber security incident involving personal data loss.

We’ve explained how your business could be at risk from a cyber attack and the legal obligations you need to be aware of. Small and medium-sized businesses that lack the IT resources of larger companies can often be seen by cyber criminals as an easy target, so it’s essential to ensure you have adequate security protocols in place. If you have a question or concern about your business’s cyber security protection measures, contact one of our data protection specialists today.

About our expert

Becky White

Senior Data Protection & Privacy Solicitor
Becky is an experienced data protection and privacy lawyer who qualified in 2002. She supports clients with navigating data protection compliance and provides practical commercial advice related to privacy laws.
