Cybersecurity: A 10 Step Legal Guide for Companies Operating in the Built Environment and Technology Sectors
May 25, 2023
Digitalisation didn't happen at a slow crawl. It came like a wave, so rapid, that companies around the world have found themselves in a never-ending battle of playing catch-up.
These digital systems and technologies have enabled businesses to be more efficient, more innovative, and more competitive. However, it has also fostered a dangerous sense of dependency - a relationship in which companies are reliant on digital systems that are constantly at risk of cyber threats. A relationship in which companies are unlocking growth with technologies more vulnerable to financial, operational, and reputational damage.
This article explores the legal obligations imposed upon companies operating in the built environment and technology sectors, and outlines key practical steps businesses can take to protect themselves from cyber risks.
What cyber threats should all businesses be aware of?
- Ransomware attacks: Ransomware is a type of malicious software that encrypts a victim's data and demands payment for its release. These attacks can disrupt critical systems and operations, resulting in significant financial and operational losses.
- Data breaches: This is the unauthorised access to sensitive data, including personal information, intellectual property, and trade secrets, which can ultimately lead to financial losses, reputational damage, and regulatory penalties.
- Insider threats: Malicious or negligent actions by employees or other insiders can compromise an organisation's security and result in unauthorised access to sensitive information or disruption of critical systems.
- Supply chain attacks: Cyber attackers may target an organisation's suppliers or other third parties in an attempt to gain access to sensitive data or disrupt operations.
- Industrial control system (ICS) attacks: Cyber threats targeting ICSs, such as supervisory control and data acquisition (SCADA) systems, can result in physical damage to infrastructure, production downtime, and potential safety risks.
Often when a company embarks on creating a strategy for cybersecurity protection, they look to the technologists - the advisors and consultants that build everything from cloud security systems to comprehensive code that encrypts user processes. However, what is often overlooked, and worryingly so, is the need for a comprehensive and anticipatory legal approach to cybersecurity.
Our specialists at Conexus GC provide Virtual Counsel to businesses on this exact topic. We answer questions such as “What laws will my technology need to comply with?” and “Are our digital systems aligned with regulation or are they exposing us to the possibility of sanctions?”
It is questions such as these that bring us to the most important question of all, answered below.
What are the most important legal and regulatory obligations for companies operating in the built environment and technology sectors?
There are numerous legal and regulatory obligations relating to cybersecurity. However, these are the main laws and regulations that a UK company operating in these sectors should comply with:
Data protection laws: Under the UK GDPR and Data Protection Act 2018, businesses have a responsibility to implement appropriate technical and organisational measures. This should sufficiently protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.
Network and Information Systems (NIS) Regulations 2018: These regulations apply to operators of essential services (OES) and digital service providers (DSPs) in the UK, and require them to implement appropriate security measures to protect their network and information systems from cyber threats.
Industry-specific regulations: Companies in certain sectors, such as energy or telecommunications, may be subject to additional industry-specific cybersecurity requirements such as the Privacy and Electronic Communications (EC Directive) Regulations 2003, the Financial Services and Markets Act 2000 and the Financial Conduct Authority (FCA) Handbook.
Contractual obligations: Whether it be employees, suppliers or third parties, all contracts should factor in the risk of cybersecurity threats, the right to audit, and include relevant provisions to tackle both of those. This translates to provisions stating that all parties to the agreement are abiding by company cybersecurity policies, data access and protection requirements, system maintenance standards, system security standards, incident response standards, and any other industry-specific regulations that may influence the activities of that relationship.
Understanding the legal landscape of cybersecurity is important, but this understanding is only the first stage of the process. When a company chooses to use digital systems and technologies, there are ten key steps that they can take to protect their operations, assets, and reputation from cyber threats.
10 key steps to enhance your business' cybersecurity
Step 1: Conduct a cybersecurity risk assessment
A comprehensive risk assessment can help businesses identify their most critical assets, assess potential vulnerabilities, and prioritise cybersecurity initiatives.
Step 2: Implement a robust cybersecurity framework
Adopting a cybersecurity framework, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, or the UK government's Cyber Essentials scheme, can help businesses establish a structured approach to managing cyber risks.
Step 3: Develop and enforce cybersecurity policies and procedures
Draft clear and comprehensive cybersecurity policies and procedures, covering areas such as access control, incident response, and employee training. This helps businesses to establish a strong cybersecurity culture and ensure consistent adherence to best practices.
Step 4: Invest in employee training and awareness
Human error is a leading cause of cybersecurity incidents. Regular employee training and awareness programs can help reduce the risk of insider threats and improve overall security posture.
Step 5: Implement appropriate technical security measures
Businesses should deploy a range of technical security measures, including firewalls, encryption, multi-factor authentication, intrusion detection and prevention systems, to protect their digital assets and infrastructure.
Step 6: Regularly monitor and review your company's cybersecurity posture Ongoing monitoring and review of an organisation's cybersecurity posture can help identify and address emerging threats and vulnerabilities. This may involve conducting regular security audits, penetration testing, and vulnerability assessments.
Step 7: Develop a comprehensive incident response plan
A well-defined incident response plan can help businesses respond quickly and effectively to cybersecurity incidents, minimising potential damage and downtime. The plan should include clear roles and responsibilities, communication protocols, and recovery procedures.
Step 8: Engage with third-party suppliers and partners
Businesses should assess the cybersecurity practices of their third-party suppliers and partners to ensure they meet appropriate standards and do not introduce additional vulnerabilities into the supply chain.
Step 9: Collaborate with industry peers and law enforcement
Sharing threat intelligence and best practices with industry peers and engaging with law enforcement agencies can help businesses stay informed about emerging cyber threats and strengthen collective defences.
Step 10: Obtain cybersecurity insurance
While insurance cannot prevent cyber-attacks, it can provide financial protection and support in the event of a cybersecurity incident, helping businesses recover more quickly and maintain customer confidence.
Cybersecurity is a critical concern for companies operating in the built environment and technology sectors. The increasing reliance on digital systems and technologies exposes businesses to a growing range of cyber threats and vulnerabilities. By understanding the cyber threat landscape, complying with legal and regulatory obligations, and implementing a robust and comprehensive approach to cybersecurity, businesses can protect their operations, assets, and reputation from cyber risks and build a more secure and resilient digital ecosystem.
If your business operates in the built environment or technology sectors and would like to know how the topics in this article apply to your case specifically, please get in touch with our legal experts here.