October is Cyber Security month!

Government statistics reveal that a staggering 39% of businesses experienced a cyber-attack last year. 74% of all data breaches can be traced back to human error. It’s not enough to rely on your IT team, HR should be front and centre in the fight to protect data and in making sure that all employees know their responsibilities.

Employment Law at 11 regulars, Seamus McGranaghan of O’Reilly Stewart Solicitors and Christine Quinn of Legal Island, discussed all things Cyber with special guest expert, Keith Anderson of Vertical Structure.

Keith discussed:
1. Best practice for your systems and protocols.
2. Lessons from the PSNI breach.
3. The biggest cyber risks to be aware of, how to avoid them with all staff training and hear how Legal Island can support you on this journey

While Seamus covered all the legal angles including:
1. How to assess risk following an incident.
2. Ransomware: when can you pay a ransom? Should you pay a ransom?
3. The investigation, legal privilege and DSARs by both employees and ex-employees.

Recording:

Transcript:

Christine:  Good morning, everyone. Welcome to Employment Law at 11, sponsored by MCS Group.

My name is Christine Quinn. I am one of the Knowledge Partners here at Legal-Island. A bit about my background. I'm a qualified employment solicitor. I'm not practising at the moment. Thoroughly enjoying my work here at Legal-Island.

I'm joined, as usual, by Seamus McGranaghan, Director and Employment Law Expert at O'Reilly Stewart Solicitors. We're also joined today by a special guest, Keith Anderson of Vertical Structure. Keith is Lead Information Security Consultant at Vertical Structure and helps them keep everything safe for their clients by helping them achieve and maintain certification to include ISO Cyber Essentials and GDPR compliance. So you're very welcome, Keith and Seamus.

Keith:  Thank you.

Seamus:  Good morning, Christine.

Christine:  So what are we talking about today? You may or may not know that October is Cyber Security Awareness Month, so today we want to give you the most up-to-date tips and advice on all things cyber.

During today's session, you'll be exposed to numerous examples highlighting the importance of implementing organisation-wide cyber security training. It's easy to say, "It's IT's problem", or, "Let's just outsource this", but today we're going to explain to you why cyber security is everyone's responsibility, and it's not just for the techies in the organisation.

So you might find managing this initially daunting, but Legal-Island offers a comprehensive all-staff training course that can greatly assist you. And more importantly, our eLearning team are offering a discount to today's attendees. You may have seen my LinkedIn post promising to try and secure you a discount. Well, I succeeded, so stay tuned for that.

If you're interested in trialling the course on behalf of your organisation, if you could type "yes" in the question box now, a member of our eLearning team will set you up with free demo access after the webinar. And of course, I will tell you more details on the discount we're offering a wee bit later.

So thanks as always to our sponsors, MCS Group. MCS help people find careers that match their skill sets perfectly, as well as supporting employers to build high-performing businesses by connecting them with the most talented candidates in the market. If you're interested in finding out how MCS can help you, head to www.mcsgroup.jobs.

So, as usual, we're going to kick off with some polls. Maria is just going to put the first poll up for us. Does your organisation currently provide all employees with cyber security training? If you can answer yes or no there, let's see what type of audience we're dealing with today. Are you all very clued up and trained to the hilt, or are you still waiting on your training?

So let's have a look at that result. Seventy per cent are saying yes, so that's encouraging, isn't it, Seamus, that we're on the right track here?

Seamus:  Yeah, absolutely. We know that a lot of the guidance coming out in some of the recent case law and things like that as well, particularly around those ICO cases, has been that the training aspect for employers is really, really important.

And even some of the guidance that you see out there talks about going further than just training, Christine. They talk about having tests and running little schemes in the office to test staff in relation to breaches and things like that that can happen. So you're really testing your structures, your procedures, and your guidance that you have there. That's a way, I suppose, of keeping staff on top of what it is.

As you know, it's always very easy to say, "Yeah, we have a policy on that", that nobody's looked at in three or four years. So it's keeping it fresh and it's a bit more than just bringing everybody in and giving some training or putting together a session on it.

I think that it's something that has to sort of work on a live basis throughout your organisation. Make sure that those tests are happening, and even running tests that, "If this was a data breach, how would we all react?" and not necessarily letting the staff know that that's going on.

Christine:  Yeah. Brilliant. Thanks very much, Seamus. And Maria, if you could just put up the next poll please, that would be great. When was cyber security training last delivered to all employees? So if you could click one of those answers. Less than 12 months ago, between 12 and 24 months, over 36 months, or never. Hopefully we don't have too many nevers there, but . . .

Keith:  It'll be interesting, yeah.

Christine:  Yeah, because I think it's tempting to just train people on induction and then leave it. So less than 12 months ago. I think I'm fairly encouraged by that, Keith. What do you think? Fifty-nine per cent say less than 12 months ago. What would be your gold standard, I suppose?

Keith:  It depends what you're training on, I suppose. It depends on content, but yeah, that is encouraging. We would always expect, at a minimum, a company has an annual refresher as well as catching any new joiners as they come in as well.

And just to go back to Seamus's point, the vast majority of cyber incidents, the root cause can come back to not human error, but social engineering. It's always a human-based weakness that the attackers go for, and we see that over 80% of these attacks are that. Yet whenever we look at businesses, their spend and their investment on those type of protections, awareness training, and things like that can be less than 5% of what they spend on, say, firewalls and hardening and things like that. So that's great to see, but definitely room for improvement.

Christine:  Yeah. So "people are your weakness" is kind of the message.

Maria, let's have a look at the third poll, then. What factors restrict you from delivering all-staff cyber training? So we've got staff time limitations, logistical delivery, cost, senior management buy-in, or the kind of attitude of "it'll never happen to us". What's everyone thinking there? If you could just vote please, and we'll see what mind-set you're in this morning.

If we could have a wee look at that result there, Maria, that would be fantastic. So staff time limitations there is coming out on top.

I think that there is that misconception that all-staff training takes everyone away from their general duties and it disrupts your workforce a lot because you have to get everyone into a group to train them, you have to book a trainer, you have to get your croissants and your coffee and get everyone in the same room.

But the beauty of the eLearning trainings that Legal-Island have launched is that you can just get it on their laptops. They can do it as and when they have a moment. I mean, they're compliant and up to date on that training at a time that suits them and suits the business. So stay tuned for that discount and we'll see if we can help you out with that.

Brilliant. Thanks very much everyone for getting involved with that.

So Keith, you've spoken a couple of times for us and I'm always really fascinated with your kind of description of what your typical cyber security ransomware type criminal is like. In my head, I've always thought an American teenager, lives with his mum, hoodie on, kind of in a basement somewhere doing dark deeds. That's not really the reality, is it?

Keith:  So it's a mixture. The organisations who are doing the vast majority of ransomware at the moment are quite organised in terms of . . . Some of them might be double-jobbing. So they're software developers during the day for a big enterprise company, and then at night they're running ransomware grifts to try and catch their competitors' sites and make a double salary.

We do see what you call the script kiddies as well. But they generally focus more on doing a little bit of damage to sites and things like that.

I was on a long flight yesterday home listening to a podcast about the 15-year-old kid who hacked into Twitter and then posted crypto scams on Barack Obama's Twitter account. You're thinking, "Of all the things you could do when you get into Barack Obama's Twitter account, you post a Bitcoin scam? What a waste".

So you have that side, but we see some of the big ransomware gangs like LockBit, like Revo, like all the ones that are . . . Black Basta. I need to say that very carefully. The ones like that who are coming out are very organised.

And actually, there was a big ransomware gang called Conti, who were massive. They accounted for over 50% of all ransomware attacks and pay-outs in 2020, 2021. And they were a mixture of Russians and Ukrainians. Whenever the Russia-Ukrainian war kicked off, all the Russian members of Conti pledged their loyalty to Russia, and the Ukrainians sort of went, "Excuse me?" And what happened was one of the Ukrainian gang members released all of Conti's internal workings, almost hacked his own organisation.

It was fascinating because what we realised was they were bringing in revenue in the high tens to hundreds of millions every month.

Christine:  Wow.

Keith:  They were enterprise ransomware. There was even an organisational structure released, and they had a bank of developers. They had a sales team, because if they got the data, they would try and sell it on. They had customer support because if you got hacked and ransomwared by them, you could log in and then start dealing with somebody in customer support. They had a whole management structure. Around 60 people were working for Conti at the time, and they fell apart. But it was a real eye-opener into just how sophisticated they are.

I think it's within any sector, and Seamus would probably agree, that once you start adding big money into it, it becomes sophisticated. It becomes something that is really focussed and they will attack you in the same way as your sales team will go after new clients, with that level of effort and thought.

Christine:   Yeah, that blew my mind when I heard it. I can just imagine them all in their lovely office now. Maybe they've got their HR team and stuff.

Keith:  Well, I think it was all very remote, but they released chat logs. In some of the chat logs, the developers were complaining about long hours and poor pay, so . . .

Christine:  So even in criminal organisations, everyone's on burnout.

Seamus:  Like every other office, yeah.

Christine:  So Seamus, I'll bring you in now. If an incident occurs, so somebody has unfortunately clicked on the wrong link in the email in your organisation, what are the first things that people should be doing to keep themselves safe?

Seamus:  Well, from experience and from client work and things like that, I suppose the culture in the workplace has to be that if there is an incident that happens, and whether it's a data breach, whether it's a more severe ransomware situation, once there's been any kind of concern, the employee needs to be in a position where they're coming to report it internally.

You don't want to wait until your whole entire system or server is completely manipulated and it's too late to do anything about trying to salvage or to take those steps.

I always have a funny image in my head of people running around pulling the wires out of every socket in back of computer and every server that they can see in order to try to limit the damage when these things happen.

And I think we all try to be as aware as possible. If we're getting good training and we are getting the testing that happens and things like that, if that is all good, that's all very, very helpful. But there's always that little slip that has the potential to happen.

And at times, even from my own perspective, law firms feel like very much that we can be in the firing line of the target, I suspect, as much as any other business feels it. But it is something that you're living with on a daily basis.

You can come into work and you can be very comfortable about all your systems in place and everything that's happening in the background that you don't see, that you don't really want to see or want to know about, unless you're Keith and you're dealing with it on a daily basis. But there is the potential that a breach and that risk can happen at any stage.

I had taken a look through a lot of the ICO guidance and a lot of the other statutory guidance that is out there. And I have to say, in preparing for this, I've learnt a lot more than what I knew, and then I went back and listened to Keith's podcast and my mind was blown and my knees started to shake and quiver as well just at the thought of what could happen.

So starting point for it in ICO guidance is don't panic if something happens. What they say is not every breach is going to require reporting, not every breach is going to be as severe and as bad as what you think that it might be. But what you should have is your policies, your guidance, your steps in place that you can go quickly and know where to access that.

And hopefully maybe through your disaster recovery plan or your training that you've done, you've been through a sort of process before internally where there have been those tests and checks happening that everybody knows where to start.

If you don't have anything in guidance or if you're not familiar with your guidance, you're going to be starting from a really, really difficult point.

The other thing that the ICO talks about is we know that when it comes to reporting that you have to do that within 72 hours. That's what's in the regulations. And what they say is to start your clock from that point. A really helpful tip that they talk about is to start a log to record what has happened, who's involved, and what you're doing about it.

And then they talk about that as you progress through the different steps of risk assessment, you're keeping your log updated. It means that if you have intervention from ICO, or if ICO come and are looking to look at some sort of enforcement proceedings or fines and things like that, if you have a log that you can present to them, the information that you can provide to them will assist them in determining how well you might have handled it or how difficult the situation was and how it all unravelled.

So, at that point, start your timer. Look for your starting point. Your starting point will be not when the breach happened, but whenever you discovered the breach. So there could be panic around that as well.

The next thing on the risk assessment is really to find out what happened. Pull all your facts together as quickly as possible and keep updating your log. And that will involve getting to the bottom of whether it has been a phishing email that's come in that somebody has clicked on and you're open to a ransomware attack, or whether it has been a data breach because there has been information that has been either accidentally sent out, or if it's been more sinister in relation to it.

So the next step that they talk about is just finding out what happened and then moving on to try to contain the breach.

And I suppose, Keith, for me, that probably is that idea of running around and trying to stop the problem.

Keith:  Even in modern companies, some of the last-ditch scenarios could be unplugging things. We do see that. You get some very red-faced IT managers who have to sprint for the first time in about 20 years down the hall.

But yeah, containment would be definitely my number one priority. And I suppose, Seamus, from your side and my side, that'll always be the challenge within the business in terms of the compliance with legislation, and then also, "Let's get this locked down".

There will be people in your company who'll be saying, "Who cares about the ICO right now? Everything is on fire. Can we just shut it down first?" So one of the things that I definitely recommend is you have people who are massively focussed on fixing the issue, and they don't need to worry about the ICO. You have other people in the business to do that, and then you coordinate some sort of leadership around that. That can be outlined in an incident management plan, potentially a disaster recovery plan as well.

But in terms of going a little bit before that and thinking about how you try and reduce the likelihood of a ransomware attack happening . . . And just to be clear, everyone should be familiar with a ransomware attack, but what that means is all your files on your computer and all the computers in your organisation, all the files have been encrypted. They've been locked up.

If you tried to click on any of the files in your My Documents or SharePoint, it asks for a password. You don't have the password, the attackers do, and they will give it to you in exchange for a ransom pay-out. So just to be clear, that is a ransomware attack.

So one of the things to try and reduce that . . . Well, one of the things that we know is the attackers will most likely come in through a phishing attack. So good awareness around how to spot phishing attacks. Good antivirus and good email filtering are the things that help reduce that down.

But then that's not always going to work. Ones will get through, and then what they're trying to do is install either remote access onto your device or the ransomware, the malware, that can automatically go around and start locking and encrypting everything.

The attackers, from what we know, could be in your system for up to a month before they do anything. Because what they're trying to do is they're trying to understand, "Well, what do these guys do?"

If it was Legal-Island, "What do Legal-Island do? Where are Legal-Island's crown jewels? What's the valuable data that they have?" And once they have that, that's when they pull the trigger on it.

So some of the things around that that you can do is have multifactor authentication on, strong passwords, unique passwords for all your different systems so that if they do get one of the passwords, they can't just use it everywhere else, good controls on your laptop, and things like that. All of those types of things can reduce the likelihood of that happening.

And then the next step is, "Oh, dear. Right. We've been hit with the . . ." It'll be a bit stronger than "oh, dear", but, "We've been hit with the ransomware attack", and that's when your incident management process kicks in, and that's where part of your business just focuses on fixing the ransomware attack. Maybe it doesn't affect everything, so the other thing is you're trying to do BAU as well.

One of the things I would definitely recommend is to have a printed copy of your incident management plan and all the contacts in your office, because if you get ransomware, it's more likely than not that all of that good planning is locked up as well. So there are just a few pointers.

Christine:  Yeah, that's a good point, Keith. We all have these lovely folders. Incident management folder is gone.

We're getting a few questions in, if I could just put a couple of those to you. And everyone, please do keep sending them. Somebody's asking about the IT manager running around unplugging everything. What if you're cloud-based and you don't have the plug to unplug?

Keith:  So the benefit of being cloud-based is it does offer you more protection. So say your SharePoint or your OneDrive or your office Google Drive is compromised. There are ways that you can go onto those as the admin and reverse back, restore back to a backup or an older version to recover the data. But that doesn't solve the issue of how the ransomware got onto devices.

So they're similar principles. Think about your devices and how that is potentially being shared across devices. So we would recommend everything is turned off, and then you identify the infected devices, you clean them up, you close everything back before even restoring your data.

The potential is you restore your data and then there's a device that is still infected and it syncs up all the encrypted files again to your SharePoint or things like that.

So one of the things, and it's always hard with business, especially with customer-facing business, is to slow down and contain it first. Identify the issue and then bring everything back in a very controlled manner.

That's where you might need to have customer comms, thinking about how you communicate with your customers, be it other businesses or the public as you bring things back. Do it right once and be confident that you've identified their entry route so that it can't happen again.

Christine:  Brilliant. And Seamus, that brings us in that when we're communicating with customers, that is when the problems are going to start happening. If O'Reilly Stewart's customer data was compromised, you're going to have a lot of very angry clients on your hands. And also potentially maybe if your payroll's been compromised, you're going to have a lot of potentially angry staff. So what legal issues is that going to throw up for us?

Seamus:  I mean, the key aspect for this is really assessing the risk and looking to see what the risk is. I suppose after you've dealt with those containment procedures . . . And there's a lot of stuff in the guidance, absolutely, of what Keith's talking about there in relation to backup systems and looking at all of your key protectors that you have within your business. But ultimately, if you have a breach, then you're looking at assessing that risk, and what does that mean?

It talks about it at a high level certainly through some of the guidance in relation to consider the likelihood and severity of the risks to people's rights and to their freedoms. If you're looking at breaches that would result in safeguarding issues, identity theft, financial concerns, if there's significant distress going to arise, those are the real serious matters. And those were where you're going to have those difficult conversations with your client base or with your customers.

 What I think everything that I read is very clear about is that there shouldn't be a delay in notification if you're at a point where the risk is at that level.

And I read some interesting stuff where they said if you have accidentally sent an email in a hairdresser's to another client about an appointment, you're assessing the risk. What is the damage there in relation to that? Is it reportable? Is it something that needs to happen? That's that human error type aspect of it.

But if you have sent the same customer a receipt for their credit card that they've just paid on, and it contains financial information or names and addresses in the invoice, you can see how that is getting higher.

Right up to the level where your payroll has been compromised and there are details in respect of bank accounts and financial standing, and things in our office in relation to mortgage offers and medical notes and records, right up to sort of really high-level damage.

So it is about assessing that and it's looking at what has been compromised and what has been not compromised. The guidance is a bit woolly around when to report and when not to report, but there's definitely an undertone in the guidance that not everything is reportable. Don't panic too much. If it's something that isn't going to result in that aspect of a breach of freedom or safeguarding issues, then it can probably be dealt with. And if you can manage and contain it, then that's the way to go about doing it.

And not to jump ahead of things, but every day of the week we will get general inquiries in this office about breaches of data that are coming from banks, from clients of banks, from customers of banks, from telephone companies, from software companies, all of that sort of stuff. And we'll constantly be getting inquiries about, "Can I have a claim? Can I get compensation because there's been a breach of my data?" We have a different job to do in relation to that also then.

But if you think about the PSNI breach there, they have full expectation that that's going to be either a litigated matter or there's going to be some sort of reserve compensatory, maybe state compensatory scheme, or something like that set up in order to deal with that.

So it's very wide-ranging, Christine. And from a public perception, the public are very aware of their rights now in relation to their data. There's so much information out there and it tends to be . . . Even if you think back to some of the big employment cases, that Asda and Morrisons cases, where there was a big breach of 4,500 people, they all brought legal proceedings for recovery of compensation because of distress as a result of that.

So it's a big business all around, it sounds like to me, from the ransom, to the legal side, and compensational costs.

Keith:  And just to add to that, Seamus, just from being in the trenches on a few ransomware attacks, some of the things that we've learnt . . . One of the big takeaways was if you're reporting to the ICO, you can do an initial report to almost tick the box of the 72 hours and say, "Look, we're reporting what we believe is a breach and we will add more information to this as we get it". And they will see that as a good faith reporting.

The other thing that we have seen, especially for smaller companies who need clarification on a breach . . . This is a bit of a tip, and you might cringe and you might say, "No, this is awful". Please do if it's a bad one. But you can actually phone the ICO anonymously and give them a scenario and let them give you advice as to whether they believe that would meet the threshold for a breach.

I would only recommend this for micro and very small companies, but we've found that very useful where they can get a bit of guidance, a bit more than just the checklist on the website.

Christine:  What do you think of that, Seamus? Would that be something you would tell clients potentially?

Seamus:  I mean, certainly, I think where a client is worried about whether or not they're assessing that there's a reportable breach or not . . . Look, there are consequences for organisations that report a breach and there are consequences if they fail to report the breach as well. So absolutely, I think where you can get help . . .

I mean, look, the hope would be that if you are an organisation that has been impacted by a breach, that you will be contacting case organisation, or you'll be taking legal advice in relation to it, and there will be help and assistance in terms of being able to assess that.

There's a sort of general rule of thumb that they talk about in Article 20 of the Working Party and they say the risk exists when the breach may lead to physical material or non-material damage for the individuals whose data have been breached.

If you're the one doing the assessment or you're involved in the assessment, did you put your feet into the shoes of the individual and decide, "For me, would that be a breach if that was happening to me?" And that should give you the guidance. But it is very broad, I have to say, physical material or non-material damage.

Christine:  Anything.

Seamus:  Yeah. I think it is about making sure that you are taking advice, and I would assume that if anything like that happens at all, you're contacting your IT company straight away and getting them on board and the advice being learned in relation to that.

Christine:  I mean, certainly at the forefront of my mind when I was planning for this webinar was the PSNI breach. It's very, very close to home. Initially, it was stated that it was human error, and then it seems to be that there was potentially more than one person involved in the decision-making process to send the offending information out. So what can we learn from the PSNI breach? What should others be doing that they maybe dropped the ball on slightly?

Keith:  The PSNI breach, it all came from what was a pretty innocuous FOI. The PSNI deal with hundreds of FOIs on a regular basis requesting all manner of data and information from them.

This one happened to be asking for a breakdown of staff numbers by rank, grades, location. Obviously, that goes into the FOI team, and then it makes its way through various organisational units until they find the right data source. We can surmise that that data source came from most likely an HR/payroll source potentially when you start looking at what was provided.

What it seems that happened, and I'm sure more will come out as time goes by, but what appears to have happened was there was a full export from one of those systems of more data than they needed to fulfil that FOI request, and it was surnames, initials, rank, grade, work location, and departments of PSNI staff.

It then went through, obviously, again, several organisational units back to the FOI team. And if anyone's familiar with Excel, it looks like they maybe took a sheet of all this data, turned it into a lovely pivot table of all the fantastic answers, and then forgot to delete or remote cleanse the master data. And then that was sent out to the recipient.

Because it was through an FOI website, it was out in the public domain. Within hours, it became apparent exactly what type of data had been given out. It was removed within four or five hours of being on the TheyWorkForYou website, which is what it is. But the genie was out of the bottle at that point. The data can be taken once and spread, and it was spread widely.

PSNI came out initially saying it was an unfortunate human error. And I think that's what you were getting at there. Actually, when you take a step back and you look at just how many different departments within the PSNI, different people who would've needed to be involved in that, it can't be human error. It has to be down to processes and procedures.

And then to add to the pain, there was another breach disclosed where a laptop containing a PSNI spreadsheet of 200 officers was stolen from a car. And then to add insult injury, a PSNI officer drove off on a motorway with a laptop and a notepad with the 42 named officers and staff members in the notepad.

So I know things come in twos, but for the PSNI, it really feels like it came in three this time. They've obviously had a pretty devastating time of it the last month.

Christine:  Yeah. And I suppose that's the argument, that every single layer of person that saw that document needed to be properly trained in cyber security awareness and properly trained in data protection. That's really the argument there, isn't it?

Keith:  Yeah, there is that argument, but I actually think it goes further. No one person should have been able to get that data out of whatever system it was in into a spreadsheet.

If we're looking at . . . Seamus, what did you call it? The material and non-material damages. If you look at the data that they have access to there, there's very clear risk, incredibly high risk for that data.

And I know it didn't have first names, it didn't have home addresses, but there were very unique names on there. And through jigsaw identification, all you would need is the electoral list to start identifying officers' home addresses. The worrying thing in there was . . . I think there were 40 officers attached to MI5 that were identified in the data breach as well.

Christine:  Yeah. And Seamus, if we come back to the ransomware, say the worst has happened, all your files are locked, and you just think, "This is too much. Our business has ground to a halt. I'm going to pay these guys". Can you pay them? Is it legal to pay them? What type of hot water can you get into if you do pay them, I suppose?

Seamus:  Well, I think Keith had sort of touched on it earlier on. I mean, there's a very practical side to the operation of a business and there is that aspect that . . . When we talk about the immediate steps to try to maintain and curtail to an extent you are setting aside all of the precise things that you should be doing because you're immediately trying to salvage the situation, and for all the right reasons that you're trying to salvage it, if you look at the legal perspective of it and what the guidance has to say, whether it's from enforcement, government agencies, ICO, none of them recommend, encourage, or require that there would be ransom paid.

But I think there's a reality of it. We were talking earlier on there's a very high percentage of organisations that do pay ransom. There's no illegality per se, and there's nothing in law that says you shouldn't pay it.

I think Keith made a really good point earlier on. We were chatting just about there are certain restrictions for ransomware where organised crime unit and money laundering and all those sorts of things that go on, and having to be very careful about specific types of payments that would maybe put you into difficulties when it comes to more statutory based and those concerns, that government has said you should not make payments to certain organisations and things like that.

The risk and what the ICO highlight in relation to this is that just because you pay a ransom doesn't mean that everything is solved and that it's a magic wand resolve the whole situation. You still have to take a view that your data has been compromised.

There are issues around if you pay the ransom, does it leave you vulnerable in the future? Those companies and those organisations know that you've paid previously, so are you likely to pay again?

And from a legal perspective, there are no guarantees, I suppose. We were talking earlier on about this, but there are no guarantees that you will pay the ransom and that you will get full access to your data and that it won't then be disseminated out in the public in any event.

Keith was very interestingly saying almost around that you have to sort of due diligence the credibility of these organisations.

Keith:  Yeah, it's interesting. From a moral point of view, in an ideal world, you should never pay a ransom. It's funding organised crime in some cases. In some cases, it's potentially funding terrorism. And that's where you have to be very careful as a business.

There is now an entire industry of ransomware gangs and then ransomware negotiators that your insurance company bring in. And the negotiators almost do a fit-and-proper check on the ransomware gang to say, "Oh, this gang is trustworthy. They have a history of paying up and doing what they say. But oh, no, this one doesn't", or, "You can't because this one is in Syria", or Russia or something like that.

We had a great example of where a company were bang to rights. They had been ransomwared and their data was completely locked up. The ransomware gang had got in and corrupted their backups as well. They had nothing. And they basically said, "Okay, we are going to pay you a six-figure sum to get our data back".

The ransomware negotiators started asking, "So tell us about yourselves. Who are you as a ransom gang?" And they said, "Oh, we are such and such. We are supporting the People's Republic of Syria", and the ransomware negotiator went, "I cannot believe you said that. If you said you'd been in Switzerland, you would've been getting the money. Now the fact is we can't even pay you. It would be illegal to".

So yeah, it's a funny world. I just don't like the stat that if you get a ransomware attack in the UK, you're more likely to pay it than not, which I think everyone should take on board. We need to look as businesses about why that is tipped in their favour and what we can do to tip it back in terms of physical controls, in terms of technological controls. Staff awareness is key. The vast majority of these attacks come through phishing, social engineering, things like that. So that's our first line of defence.

Christine:  We got a question in here, and I'm assuming it's for Keith because I don't understand it. It says, "Do you recommend pen testing?" I'm not sure what that is.

Keith:  So, for everyone on the call, pen testing is penetration testing. So it's not testing a pen. Basically, if you have a system, if you're a company that has either a network or you have a software platform or something like that where all your data is held onto, you would get companies like us and we have . . . I don't want to call them hackers. Let's call them pen testers. But basically, what they do is they will try and hack into your system. We will always get in, and then we will provide you with a useful report on what you can do to harden your systems.

So that's a very common thing. It's part of the proactive defences that you can have, is have someone have a go at trying to get into your system, and then give you a report to tell you what you need to do to fix.

But again, in terms of your users, can you pen test a person? Not really. But what we can do is we can do phishing simulations. We can simulate trying to get in and see if your staff, through the awareness that you've given them, are spotting these, are reporting these to the right people, and all that type of stuff.

Christine:  Brilliant. Thanks very much, Keith. Thanks very much, Seamus. We've come to the end, and I just wanted to wrap up with a few of my takeaways from today's session.

I think what I'm taking away is that you can have all the IT systems in place that you want to, you can spend a fortune on it, but it really comes down to your people. And cyber security is a matter for absolutely everyone in the organisation, not just the techies, because at the end of the day, it's going to be the HR team that's picking up the pieces a lot of the time when stuff does go wrong.

So all-staff training is really important, and with cyber criminals moving so fast, it's important that training is regularly updated. Just doing one brief course when people are inducted into the organisation is not really good enough, is it?

So thanks, everyone, very much. Just to check if there are any more questions. We've got through all the questions, so thanks very much to anyone that sent them in.

So the promised discount. The eLearning team are offering a 25% discount on Legal-Island's brand new eLearning course on cyber security. So please reach out to your eLearning team and mention Employment Law at 11 when you do to receive your discount.

As I said at the start, if you want to put "yes" into the question box, that'll take the bother out for you. They'll actually contact you and arrange a demo for you. So if that's of interest, drop your "yes" into the question box now.

Seamus and I will be taking a break from Employment Law at 11 in November. Why is that? It's because we will be getting ready for Legal-Island's Annual Review of Employment Law on 7 November. Seamus will be there, and so will I. It's a hybrid event, so you can come along and see us in person at the ICC Belfast, or you can log in from the comfort of your home or office.

So if you're going to miss us, you might want to catch up with us on podcasts. We're on Spotify, Amazon, and Apple Podcasts.

And if you do want to reach out to myself, Keith, or Seamus, we are all on LinkedIn. So please send us a message on LinkedIn. You can get in touch with us there, and we'll be more than happy to have a chat.

But in the meantime, have a lovely Friday, enjoy your weekend, and thank you to Keith and to Seamus. We'll see you all again soon.

Keith:  Guys, it was a pleasure. Thank you.

Christine:  See you later. Bye.

Seamus:  See you.

Sponsored by: