Procurement 28 July 2017

Your money and your business – How to protect both from ransomware attack

The NHS recently suffered a large ransomware attack, costing millions of pounds

With some of the biggest companies in the world now falling victim to ransomware attack, what chance do micro businesses and entrepreneurs have to protect themselves? A good chance, if you know what to do, writes IT and intellectual property head at law firm Hill Dickinson, Mark Weston.

Recently, ransomware attacks have been big news. The rapidly spreading infections, which encrypt an organisation’s computers and data with a promise to remove the encryption if a ransom is paid, seem more like something from a science fiction story than an aspect of everyday business life.

Yet it is a part of everyday business life. The NHS has been temporarily crippled by ransomware, and large private sector companies, including WPP, Rosneft, Merck and AP Moller-Maersk, have also been victims of massive world-wide attacks.

What chance do micro businesses and entrepreneurs have to protect against ransomware attack? The answer is that they have a good chance, if they know what to do and what not to do.

First things first

There are some basic measures that every company owner can put in place to protect against ransomware attack. Firstly, install the latest software patches applicable to your operating system and programs. Even though it’s time consuming, always back up your data to a system isolated from your main data stores, so that an infection of the live systems cannot also encrypt the backups.

Make sure to use robust anti-virus software. This will kill most malicious files before they can wreak any havoc. Use commercial firewall software which acts as a barrier between your trusted network and the outside world, allowing access through a positive control model – that is, blocking everything by default and permitting only the traffic you have explicitly allowed. None of this stuff is rocket science – and it doesn’t cost much either.

Train your staff not to click on unrecognised email links. Teach them that picking up and plugging in that USB stick found in the car park with the word “salaries” written on a label, for example, is probably not a good idea.

The helpful IT technician who phoned you out of the blue from “Microsoft” to fix your machine probably isn’t who he says he is. Many systems have been infected this way – using workers themselves to gain access.

If you have a larger budget, go a step further and pay a professional to try to penetrate your system (so-called pen-testing) to highlight its weaknesses. And have some network monitoring software installed so you know who is plugging what in and where.

Other than the sensible commercial reasons to do all this to safeguard your business and its ability to operate, and other than the rationale that you are protecting your business’s reputation, there’s also a legal reason for taking these steps.

If you can’t access data because you are locked out of your systems, or if you lose data or (worst of all) if someone else steals data on your system, you will probably be legally liable for breaches of contract with someone, or for so-called torts – which are civil wrongs.

If stolen data is personal data then you are certainly liable under data protection legislation if you have not taken reasonable and proportionate steps – or “appropriate technical and organisational measures”, as the legislation states – to prevent a ransomware attack from happening.

The law on personal data is already quite tough – and is set out in the Data Protection Act 1998. If you possess, use, manipulate, hold, amend or do (pretty much) anything with personal data, then the law requires you to be responsible for it.

Personal data includes any information about a living person, which is a pretty wide definition, and the law is about to get much, much tougher.


From 25 May 2018, the General Data Protection Regulation (GDPR) comes into force – and the government has made clear that it is going to apply even on the other side of Brexit.

The definition of “personal data” is being widened to include data about a person who is identified or identifiable if combined with some other data.

If you do not keep to the new rules, which include processing data lawfully, fairly and in a transparent manner, then the fines for failing to do so are being raised to either €20m or four per cent of your business’s global annual turnover – whichever is the greater amount.

New rules include limiting the purpose for which you collect or use data, minimising what you do with data, keeping data absolutely accurate and correcting it if it’s not, limiting your storage of data, proceeding with “integrity and confidentiality” – and keeping records of all this stuff so you can prove what you have done.

The threat of ransomware attack is bad enough, but now the law could come down on you hard too if you do not get ready to apply the extensive new rules.

Under current laws, if you suffer a data breach then unless you are in a regulated industry or a telecoms or internet service provider, there is no legal obligation to report that breach, although the information commissioner believes “serious breaches” should be reported and sometimes it may be a good commercial idea to report it anyway.

But that’s about to change. Under new rules from next May, businesses will have a maximum of 72 hours to make a report of any data breach. Remember the potential fines – don’t let ransomware take your money as well as your business.

Mark Weston is head of information technology, intellectual property and commercial at law firm Hill Dickinson.
