Procurement 28 July 2017

Your money and your business: how to protect both from ransomware attack

The NHS recently suffered a large ransomware attack, costing millions of pounds
With some of the biggest companies in the world now falling victim to ransomware attack, what chance do micro businesses and entrepreneurs have to protect themselves? A good chance, if you know what to do, writes Mark Weston, head of IT and intellectual property at law firm Hill Dickinson.

Recently, ransomware attacks have been big news. The rapidly spreading infections, which encrypt an organisation’s computers and data with a promise to remove the encryption if a ransom is paid, seem more like something from a science fiction story than an aspect of everyday business life.

Yet it is a part of everyday business life. The NHS has been temporarily crippled by ransomware, and large private sector companies, including WPP, Rosneft, Merck and AP Moller-Maersk, have also been victims of massive world-wide attacks.

What chance do micro businesses and entrepreneurs have to protect against ransomware attack? The answer is that they have a good chance, if they know what to do and what not to do.

First things first

There are some basic measures that every company owner can put in place to protect against ransomware attack. Firstly, install the latest software patches applicable to your operating system and programs. Even though it’s time consuming, always back up your data to a system isolated from your main data stores, so that an infection of the main systems cannot reach the backups.

Make sure to use robust anti-virus software. This will kill most malicious files before they can wreak any havoc. Use commercial firewall software, which acts as a barrier between your trusted network and the outside world, allowing access only through a positive control model: traffic you have explicitly permitted gets through, and everything else is blocked. None of this stuff is rocket science and it doesn’t cost much either.

Train your staff not to click on unrecognised email links. Teach them that picking up and plugging in that USB stick found in the car park with the word ‘salaries’ written on a label, for example, is probably not a good idea.

The helpful IT technician who phoned you out of the blue from ‘Microsoft’ to fix your machine probably isn’t who he says he is. Many systems have been infected this way, with attackers using workers themselves to gain access.

If you have a larger budget, go a step further and pay a professional to try to penetrate your system (so-called pen-testing) to highlight its weaknesses. And have some network monitoring software installed so you know who is plugging what in, and where.

Other than the sensible commercial reasons to do all this to safeguard your business and its ability to operate, and other than the rationale that you are protecting your business’s reputation, there’s also a legal reason for taking these steps.

If you can’t access data because you are locked out of your systems, or if you lose data or (worst of all) if someone else steals data on your system, you will probably be legally liable for breaches of contract with someone, or for so-called torts which are civil wrongs.

If stolen data is personal data, then you are certainly liable under data protection legislation if you have not taken reasonable and proportionate steps, or ‘appropriate technical and organisational measures’ as the legislation puts it, to prevent a ransomware attack from happening.

The law on personal data is already quite tough and is set out in the Data Protection Act 1998. If you possess, use, manipulate, hold, amend or do (pretty much) anything with personal data, then the law requires you to be responsible for it.

Personal data includes any information about a living person, which is a pretty wide definition, and the law is about to get much, much tougher.

From 25 May 2018, the General Data Protection Regulation (GDPR) comes into force, and the government has made clear that it is going to apply even on the other side of Brexit.