Think before you’re hacked. Being legally prepared for a cyber-attack
Cyber-attacks are nothing new, but the latest data shows that 70% of UK organisations have experienced a rise in incidents over the past year. Attacks have grown more sophisticated over the last decade, and the legal landscape has evolved alongside them. The current public interest in the security of sensitive data may give organisations an opportunity to reflect on their cyber roadmap and re-engage their workforce and supply chain.
Targeted threats – are they really “a thing”?
Most organisations appreciate that cyber-attacks can be either random or targeted. But are some sectors more vulnerable than others?
Opinions differ, but the National Cyber Security Centre (NCSC) is an excellent source of sector-specific information. On 21 May 2025 the NCSC highlighted that some western logistics and technology organisations face a specific targeted threat, and urged organisations in those sectors to familiarise themselves with the advisory and act accordingly.
It’s not just tech and logistics. Over the years the NCSC has issued reports and guidance to various sectors, while professional bodies have provided advice to members. For any organisation serious about resilience, the NCSC and your professional body are useful sources of information and guidance.
It’s more than just an “IT” problem
What does this mean in real terms? Cyber security is not just an “IT” issue. To combat a threat, the whole organisation has to embrace the challenge.
It isn’t only technical, it’s cultural. Just like equality or financial sustainability, it requires buy-in across the workplace. It’s more than phishing awareness. Staff must know they are the first and last line of defence. A strong culture means people can admit mistakes, ask questions without embarrassment, and avoid risky shortcuts. Too often, staff hesitate to speak up because they are afraid of asking a “silly question.”
On 4 June 2025, the NCSC launched guidance on cyber security culture principles. Whether you are a security professional or a leader, it is compelling reading.
The two Ps
Aside from understanding your sector’s challenges and working to build a security-conscious culture, what else can organisations do? I tend to think in terms of two Ps: preparation and post-event analysis.
Preparation
As the UK GDPR puts it (Article 32), organisations need “appropriate technical and organisational measures.”
Organisational measures include policies and procedures tailored to the business, risk registers, responsibility matrices, training, auditing and simulated crisis-response exercises. Having the right contracts in place is also key, as is having third-party providers ready to assist if an attack occurs. Timeliness matters: response times are set out both in contracts and in law. For example, under the UK GDPR a personal data breach that must be reported to the ICO has to be notified within 72 hours of the organisation becoming aware of it.
Technical measures go beyond passwords, firewalls and anti-virus software. They include patching, access privileges (granted on a least-privilege basis), logging, monitoring and continuity measures such as backups that have actually been tested. What suits one organisation may not suit another, so each must consider its own infrastructure and threats.
Don’t forget the supply chain: your partners can be a risk. Certifications such as Cyber Essentials Plus or ISO 27001 are no guarantee, but they do show that an organisation is reviewing its practices and acting responsibly.
Post-event analysis
During an attack, your preparation pays off. Follow your action plan, keep a clear head, and record everything carefully. Communications also matter; incorrect but well-intentioned statements can cause real problems.
Afterwards, review how the event was handled. What went well? What needs improvement? Update policies, test again, and run another simulation. Don’t forget to thank staff who performed well: retaining key people is part of resilience.
This is a fast-moving area, but organisations are not alone. At HCR Law we have a dedicated team of lawyers specialising in data governance and cyber security.
Author - Dr Kerry Beynon - https://www.hcrlaw.com/people/kerry-beynon/