Security breaches – the Information Commissioner’s Office (ICO) reported a 46% increase in cyber security incidents in its last quarterly report. These incidents are not just the headline-grabbing events, such as the TalkTalk hack, which cost the company a £400,000 fine from the ICO alongside significant negative publicity and damage to customer perception, or the Russian election-related hacks in the US. Organisations of every size are being targeted, whether by ransomware that holds a company’s data hostage until a ransom is paid, or by phishing that compromises an employee’s credentials to gain access to customer data, including email addresses and credit card details.
The business implications of any breach are very significant. Not only will reputation be damaged if customer information is released via a breach but if a company’s Intellectual Property is accessed, stolen or shared with the public, that business may lose its competitive advantage.
Keeping it legal.
From a legal perspective, if hard drives containing confidential customer or employee information are accessed, the company could also breach the Data Protection Act (DPA), leading to a substantial fine from the ICO – up to £500,000. And looking ahead, when the EU’s new General Data Protection Regulation (GDPR) comes into force next year, companies must inform the ICO within 72 hours of becoming aware of a breach (and affected individuals without undue delay where the breach poses a high risk to them) and will face fines of up to €20 million or 4% of global annual turnover, whichever is higher.
The value of data is making every business, and every individual, a potential target of cyber crime – and organisations need to take every possible step to minimise their risk of compromise. Clearly it is essential to understand the legislative requirements. For example, an organisation that handles personal information about individuals has obligations to protect that information under the DPA, and public authorities have a legal obligation to make official information available under the Freedom of Information Act. Under the forthcoming GDPR, organisations must also have a lawful basis, such as the individual’s consent, for collecting personal information, must tell individuals how that information will be used, and must retain it no longer than necessary and erase it securely once that period has passed.
Know the signs of a security breach.
But it is also essential to understand how security breaches occur. According to the 2014 Cyber Security Intelligence Index, 95 percent of all security incidents involve human error. Many of these are successful attacks by external adversaries who exploit that human weakness, luring insiders into unwittingly handing over access to sensitive information.
The fact is that the threat landscape is changing and organisations need to be continually on their guard. Security policies and practices – including essential employee training and education – need to be routinely reviewed and processes assessed. The cost of a data breach is already severe: with the arrival of GDPR it will become even more so. This combination of rising risk and escalating penalty means that failure to place cyber security on the board agenda could result in more than just the loss of customer trust.