A warning against complacency

by Mark Rowe

This year has already seen high-profile data breaches and cyber-attacks; last year saw a huge focus on data and data protection. Any company putting its feet up after adhering to regulations should think again, writes AJ Thompson, CCO at IT and data security company Northdoor.

The importance and value of data really came to the fore in 2019. Across business, politics and the general public, data has become a national issue and one that is now a major focus of the nation’s press. The introduction of General Data Protection Regulation (GDPR) caused some panic for businesses and a huge amount of media attention went a long way to raising the profile of data and its potential over and beyond IT audiences.

Public awareness

The public, suddenly aware of how much of their data companies held, of its potential and of the importance of keeping it secure, were now keen to ensure that all businesses they dealt with were using their data properly and treating it with the reverence it deserves. After the implementation of GDPR any breach that led to a data leakage was front-page headline news, whereas perhaps just a year before it got a cursory mention. All of this means that businesses have to be more aware than ever of the data they hold, how they hold it and how secure it is; otherwise they risk losing not just data but also their customers’ trust and their reputation.

So, if 2019 saw an awakening of the public’s awareness of data, then in 2020 we should be seeing a real effort from companies to secure and use that data responsibly. We have seen, however, a number of high-profile incidents already in the first quarter of 2020. Whether this is a result of better reporting processes, a higher interest from the press in such stories, or a continued blasé attitude from some companies, it is difficult to say.

What have we seen so far in 2020?

The year started with the news that Travelex had suffered a major ransomware attack on New Year’s Eve, in which criminals got access to data held by Travelex, encrypted it and then demanded $6 million to release it. Credit card details, dates of birth and National Insurance numbers were all taken. To make things worse, it appears that Travelex did not report the breach to the ICO. Up until recently Travelex was still unable to provide online forex for banking clients such as HSBC.

The start of 2020 also saw Dixons being fined by the ICO, under the pre-GDPR rules, for a huge data breach which resulted in 14 million customers being affected. Had the breach taken place post-GDPR the fine would have been considerably worse. We have seen an apparent ransomware attack on Redcar and Cleveland council, which saw online services shut down for weeks, impacting local residents. This is a trend we are likely to see repeated over the course of 2020, as cyber criminals target local authorities in ransomware attacks because of their often out-of-date systems and the sensitive nature of the data most hold. The council has been mainly silent about the attack and at a recent meeting shut the public and press out in the name of confidentiality.

More recently we have seen Virgin admit that a marketing database with customer information on it was left open for access for almost a year, exposing the contact details of almost 900,000 people, approximately 15 percent of its customer base. We have also seen Ordnance Survey suffer a security breach impacting the data of 1,000 of its employees. Fresh Film, an advertising company, inadvertently exposed data, including bank details and passport scans, by leaving a company server hosted online in an unsecured AWS S3 bucket. Another incident involving AWS S3 buckets saw a wealth of personal and financial data held by British consultancy firms, as well as by thousands of professionals, exposed, including expense forms and personal names and addresses.

Increased reporting

With the ICO clamping firmly down on these types of incidents, using the GDPR regulations, it is true that companies have to report such breaches as soon as they occur, and the nature of the media agenda means that these are picked up on quickly. Therefore, the start of 2020 might not be as bad as it seems, but the exposure of companies who have breached regulations has certainly increased.

The need to ensure that data is fully secure and being used responsibly now has multiple plus points. Not only will companies avoid falling foul of regulations, the resulting investigation and the now inevitable fines, but they will also retain their customers’ trust and avoid the hugely damaging media fall-out.

What is the cost of a data breach?

In IBM’s 2019 Cost of a Data Breach report the average cost of a data breach in the UK was calculated to be $3.88 million, with the average size of a data breach at 23,636 records. More worryingly, the report highlighted the fact that it took 243 days on average to identify and contain a breach. However, it was the customer churn and loss of reputation that really stood out in the report. The average cost of lost business for organisations in the 2019 study was $1.42 million, 36 percent of the total average cost. This cost is of course very hard to reclaim, and reputations can be damaged for years. This is particularly pertinent in 2020, with the public’s understanding of data higher than it has ever been.

Even if companies are adhering to the various regulations surrounding data, the main issue is that cyber-criminals are inevitably at least one step ahead. It is therefore imperative for companies to remain proactive in their defence of the data they hold, not to sit on their hands and do nothing once they are compliant with regulations. Complacency plays straight into the hands of cyber-criminals and as we have seen the consequences can be disastrous.

Time to industrialise the process?

Many companies are looking to ‘industrialise’ their approach to regulations. Automation takes much of the hard work out of the process, whilst ensuring that the company remains on the front foot in terms of its strategy. Those that continue with a manual method will find that they are unable to scale up, because their processes are not repeatable. Alongside this, moving away from a mentality of ‘are we compliant’ to ‘are we secure’ is absolutely crucial. The threat from the cyber-criminal is not going away, as the rewards for a successful breach and access to data have never been higher, so businesses need to lose any sign of complacency and protect themselves and their customers with a proactive approach.
