
Code Red For British businesses

by Mark Rowe

Richard Walters, CTO at email and web security product company Censornet, asks what the Data Reform Bill means for British businesses.

It has become a cliche to describe data as the new oil. Yet this metaphor can be extended to provide an important lesson for all businesses. For just like any flammable substance, data must be stored securely because it can burn down an organisation in a matter of minutes. When an organisation suffers a data breach, it will face severe financial and reputational damage, with one study estimating that 60 per cent of small businesses shut down within six months of an incident. In its most recent Cost of Data Breach Report, IBM revealed that a breach now carries an average price tag of $4.24m – the highest figure in the report’s history.

In the UK, the government has been working to reform post-Brexit data protection laws and announced a new Data Reform Bill in this year’s Queen’s Speech. On June 23, it released the results of a consultation called “Data: a new direction” which sets out how the Bill will “strengthen the UK’s high data protection standards while reducing burdens on businesses to deliver around £1 billion in cost savings that they can use to grow their business, boosting the economy”.

The reform is part of the UK’s National Data Strategy and promises to be a “clampdown on bureaucracy, red tape and pointless paperwork”. However, the new rules are not a silver bullet for businesses that are already facing a perfect storm of rising threat levels and new risks created by the move to remote working. Small and mid-market companies face the same dangers as large corporations – but without the enterprise-grade security systems and teams of dedicated staff. The government’s new direction on data is only part of the roadmap businesses should be following to keep themselves safe from breaches.

Big Data Reforms

The current UK data protection regime consists of the UK General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act 2018 (DPA). The Data Reform Bill will remove the UK GDPR’s “prescriptive requirements” that give “little flexibility” about how businesses manage data risks, the government announced. The same “high data protection standards” will remain but organisations will have “more flexibility to determine how they meet these standards”. It is hoped the reforms will create more than £1 billion in savings over the next decade by “reducing these burdens on all businesses”.

The headline changes in the reforms are new financial penalties for companies that pester people with nuisance calls and new rules to minimise the number of “annoying cookie pop-ups” on websites. Organisations will also have to operate a privacy management programme that ensures they remain accountable for how they process personal data. This means that small businesses will no longer have to nominate a Data Protection Officer (DPO) or undertake lengthy impact assessments, as long as they can “manage risks effectively themselves”. Neither will they “have to fill out unnecessary forms where the risk is low”. Rather than appointing a full-time member of staff, leaders must name a “designated senior individual” to oversee the organisation’s privacy management programme.

Although the government has not introduced new recommendations to its data breach reporting procedure, this decision should not be taken as a sign that the danger is any less severe. In 2022, the threat level to businesses soared to an all-time high. The UK is now the third most targeted nation by hostile states, according to cabinet minister Steve Barclay. Last year saw a record-breaking number of breaches and ransomware demands, with The Identity Theft Resource Centre reporting 1,862 breaches in 2021 compared to 1,108 in 2020 – an increase of 68%.

Figures from a Censornet survey revealed that as many as two in three (65pc) mid-market organisations suffered an outage in 2021, with 33pc suffering a systems outage that lasted more than one day. Our study found that 30pc of all businesses suffered a data loss because of a cyberattack in 2021 – with that number rising to 36pc for smaller businesses turning over between £1m to £5m a year.

The effects of a breach are serious and long-lasting. When an organisation’s partners and customers lose trust in its ability to safeguard sensitive information, they will simply avoid doing business with it in the future. It can be argued that no amount of government action can protect businesses from the negative effects of breaches. Organisations must take responsibility for their own security or face the risk of reputational and financial damage.

Identity crisis

A weak point in many organisations’ defences is identity – and attackers are now taking advantage. When the pandemic struck, the traditional cybersecurity perimeter disappeared forever – creating a large, amorphous and constantly growing attack surface. The Verizon Data Breach Report 2022 found that 82pc of breaches involved the “Human Element” and warned that stolen credentials are used in almost half of attacks.

In the new threat landscape created by remote and hybrid work, identity and context are the new perimeter. Organisations not only need to know who is accessing their network, but must be aware of other contextual information such as the time or location of a log-on. The global IDaaS (Identity-as-a-Service) market is predicted to grow from $4.92 billion in 2022 to $23.88 billion by 2029, demonstrating the central role identity will play in the future of cybersecurity.
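As an added illustration (not from the article or from Censornet’s products) of treating identity plus context as the perimeter, the following Python scores a log-on against a per-user baseline of usual country, working hours and device; the baselines, weights, thresholds and sample events are all constructed assumptions.

```python
from datetime import datetime

# Constructed per-user baseline of what "normal" looks like for each identity
# (assumption: in practice derived from previous successful log-ons).
BASELINES = {
    "alice": {"countries": {"GB"}, "hours": (7, 20), "devices": {"lt-a1"}},
}

# Assumed weights per contextual signal and thresholds for the response.
WEIGHTS = {"new_country": 40, "off_hours": 20, "new_device": 30, "no_mfa": 15}
STEP_UP_AT, DENY_AT = 30, 70


def score_login(event, baselines=BASELINES):
    """Return (score, reasons) for one log-on: who, when, where, which device."""
    base = baselines.get(event["user"])
    if base is None:  # identity never seen before: treat as maximum risk
        return sum(WEIGHTS.values()), ["unknown_user"]
    reasons = []
    if event["country"] not in base["countries"]:
        reasons.append("new_country")
    start, end = base["hours"]
    if not start <= datetime.fromisoformat(event["ts"]).hour < end:
        reasons.append("off_hours")
    if event["device"] not in base["devices"]:
        reasons.append("new_device")
    if not event.get("mfa", False):
        reasons.append("no_mfa")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(event, baselines=BASELINES):
    """Map the risk score to allow, step_up (ask for a stronger factor) or deny."""
    score, reasons = score_login(event, baselines)
    verdict = "deny" if score >= DENY_AT else "step_up" if score >= STEP_UP_AT else "allow"
    return verdict, score, reasons


# Constructed sample events (local ISO-8601 timestamps).
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2022-06-23T09:15:00", "country": "GB", "device": "lt-a1", "mfa": True},
    {"user": "alice", "ts": "2022-06-23T03:40:00", "country": "GB", "device": "lt-a1", "mfa": False},
    {"user": "alice", "ts": "2022-06-23T03:40:00", "country": "US", "device": "unk-9", "mfa": False},
    {"user": "mallory", "ts": "2022-06-23T12:00:00", "country": "GB", "device": "lt-a1", "mfa": True},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["user"], ev["ts"], decide(ev))
```

The same credentials produce three different outcomes depending only on context, which is the point of a context-aware perimeter.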

The government’s new approach to data security is welcome. It delivers on privacy, streamlines the UK’s data protection rules and may enable cost savings at resource-constrained businesses. However, in the face of complex threats, organisations must remain focused on the areas on which the white paper is silent. Identity is one threat that is not addressed – even though it is a major attack vector. Although it is reassuring to see Westminster taking data protection seriously, businesses should not be lulled into a false sense of security. The responsibility for sensitive data ultimately lies with the organisation that stores it – and the quality of its security technology will decide how safe it is.
