- By Peter Carlisle, VP EMEA, Thales eSecurity
Data breaches of all shapes and sizes have been coming and going with alarming regularity in recent years. For those companies made victims, the media outcry and the reputational, financial and legal consequences are becoming increasingly severe.
When any organisation or individual is caught in the crossfire of data mismanagement, it’s always better to be safe than sorry, particularly with the European Union’s (EU) much-vaunted General Data Protection Regulation (GDPR) looming large on the horizon.
The arrival of the new regulation represents a watershed moment for any organisation harbouring and processing the personal data of EU citizens, be it that of customers, employees or clients.
What’s at risk when systems go wrong
Consider the Carphone Warehouse data breach in 2015 (one of the higher profile breaches in recent years) that saw hackers gain unauthorised access to the personal data of over 3,000,000 customers and in excess of 1,000 employees.
This snatch-and-grab raid saw cybercriminals hijack sensitive information such as names, addresses, phone numbers, dates of birth, marital statuses, and, in thousands of cases, credit card details.
In the aftermath of the breach, Elizabeth Denham, the UK’s Information Commissioner, said, “…a company as large, well-resourced and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks. Carphone Warehouse should be at the top of its game when it comes to cybersecurity, and it is concerning that the systematic failures we found related to rudimentary, commonplace measures.”
In 2017, two years after the breach, the Information Commissioner’s Office (ICO) slapped a fine on the desk of Carphone Warehouse of nearly half a million pounds (£400,000) – the largest ever issued by the ICO.
A check a day keeps the regulators at bay
The fine levied against Carphone Warehouse is a perfect example of the ongoing and lasting impact a data breach can have on a business, even years on from the initial attack.
With the post-mortem of the breach identifying elements of security software as many years out of date, this serves as a reminder to organisations of the need and value of carrying out constant health-checks, especially in today’s volatile cybersecurity landscape.
In less than six months’ time, the introduction of the GDPR will be a stern warning to those falling short of the required standard for cyber defences, thus forcing companies to be compliant.
Once the GDPR is implemented, any organisation putting the data of European citizens at risk will not only be faced with eye-watering fines, well in excess of the £400,000 levelled against Carphone Warehouse, but will also be subject to potentially crippling reputational damage.
What’s more, our own research recently revealed that more than three quarters of consumers would consider taking their business to a competitor if the company they were dealing with was found to be non-compliant with the GDPR’s requirements.
Understanding the plethora of risks will mean companies can uncover and mitigate the severity of any vulnerabilities to those systems storing and processing personal data. No matter where data sits in a company’s digital estate, it should be encrypted to the most secure level possible in preparation for a cyberattack.
Follow the carrot, not the stick
The creation of the GDPR is the result of over four years of intensive work by the EU to establish Europe-wide data protection regulation capable of policing the many new and previously unseen ways in which modern organisations hold, manage and, on occasion, fail to adequately protect sensitive data.
For all businesses, the regulation should be treated as an educational ‘carrot’ – i.e. a set of guidelines to follow to ensure cybersecurity practices keep a company’s data policy shipshape. Better this than for organisations to feel the very large stick of damaging fines after a breach.
Encouraging everyday best practice
All things considered, there are a few basic steps that enterprises can take to instil an organisation-wide approach to everyday cybersecurity.
First, though equipping employees with the right set of skills may seem basic, providing clear and consistent training to staff on what needs to be done to look after data can act as the foundation of a sound cybersecurity strategy.
Second, with Chief Information Security Officers (CISOs) responsible for bridging the historical divide between the IT department, business unit heads and the board, empowering them is more essential than ever.
Third, having a manifesto of data security policies that employees can adhere to makes the policies more easily enforceable, and, in turn, easier to master in the new regulatory landscape.
Fourth, integrating encryption into a comprehensive security strategy is fundamental for any business looking to adopt a failsafe approach to data protection.
However, above all, perhaps the key thing that really has to change across organisations of all shapes and sizes is how regular internal IT security health checks are perceived and valued.
After all, the operational reality is that consistent security checks do take resources and can cost large chunks of both time and money. But, when fines like the one Carphone Warehouse received hover over organisations’ doorsteps, and we sit on the brink of the post-GDPR age, the value of nurturing an organisational culture of responsible data security cannot afford to be ignored.