In recent years, businesses that have suffered data breaches have become the rule rather than the exception. In 2016 alone, 65% of large firms detected a cyber security breach or attack, and 25% of those experienced one at least every month. Yet British businesses still do not know how to combat these crimes, or even how to report them, according to a recent report from Barclays and the Institute of Directors.
A high-profile data breach can have a long-lasting impact, and its repercussions often reverberate throughout an organisation. When data is compromised, there are significant costs for a business, and reputational damage is the biggest of them. A YouGov poll last year revealed that almost eight out of ten people would rethink giving their custom to a company whose security had been breached by hackers.
EU legislation that will soon enter into effect will further exacerbate the consequences of a breach. Under these regulations, not only may all companies suffering a serious breach have to notify the affected members of the public, but they can also be fined up to four per cent of their organisation’s global turnover. Large businesses will have a hefty price to pay should their data be compromised. Estimates suggest that had the GDPR been in effect, Tesco would have faced fines of up to £1.9bn following the security breach at Tesco Bank last year. This legislation will make a post-breach strategy just as important as a breach-prevention strategy for all organisations dealing with customer data.
Worryingly, data breaches are no longer exclusively the work of external agents hacking into a company’s systems. A US study found that internal employees now account for 43 per cent of data breaches. What’s more, our own research of 200 fraud prevention managers revealed that employee access to social media (43%) and bring-your-own-device working (35%) are considered to be the biggest obstacles to preventing security breaches.
To defend against data breaches, organisations should consider implementing a three-pronged strategy combining internal actions, external safety measures, and a comprehensive post-breach plan that protects customers’ information from being compromised.
Security from within
The finding that half of internal data breaches result from a mistake made by an employee demonstrates the importance of ensuring staff have a good understanding of their role in protecting sensitive company data. So it is no surprise that our research found that the biggest fraud prevention priority for the majority (86%) of organisations is creating a fraud-aware culture.
Yet 18% think this is also the hardest priority to address. Regular security-awareness training programmes are one avenue companies are exploring to ensure employees know how to use internal authentication correctly, and understand the difference between a secure password and one that could easily be guessed.
As part of their efforts to keep cyber-attacks at bay, some organisations are also attempting to inform employees of the methods hackers use to breach data. Malware, phishing and rogue software updates have all been used to breach businesses’ lines of security. Organisations are only as strong as their weakest link, and the entire workforce should understand what the cyber vulnerabilities are in order to avoid them.
Unfortunately, whilst half of internal data breaches are genuine mistakes on the part of employees, some are the result of malicious intent. One way companies are attempting to protect against this is by controlling the access employees have to specific data, for instance through implementing permissions and policies. This may involve only allowing certain employees access to select pieces of information, and only at specific times and locations. These employees could, for example, be able to view some files but not download them onto external devices.
Giving employees access to only as much data as their jobs require is important. By doing this, businesses aren’t needlessly releasing valuable data, and therefore have more control over their sensitive information. This limits the risk of the data falling into the wrong hands and reduces the threat of an internal data breach.
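The two paragraphs above describe least-privilege access: role-scoped permissions, view-only versus download, and conditions on time and location. The following is an added illustration (not code from the article or from Callcredit) of a deny-by-default policy check with an audit trail; the roles, resources and sample date are constructed for the example.

```python
# Added example: a minimal deny-by-default access policy modelling the
# controls described in the text. Roles and resources are hypothetical.
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    role: str
    resource: str
    actions: FrozenSet[str]                     # e.g. {"view"} or {"view", "download"}
    hours: Optional[Tuple[time, time]] = None   # None means any time of day
    locations: Optional[FrozenSet[str]] = None  # None means any location

# Constructed sample policy: analysts may only view customer PII, and only
# from the office during working hours; fraud managers may also download it.
POLICY = [
    Rule("analyst", "customer_pii", frozenset({"view"}),
         hours=(time(8, 0), time(18, 0)), locations=frozenset({"hq"})),
    Rule("fraud_manager", "customer_pii", frozenset({"view", "download"}),
         hours=(time(8, 0), time(18, 0)), locations=frozenset({"hq"})),
    Rule("analyst", "public_reports", frozenset({"view", "download"})),
]

AUDIT_LOG: List[tuple] = []  # every decision is recorded so denials can be reviewed

def at(hour: int, minute: int = 0) -> datetime:
    """Constructed timestamp on a fixed date, used for the examples."""
    return datetime(2017, 5, 2, hour, minute)

def decide(role, action, resource, when, location):
    """Return (allowed, reason). Deny by default: access is granted only if
    some rule explicitly matches every attribute of the request."""
    reason = "no matching rule for role/resource"
    for rule in POLICY:
        if rule.role != role or rule.resource != resource:
            continue
        if action not in rule.actions:
            reason = f"action '{action}' not permitted for role '{role}'"
            continue
        if rule.hours and not (rule.hours[0] <= when.time() <= rule.hours[1]):
            reason = "outside permitted hours"
            continue
        if rule.locations and location not in rule.locations:
            reason = f"location '{location}' not permitted"
            continue
        AUDIT_LOG.append((when, role, action, resource, location, "allow"))
        return True, "matched rule"
    AUDIT_LOG.append((when, role, action, resource, location, f"deny: {reason}"))
    return False, reason
```

Denied requests land in the audit log with their reason, which is the signal a fraud team would review for repeated out-of-hours or off-site attempts.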
Verification, not only of employees but also of an organisation’s customer base, is often a crucial element of a comprehensive cybercrime prevention plan. Technology has enabled the creation of sophisticated solutions that allow for a thorough identification process, with questions and answers tailored specifically to each user. Companies that implement these personalised identification solutions can make it significantly more difficult for hackers to gain entry into their systems.
In the event of a breach
Whilst these measures could significantly reduce the risk of a data breach, few cyber-security strategies are completely watertight. This is why an effective post-breach plan is needed to ensure businesses can react instantly should the worst occur. If a breach takes place, solutions such as Noddle Protect offer businesses access to tools that help protect company reputations and put an action plan in place so the organisation can move swiftly when it needs to. Strategies like this can help protect businesses from the reputational damage of a data breach and ultimately safeguard consumers’ digital identity.
Implementing a strong, clear and flexible cybersecurity policy and post-breach plan, and communicating it to employees regularly, is central to both a breach-prevention and a damage-limitation strategy. High-quality third-party security software solutions can establish practices and plans that are easy to use for staff and for those in charge of implementing them, thereby helping to ensure that sensitive information remains securely within an organisation, or is protected as well as possible in the event of a breach.
By John Cannon, Commercial Director – Fraud & ID, Callcredit Information Group