More data records were leaked or stolen during the first half of 2017 than in all of 2016, according to the most recent Gemalto Breach Level Index (BLI). This sharp spike in data breaches is concerning, and certain details in the report point to an inherent problem across the industry: the BLI report revealed that the biggest source of lost records via data breaches was accidental loss and inadvertently leaving data exposed.
Too much attention is spent sensationalising data breaches by cyber criminals when in fact the focus needs to be directed at assessing internal threats such as accidental loss and other negligence. The report proves that UK data security culture needs overhauling. So what actions should businesses be taking to better protect themselves?
It’s tempting to think of information breaches as the result of targeted attacks executed by criminal masterminds. However, the truth is that these easily preventable data security breaches are largely caused by human error: losing hard drives, careless file sharing, leaving confidential paperwork out in plain view, poor password management and falling for the growing number of phishing emails.
Businesses should adopt practices that reduce risk and create a watertight culture of information security in the workplace. Long gone are the days where it’s the responsibility of the IT and compliance departments to protect information; data security is a companywide responsibility.
Firstly, businesses should introduce staff training to ensure that everyone understands best practice in the workplace. This should take the form of interactive training sessions, conducted on a regular basis, since what has to be tackled is often a cultural change. The HR policy should be revised to reflect the fact that it shouldn’t be the sole responsibility of the IT department to instigate better behaviour.
Secondly, employees should be encouraged to adopt self-policing – reminding each other to be on the lookout for everyday bad habits, such as leaving computer screens unlocked and leaving confidential paperwork in plain view. The BLI reveals that the biggest security threat to an organisation comes from within; if staff develop good habits for safeguarding their own information, those habits will carry over into how data is handled across the business and with clients. As a starting point, organisations should deploy clean desk policies to safeguard confidential information. It’s what every consumer would expect of any business that deals with data in this day and age – why compromise? Data is one of the most valuable assets of many businesses, and compromising those ‘crown jewels’ is punished not only by hefty fines but also by reputational loss.
In addition to creating a culture of data security within the workplace, there are some actions that companies should be taking to ensure that all client and business data is properly safeguarded. Companies need to understand what is in their information estate in order to protect it. With the impending GDPR regulation, companies need to ensure not only that data is clean and viable to use, and that all customer permissions and consent are obtained for the appropriate use of that data, but also that the relevant data protection and information security practices are aligned. Recital (100) of the GDPR states:
‘In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms and data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.’
Reporting a breach
While reporting data breaches is currently not compulsory, under the terms of the upcoming GDPR, due to be enforced from 25 May 2018, all companies will have to report a data breach to the Information Commissioner’s Office (ICO) within 72 hours. Failure to do so will risk steep fines of up to €20m or four per cent of annual global turnover, whichever is greater. In addition, the longer-lasting cost to companies will be reputational loss. It is therefore vital that businesses are fully transparent with both customers and the ICO.
Will the implementation of GDPR lead to an increase in data breach reports?
It is highly likely that there will be an increase in breach reports, not necessarily because there have been more breaches, but because companies will have to be more forthcoming in their approach to tackling the problem, given their legal obligation to report them. Reporting a breach is extremely important, as it is in the best interests of a company’s customers.
GDPR: an opportunity
GDPR represents a great opportunity for UK businesses to better protect themselves from future data breaches. Under the terms of the GDPR, companies will have to be more rigorous in their approach to collecting, storing and using customer data, which in the long run will reduce the amount of accidental loss. Better business transparency will also engender more trust and loyalty among customers.
With GDPR now less than eight months away, it is vital for businesses to start preparing. The sooner businesses start taking the necessary steps, the faster they will be able to reduce the number of data breaches across the UK and beyond.
By Andrew Bridges, Data Quality and Governance Manager at REaD Group