It’s fair to say that 2016 wasn’t a good year for data protection, with numerous high-profile breaches hitting the headlines. Unless businesses make a determined effort to improve, 2017 will be no different.
By Jake Madders
In the coming months, many businesses will be finalising preparations for the General Data Protection Regulation (GDPR) legislation that comes into effect in May 2018. Though current legislation, such as the UK Data Protection Act of 1998, provides a starting point for the protection of personal data, this new European legislation will require businesses to ramp up security. While many in the UK think that the Brexit vote will shelter businesses from the new EU data rules, this isn’t the case. The fact of the matter is that GDPR will still apply to UK companies that deal with the EU, regardless of the UK’s membership status in the European Union. As such, many businesses will still need to prepare for the change.
Under the GDPR, organizations will now be subject to much stricter rules with regard to protecting data. The GDPR has widened the classification of ‘personal data’, meaning more organizations are affected by GDPR than by the Data Protection Act. Many businesses will now have to employ a data protection officer under the new law, and any organization that does not report a data breach within 72 hours of detection is subject to hefty fines: up to 4 percent of annual global turnover. These new rules require businesses of all sizes to re-evaluate their data protection and determine the most effective method for their business.
In order to develop a more flexible approach to data protection, businesses need to focus their efforts on protecting against three key categories of security risk: people, technology, and operations:
The human factor: still the weakest security link
According to a report by the UK Information Commissioner’s Office (ICO), 93 percent of data security incidents that were investigated in Q4 of 2014-2015 were caused by human error. This demonstrates that people are (and have been) the weakest link in the security chain in any organization. While comprehensive background checks of staff members can encourage trust and confidence across the team, this is not the only consideration. In order to protect against human error, every company must provide thorough security training that covers everything from initial setup through to daily operations concerning customers’ data.
The tech factor: why partners also need to make security a priority
Whilst comprehensive business planning goes a long way to solving the problem, even a small security fault can threaten your organization’s confidentiality, integrity and availability (CIA). To ensure full protection, companies must implement security services that are designed to go beyond industry standards, so that they can maintain the CIA of their data. When it comes to security, placing your company’s data protection in the hands of a specialist MSP (managed service provider) is a good idea. When choosing an MSP it is important to look for solutions that offer a network integrity layer, a content filtering layer and, of course, a data protection layer. This layered approach helps to make the path for potential attackers as difficult as possible.
The community factor: why security should be part of your company culture
Operational security is achieved by instilling security as a culture within your organization. By encouraging this culture across your entire organization, data protection becomes more effective. Operations are the actions associated with policies and procedures. Strong access control measures, for example encryption and authentication, are paramount to counteracting security breaches. Email encryption of sensitive data and PIN verification for account access are key examples of these measures.
For data breaches similar to the Yahoo hack, the future looks bleak. Under the new rules, Yahoo would have been fined at least €20 million. For larger organizations, this financial hit may be sustainable, but the truth remains that small companies cannot absorb this amount of financial damage and survive.
On 5th October 2016, TalkTalk Telecom Group was fined £400,000 by the ICO, due to ‘security failings that allowed a cyber attacker to access customer data “with ease”.’ While this exemplifies the financial implications that sub-par security measures can cause, it doesn’t tell the full story. As a result of the security breach, TalkTalk’s reputation suffered severely, leading to £60 million in lost revenue and the loss of 100,000 customers. Instances such as this should motivate businesses to make a concerted effort to tackle cyber security and should act as a warning that poor security can have dire business consequences.
As such, it is imperative that businesses research and invest in appropriate methods of data protection for their business, to protect themselves, and their customers, from the damage of a data breach.
Jake Madders is a director at Hyve.