Of course, there are strict Data Protection regulations that restrict the sharing of information, but this has not prevented numerous serious security lapses.
You only have to think back to losses of discs containing thousands of individual’s personal tax information by HM Revenue & Customs, or a USB stick containing details of RAF pensioners, to realise that the hue and cry quickly dies down after such revelations. If august government bodies can be so lax with our details, opening up a myriad of possibilities for fraud, how can we trust businesses?
And often we cannot. Several High Street banks have lost tapes or laptops containing personal banking information. The list of major UK companies and public sector bodies which have been lax with their customers’ data touches almost every area from banks to mobile phone companies, social services to hospitals.
The International Picture
In the United States data protection is as important as health and safety. If the board is notified of risks to either health and safety or data and does nothing about it, it is liable. It’s their heads on the block. For the moment that only applies to health and safety here.
In most US States you have to declare publicly any loss of data and companies who fall short are named and shamed in the Press, TV or on the internet. In serious cases, the loss of confidential information can lead to prosecution and imprisonment. In the UK, if we compare incidents published on sites such as the FSA website of security breaches and fines imposed, there are only a handful noted. This could lead one to think there are very few breaches. However, when this is compared to the US, published incidents for the last 12 months have amounted to over 2,100 serious data losses effecting well over 500 million records. So it must be happening here! The difference is we keep things quiet.
Financial fraud is the motivating factor behind 63% of targeted cyber attacks on UK businesses, a study by the Ponemon Institute has revealed. This is followed by customer data (48%) and intellectual property theft (46%), while only 2% of security attacks were thought to have been driven by political or ideological agendas. UK businesses are also reporting 68 attempted cyber attacks a week, with successful attacks costing businesses an average of £144,000.
Their research went on to identify that of the UK companies that have not yet suffered a breach, 58% told the Ponemon Institute that they believed brand reputation would be untarnished by a breach and 70% did not think the cost of customer acquisition would increase.
Yet the 54% of the more than 500 respondents whose organisations had experienced at least one data breach in the past year and the 19% that reported four or more breaches, told a different story.
Nearly half of those that suffered a breach said that it damaged their reputation, close to a third were forced to downsize due to a loss of customers, and, on average, the cost of customer acquisition rose by £91,985 after a breach.
Our Data Protection Act says records of personal, private information must be held securely. Previously, if the Information Commissioner found a company or individual was in breach of these regulations there was a fine of a paltry £250. This hardly amounted to a smack on the wrist. Now the maximum fine for such failings is £500,000. This is a huge leap forwards and illustrates the way the UK is headed.
At Digital Pathways, we are striving for it to be taken as seriously here as it is in America.
Why does it matter to business?
The trust of your clients is paramount in business. They may question if you don’t care about their data what else are you being slack about? Without secure systems you could drive existing clients away and deter potential customers from coming to you to do business. If you want to do business across borders, you may well be forced to revise and strengthen the way you protect your data. This is already the case in the US. And it is increasingly becoming the case in other major markets. By not prioritising the security of data you hold, you could be in danger of losing your competitive edge.
Aside from the fact that it’s basic good management practice to have a hierarchy of who can access information, due diligence from prospective clients looking to do business with firms usually includes how sensitive data is protected.
There is a duty of care for all companies to their clients and employees to keep their information safe from abuse. Investment in research and development represents significant seed capital; do you really want it to be easily accessed by a competitor? The secrecy of M&A activity is of paramount importance and breaches could lead to fines and suspension if someone takes advantage of leaked information to manipulate the market.
In most cases, problems arise because systems have grown organically as the company has developed and new systems simply bolted on. Yet all businesses know that information is power, that their data is valuable both to themselves and their competitors. However, many companies, both large and small, view security as just a speed bump in their commercial processes. But it doesn’t need to be.
Is there a simple solution?
The short answer is yes. Companies don’t want to have to rewrite applications and business processes, and they shouldn’t have to. All you need is to install technology that is transparent to the business processes but adds the controls needed to understand who or what is accessing the companies’ information. Such solutions can, for example, encrypt and control who has access to company data without the need to throw existing business applications away. You should, at the very least, be able to run a regular, simple, audit of your servers and applications at the press of a button just to see what has gone on. This will show you who has accessed information, when it was done and what areas they went in to. It’s astounding to think that you could have no idea who is accessing your system.
When you translate this into actions in the physical world, it makes perfect sense. You wouldn’t dream of not having a log of who has removed important documents from filing cabinets and these documents would be closely guarded. Yet with computers, vast stores of information can be unlocked with a simple password, copied and emailed without you even knowing.
A lot is talked about intrusion detection to prevent Trojans and other computer viruses, but this is just the basics. Staff move around organisations keeping their access privileges to departments they no longer need and employees leave without having their access removed – at least not for several months. This makes it easy for a disgruntled ex-employee to hack into your system and use this information to help a competitor.
The court case of a T-Mobile employee selling information to other phone companies made headlines because it is a rarity for someone to be prosecuted for these offences. In many cases when someone is caught nothing happens, companies just brush such embarrassments under the carpet. But the world is changing. The reputational damage from publicity for breaches of security is just as threatening as fines.
In years to come these elementary breaches will be seen as archaic as shoving small children up chimneys to clean them.