You may have heard about data breaches in the news, with companies getting fined thousands of pounds for leaking customer data. However, any business that handles sensitive information must take care not to lose any of this data or they could find themselves subject to similar penalties. In this article we look at the 3 main causes of data breaches and what you can do to prevent such problems.
What is a data breach?
A data breach is an incident involving a company’s IT security where sensitive, protected and confidential data is either stolen, copied, transmitted or used by an unauthorised third party. This data is usually information of value, such as medical records, company trading data, intellectual property or customer bank details.
Hacking is the type of breach that’s often given the most attention in the media, but data breaches can arise from simple human error — for example, by workers throwing away old computers without erasing data on the hard drive, or even leaving an important laptop in a taxi.
Data breaches — Implications
Until the implementation of the General Data Protection Regulation (GDPR) in 2018 the UK was subject to the laws of the Data Protection Act (DPA) which could see the Information Commissioner’s Office (ICO) fine companies up to a maximum of £250,000 per breach. However, in some of the larger cases in recent years these fines were not considered to be stringent enough when dealing with poor practice.
Now under the GDPR, the ICO has the power to fine up to a maximum of 20 million euros or 4% of a company’s annual global turnover, whichever amount is higher. However the ICO must make a full investigation prior to issuing any fine and check several factors including:
- The size of the breach
- The type of data involved
- Action taken by the organisation to remedy the breach
- The intentional or negligent character of the breach
In addition to the power to impose fines, the ICO can also issue warnings and reprimands alongside suspending the ability to process data and prevent data from being sent to overseas processing units.
High profile breaches
Data breaches are not limited to smaller companies. Even high profile organisations and corporate companies are subject to errors in their handling of customer data. Large organisations can also become targets for attacks. With many people concerned about the security of vital personal information such as bank details, passwords and addresses, there has always been a call for breaches to be featured in the mainstream media. Some of the most notable of recent times are as follows:
- London Heathrow Airport — the UK’s biggest airport was fined £120,000 by the ICO after a staff member lost a USB stick containing a raft of personal data, which was eventually discovered by a member of the public. Reports at the time claimed that the stick even held sensitive top secret information about the Queen’s travel plans and security.
- Morrisons supermarket — a claim was brought against the company by workers after an employee stole data, including bank details of 100,000 staff. Morrisons tried to claim that the organisation could not be held responsible for the criminal misuse of data, after the guilty employee was jailed for 8 years, but its appeal was rejected at the Court of Appeal in 2018.
- Wonga loans — in 2017 this popular payday loan provider allowed unauthorised parties to access the bank details and records of nearly 270,000 customers. As a result, a special helpline was set up to advise customers after the company was seen to give out conflicting messages about the security of accounts, while telling customers to be vigilant and check for suspicious activity with their banks.
Cause 1: Malicious, intentional or criminal
It can be very difficult for an organisation to resist intentional malicious attacks on their systems. With CIFAS reporting record numbers of identity theft cases in 2017, criminals are increasingly turning their eyes towards stealing data to commit crime. It’s not only customer records that are at risk, thieves may also be interested in competitor information and corporate espionage.
Many of these attacks are technological in origin. Third parties may not be interested in your company for any other reason than its vulnerability, because many of these crimes are automated, relying on email and other communication channels for access to information. Phishing, false bank communications and viruses are amongst the most common attack methods used.
Hiring expert security analysts is a company’s best line of defence against technological attack. A good IT service provider should have a security team or expert who can keep you up to date on the best antivirus and malware removal programs, as well as advising on firewalls and routers to deny access to potential intruders.
The important thing to remember here, is that stopping intentional attacks against your systems is an ongoing battle. Programs and precautionary measures that worked 12 months ago may now have been cracked by hackers. Stay on top of your security by working with a provider that is always giving you updates and new ideas.
Cause 2: System glitches
Computers are machines, and much like your car on a cold and rainy January morning, sometimes they can go wrong unexpectedly and you can lose data. If this is simply Word documents then it might not matter too much, but imagine if you are an e-Commerce company and you lose all your transaction history for the last week and you have no idea which customer has ordered what products from you, but you still have all their funds in your accounts.
System glitches can originate from several sources. Firstly, people simply assume that computers will keep on running forever and don’t maintain them properly. Secondly, companies can produce regular patches and updates for software and even hardware products that ensure they run correctly and do not malfunction. Companies need to stay on top of these important updates or problems could occur.
Most system glitches can be covered by a good policy. Having multiple backup devices, such as on-site tape backup units and cloud storage can ensure that if the worst does happen you can simply restore the system and recover the status quo. The easiest way to stop glitches from being a problem is by asking your systems teams: what’s the absolute worst that could happen? And then planning for this contingency.
Cause 3: Human error
Sometimes a data breach can come from simple mistakes made by managers and employees. From using obvious passwords to leaving computers turned on and logged in when a user leaves the room, there are multiple points of potential failure in most systems that are entirely dependent on their users.
Most of these weak points are caused by simple failures to observe good practice, or a reliance on the common sense of workers to avoid problems. However, even if a company’s workforce do the right thing in 99 out of 100 occasions, there’s still that 1% room for error that could be exploited by identity thieves and hackers.
The only way to combat human error is to have very tight procedures that are constantly checked by management. Adopting policies where passwords are always strong and never shared, certificates of destruction are obtained for old hardware that’s thrown away and computers are never left alone while logged in — all of these practices and more can mitigate frailties in a system. Ensuring strong leadership and inflexible processes is key here.
Certification for protection
One of the more direct ways of ensuring that your company’s data protection policies are up to date and robust enough to deal with all the rigours of modern business life, is through ISO 27001 certification.
This internationally recognised standard gives you a framework for creating a strong data protection policy in your workplace that not only covers your IT systems, but all aspects of information security in your company. Best of all, it gives you a framework for continual improvement that allows you to make important changes and updates to policy in your stride.
It is no longer enough to simply hope that IT problems and data breaches will not happen to you. With the introduction of the GDPR, all businesses must be responsible for their data processing and could be penalised for failures to protect customers. Precaution is the watchword here and by choosing the right partner or implementing a policy like ISO 27001, it is certainly one less thing your business needs to worry about.
ISO 27001 is the best practice framework for an Information Security Management System, and is recognised across the world. To find out more about ISO 27001, visit our dedicated service page, or free phone 0800 404 7007 to speak to an expert.
Alternatively, complete an online enquiry form and we’ll get back to you, providing you with a quote to becoming ISO 27001 certified.
Free Introduction to ISO 9001 course