The world of data breaches - and how to avoid being part of it
Norman Shaw looks at the causes of data breaches, what it costs and what the market needs to consider in order to protect itself.
Norman Shaw, IT industry veteran & CEO and founder of ExactTrak
Data breaches are increasing as are the fines for them. With new EU data protection regulation coming, fines will increase even more. But why are these breaches happening? What is the cost to businesses? What will the new EU regulation mean for business? And how can you combat these breaches and protect your data, reputation, and bottom line?
What are the causes of data loss?
There's competition for the main cause. IBM and The Ponemon Institute indicate that breaches are mostly caused by malicious or criminal attack (47 percent globally), with human error accounting for 25 percent of cases (28 percent in the UK). However, the IT Policy Compliance Group says 75 percent of ALL data losses is human error, the Aberdeen Group says 64 percent and most recently, CompTIA said 52 percent of the root cause of security breaches is human error.
Whatever statistic you choose to believe, human error is always part of the equation and I would say the easiest part to fix.
Delving into more detail, the Wall Street Journal exposed some of the problems associated with human error in November last year. They reported that:
- 77 percent of people from the 5,000 interviews they conducted had lost a laptop, tablet or mobile with sensitive data;
- 84 percent used personal email and 50 percent used the public cloud to send sensitive information;
- More than 30 percent had lost a USB drive containing confidential information;
- And 63 percent of IT managers lack visibility of mobile data within their organisation.
Of course, accidents happen and that's unavoidable, but not deploying technology to protect against these accidents when we know they're likely to happen is unforgivable.
What are the costs of data breaches?
The financial cost has risen by 23 percent globally over the last two years according to IBM and The Ponemon Institute. In the UK, the Information Commissioner's Office (ICO) has already handed out four fines this year amounting to £595,000. But it's not just the financial cost that companies should be concerned with.
The South Wales Police was fined for losing a video recording that was part of a sexual abuse case – discs were unencrypted and left in a desk drawer. Meanwhile, StaySure.co.uk Limited was fined when hackers accessed and used over 5,000 customer credit cards.
These organisations played fast and loose with people's information and understandably, concerns amongst the public about data losses and data protection have soared and the cost is now reputational too. Would you book through StaySure.co.uk now? And as always, the failings of the few affect the many – the public is now ALWAYS cautious with its data and the new EU regulation will apply to EVERYONE.
What do we know now about the forthcoming EU data protection regulation?
Fines are increasing – up to €1 million or 2 percent of a company's annual worldwide turnover although the European Parliament may raise this to 5 percent .
24 hours – organisations will be obligated to reveal data breaches within 24 hours.
Deleting data – under 'right to be forgotten', an individual's data will need to be able to be deleted upon request.
Protection and privacy expectations – The principles of ‘Data protection by design' and ‘Data protection by default' mean data protection safeguards need to be built into products and services at development and the default settings should be privacy-friendly.
One rule for all – the 'one-stop-shop' and 'consistency mechanisms', mean the interpretation and application of the new regulation should be comparable across orders.
What can you do to avoid the data breach?
There's no monopoly on ideas to avoid the fine, and notoriety, of a data breach but here are a few of the things I think it's imperative, and possible, to do right now:
Senior sponsorship – culture drops down from the top; if you want employees to take data protection seriously, you need senior sponsorship.
Technology – for remote workers with USBs, laptops, mobile phones on the move, companies need more than encryption which is difficult to prove after the fact. Consider geo-location tracking, technology that provides a verifiable audit trail, and the ability to destroy data remotely if it's lost irrevocably.
Education – educating employees is paramount; especially for companies using mobile data or those with BYOD policies.
Policies and procedures – get ready now for the new EU laws. Even the 24 hour notification procedure will require time to develop.
The increase in public awareness around personal data coupled with the impending EU regulation means there's nowhere to hide; the only viable option is to do everything in your power to avoid a data breach.Contributed by Norman Shaw, IT industry veteran & CEO and founder of ExactTrak.