Think your organisation is unlikely to be affected by a data breach? Think again.
A Carbon Black study has found that 88% of UK businesses were breached last year, demonstrating just how widespread the threat is. If your organisation hasn’t yet suffered a data breach, it’s probably only a matter of time.
Indeed, you may already have fallen victim and simply not know it yet. The average time to detect a security incident is 206 days. That’s almost seven months.
Consider how much damage is being done in that time. The criminal hackers are probing your systems looking for more and more useful information; thousands, if not millions, of records are being compromised; and the people whose information has been stolen are being subjected to all sorts of malicious acts without their knowledge.
How are breached businesses affected?
Organisations suffer in many ways when they fall victim to a data breach, but the most immediately worrying are the financial repercussions.
There are several costs associated with a data breach, such as:
Compensating affected customers;
Setting up breach response efforts, like helpdesks for affected customers and complimentary credit checks;
Investigating the incident, which might include hiring a third party or paying your own security staff in overtime; and
Falling share prices.
There’s also the threat of regulatory penalties following a data breach. The disciplinary powers introduced in the GDPR (General Data Protection Regulation) have made this potentially by far the biggest financial cost of a data breach.
The GDPR gives supervisory authorities – which in the UK is the ICO (Information Commissioner’s Office) – the power to fine non-compliant organisations €20 million (about £17.5 million) or 4% of global annual turnover, whichever is greater.
Don’t overlook the reputational damage of a data breach
After paying off fines, the breached organisation must also deal with the damage to its reputation. It can be hard for the organisation to retain customers’ trust, particularly if the breach was widespread or caused by basic security errors.
Regardless, you are bound to see people take their business elsewhere after a breach and you’ll struggle to bring in new customers.
Unless it was a catastrophic breach, the loss of trust will subside over time as people forget about the incident and competitors suffer a similar fate. However, the damage will already have been done by then, with the breach halting your growth.
During this time, you must also hope that you don’t suffer another security incident, as this could compound the damage to such an extent that it’s impossible to recover from.
The dangers of collecting sensitive information
Data breaches are more likely to have bigger financial and reputational effects if sensitive personal data is involved. This includes information relating to an individual’s:
Racial or ethnic origin;
Religious or philosophical beliefs;
Trade union membership;
Genetic data; and
Biometric data (where processed to uniquely identify someone).
The misuse of sensitive data can cause a lot more damage than the standard data involved in breaches, such as names, addresses and financial details.
Whereas ‘normal’ personal data is generally used to commit fraud or launch personalised cyber attacks (which, although bad, are a one-off event), a breach of sensitive personal data can permanently disrupt the victim’s life.
For example, it can expose information that the individual wanted to keep private for fear that it would lead to prejudice. Think of the emotional damage that might occur if it became publicly known that a data subject had a health condition or was a member of a controversial political party.
Similarly, consider the effects if biometric data were breached. This isn’t just a privacy breach; it can also have an irrevocable impact on the individual’s information security practices.
If they were using the information as a security mechanism (which is the most likely reason to share such information), they cannot simply reset their fingerprint in the way you reset a password after it is breached.
The victim will forever know that their biometric data is out there and can potentially be used to access their accounts.
Organisations are therefore expected to take extra care when handling sensitive information. If it’s breached, the victims will be much less likely to forgive you and the ICO will come down much harder when issuing a fine.
Protect your organisation with a DPO
To help organisations tackle the threat of data breaches, the GDPR requires certain organisations to appoint a DPO (data protection officer). They are independent data protection experts who help organisations meet their regulatory obligations.
DPOs’ tasks include monitoring an organisation’s data protection policies, advising management on whether DPIAs (data protection impact assessments) are necessary and serving as a point of contact between the organisation and its supervisory authority.
Although not every organisation is required to appoint a DPO, many experts – including the European Data Protection Board – believe all organisations will benefit from assigning someone to take on the DPO’s responsibilities.
Finding someone with the right experience can be tricky, though, which is why many organisations are turning to third-party help.
DPO as a Service
Our sister company GRCI Law Limited is a legal consultancy specialising in data protection and cyber security.
Under its DPO as a service offering, a qualified, experienced member of the team will act as DPO for your organisation. The role of the DPO is to monitor your data protection activities and compliance with the GDPR, and to offer advice on a day-to-day basis.
A version of this blog was originally published on 9 April 2019.
Read more: itgovernance.co.uk