According to a report from the ICO in August, most data breaches are caused by incompetence or human error. Unsurprisingly, with GDPR requirements to report breaches within 72 hours now in place, we’ve already noted a surge in such breaches being reported.
Below, our expert team gathered key insights on how to best protect your company against human error, and the potential regulatory fines tied to it.
The Information Commissioner’s Office (the ICO), the UK’s GDPR regulator, defines a personal data breach as a security breach that leads to the loss, destruction or unauthorised disclosure of personal data. A data breach can be accidental or deliberate, and includes risks such as sending personal data to an incorrect recipient, access by an unauthorised third party or alteration of personal data without permission.
A data breach is usually the result of a successful cyber-attack involving the infiltration of a data source and the subsequent extraction of sensitive information. Cyber criminals are able to infiltrate networks either by gaining physical access to a computer or by remotely bypassing security through ransomware.
Historically, some of the biggest reported breaches to date include big names such as Yahoo, eBay, Uber and more recently, Timehop.
Ideally, you would have effective security software in place which alerts you to any suspicious activity on your business network. If you lack adequate security monitoring systems that can flag up personal data breaches, your staff identifying and reporting errors that could expose sensitive information is your next best line of defence.
Having the proper controls in place to identify a data breach is an essential requirement of the GDPR. Under the new regulations you are required to ensure that your business is capable of detecting and responding to security breaches. If the personal data you collect has been compromised without your knowledge, and the data breach is made public by a third party, you could be facing huge fines.
To identify breaches in real time, upskill your employees or outsource your data security systems to an expert IT firm. Ensure both your company’s security team and technology are up to date by providing regular cyber security training and monitoring your organisation’s security systems, infrastructure and applications.
According to GDPR legislation, in the event of a cyber security breach you should promptly establish whether there has also been a personal data breach and take the necessary steps to address it, including alerting the ICO.
Under the new data protection regulations, in the event of a data breach you have up to 72 hours to alert the ICO, unless there is a valid reason for a delay. To notify the ICO of a breach, visit their dedicated pages on reporting a breach. You should also note that if the data breach affects EU citizens, you may need to contact a different European data protection agency.
Failing to notify the ICO of a data breach can result in fines up to 10 million euros or 2 per cent of your global turnover, as well as any additional ICO corrective fines.
Since the GDPR came into effect, the ICO has been busy. Over the past six months, they’ve been conducting investigations into big names such as British Airways and Dixons Carphone Warehouse.
In one of the biggest data breaches post-GDPR, British Airways lost the personal details and credit card numbers of approximately 500,000 customers, as well as their CVVs, to a group of Russian hackers. This data breach demonstrated that large businesses still lack the robust cyber security required to protect their databases against hackers, as well as the capability to detect cyber-attacks in real time. While BA have been commended for their swift response to the cyber-attack, their reputation with customers has been severely damaged.
Similarly, 5.9 million of Dixons Carphone Warehouse’s customers had their bank cards compromised in a data breach made public this summer. Along with the payment details, cyber criminals gained unauthorised access to as many as 1.2 million personal data records. The consumer electronics firm identified the breach during a review of their systems, further highlighting the need for businesses to proactively assess their data security systems instead of taking action once the damage is done.
Large numbers of data breaches are still caused by poor patch management – in fact, one of the biggest cyber security challenges businesses face today is unpatched security software. This is especially true in large organisations which work with numerous different pieces of software – staying ahead of the vulnerabilities in all of them with patching is a losing battle.
The best way to prevent data breaches caused by poor patching is to make sure your IT security team is able to identify and prioritise vulnerabilities in your software. Training your staff on this key aspect of cyber security will allow them to decide more quickly what needs to be patched first.
Alternatively, if you don’t have the in-house resources to take on patch management, you can outsource it to a trusted IT provider like CNS, who have the resources to deal with such threats.
Some of the most efficient ways to protect your organisation against data breaches include encrypting the database where your customer data is stored, running malware detection software on servers and computers alike, and conducting regular network security health checks.
To avoid hefty fines and damage to your reputation caused by a data breach, make sure you have robust cyber security in place, alongside a thorough breach reporting process which allows you to swiftly detect and report any potential breaches.
Do you hold Cyber Essentials certification? When was the last time you carried out Penetration Testing? The highly qualified and experienced team at CNS will provide cyber security training solutions tailored to your business needs.
Ask about our Breach Readiness Services
Prevent - We block malicious internet requests and files
Detect - We see and stop malicious requests and analyse behaviours
Respond - We provide full reporting with outbreak control and quarantine