Are Businesses Taking Data Breaches Seriously?
A data breach is something that will strike fear into the hearts of chief technology officers (CTOs) and CEOs in any business. It’s an event that can have serious consequences for a firm, from the loss of trust among consumers to the potentially hefty fines.
The introduction of the GDPR legislation earlier this year means that the financial penalties can be eye-watering: up to 20 million euros or four per cent of annual global turnover, whichever is higher, i-Scoop reported.
That alone should be enough to make your business look seriously at its data protection policies. But it’s important that you don’t forget about confidential data destruction too.
Despite the stricter laws and considerable fines, there are still regular reports of companies suffering data breaches, both in the UK and elsewhere in Europe.
Some are concerned that as data breaches have become more and more frequent, consumers - and shareholders - are switching off from the notifications about personal data being accessed illegally.
One of the latest companies in the UK to suffer a data breach is Superdrug. The company announced earlier this month that the personal details of 20,000 of its online customers had been stolen by hackers.
The BBC reported on the retailer’s response, which included advising people to change their passwords. However, Superdrug stressed that no payment details had been accessed in the hack.
Some customers were less than happy with the breach and the firm’s response to it, though. The news provider shared tweets from some frustrated customers, who berated the retailer for failing to apologise and who stated that they’d be closing their accounts with Superdrug.
High-profile data breaches
When you look at some of the high-profile data breaches that have occurred in recent years, you can see some very big names on the list. In the UK, Dixons Carphone, owner of Carphone Warehouse and Currys PC World, as well as TalkTalk have both been hit by significant breaches.
In the US, one of the largest and most prominent cyber security breaches happened at retailer Target. More recently, T-Mobile also suffered a significant data security attack, in which the details of three per cent of its 77 million customers were accessed by hackers, CIO Dive reported.
Customers’ names, billing zip codes, phone numbers and email addresses were exposed, as were account numbers in some cases, the company announced. Although it has stressed there is no ongoing risk, as a consumer you have to wonder just how safe your data is in the hands of various organisations.
Are consumers ignoring data breaches?
According to The Motley Fool, the T-Mobile data breach should act as a wake-up call. However, the news provider suggested that the majority of consumers would have done little more than scan the text message they were sent notifying them of the issue before continuing with their daily lives.
This is because there have been so many similar breaches in recent years that customers are ignoring them, especially where they’re told no financial data was stolen.
The website stated: “This should be a wake-up call that just because something bad happens frequently and seems not to affect you doesn’t mean you should let your guard down.”
As a consumer, the most important steps you can take are to regularly change your passwords and ensure that you’re not using the same passwords and sign-in details across multiple sites.
In the case of the Superdrug breach, the firm believes its system wasn’t compromised. Instead, it has suggested that the hackers obtained customer email addresses and passwords from other sites, and then used those to access the accounts on the Superdrug website.
Dr Guy Bunker, SVP of products at ClearSwift, told Information Security Buzz that if this is true, Superdrug is not to blame for the breach and therefore can’t be fined under GDPR.
He also noted that by going public with the blackmail demand from the hackers, the company is showing that it won’t pay, while also encouraging customers to think more about their own online security.
But Andy Corey, identity management services lead at KCom, told the website that businesses need to be careful about passing the buck to consumers.
“While a customer’s security weakness does not help, a weak authentication system is a company’s problem as well as its responsibility,” he asserted.
Mr Corey acknowledged that businesses can force consumers to set up passwords, but they can’t ensure that the consumer then keeps this a secret. However, he believes it should be the business that takes responsibility.
He stressed that he’s not advocating for the removal of identity access management, but is suggesting that “the legwork is transferred from the customer to the business - organisations need to make the process simple and time efficient for their customers”.
Could password-free security work?
While Mr Corey didn’t provide any suggestions of how companies might take on a greater role in identity access management, another expert did have some suggestions.
Also speaking to Information Security Buzz, Jesper Frederiksen, head of EMEA at Okta, offered some pointers on where businesses can go with this line of thought.
“Retailers may choose to scrap passwords altogether and go for a ‘passwordless’ society, where user authentication is enabled based on a number of contextual factors such as device trust and IP geolocation,” he stated.
Mr Frederiksen pointed out that this would make personal information useless to hackers and thereby better protect consumers and businesses.
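To make the two ideas above concrete, the credential-stuffing pattern described in the Superdrug case (valid email/password pairs taken from other sites and replayed) and the contextual authentication Mr Frederiksen describes (device trust plus IP geolocation), here is a small risk-based login evaluator. It is an added illustration, not code from the article or from Okta, Superdrug or any other company named on this page. The trusted-device registry, the prefix-based geolocation table, the home-country records and the five-account threshold are all constructed assumptions; a production system would use a real geolocation service and a time-windowed counter.

```python
"""
Contextual (risk-based) login evaluation, as an added example.

A correct password alone is not enough: the decision also weighs whether the
device is one the account has enrolled before, whether the source IP resolves
to the country the account normally signs in from, and how many distinct
accounts one IP has attempted (the classic credential-stuffing signal, which
is visible even when every replayed password is wrong).
All registries and addresses below are constructed for illustration.
"""
from collections import defaultdict

# Constructed: device IDs previously enrolled per account.
TRUSTED_DEVICES = {
    "alice@example.com": {"dev-a1"},
    "bob@example.com": {"dev-b7"},
}

# Constructed stand-in for an IP geolocation lookup (prefix -> country code).
GEO_PREFIXES = {"203.0.113.": "GB", "198.51.100.": "GB", "192.0.2.": "XX"}

# Constructed: country each account has historically signed in from.
HOME_COUNTRY = {"alice@example.com": "GB", "bob@example.com": "GB"}

# Assumed threshold: distinct accounts attempted from one IP before we treat
# that IP as a credential-stuffing source (no time window in this toy model).
STUFFING_THRESHOLD = 5


def geolocate(ip):
    """Return a country code for the IP using the constructed prefix table."""
    for prefix, country in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return country
    return "??"


class RiskEngine:
    def __init__(self):
        # Accounts attempted per source IP, counted whether or not the
        # password was right: stuffing tools mostly get it wrong.
        self.accounts_per_ip = defaultdict(set)

    def evaluate(self, account, ip, device_id, password_ok):
        """Return (decision, signals) for one login attempt.

        decision is "allow", "step_up" (demand a second factor or a
        magic link) or "deny".
        """
        self.accounts_per_ip[ip].add(account)
        if not password_ok:
            return "deny", ["bad_password"]

        signals = []
        if device_id not in TRUSTED_DEVICES.get(account, set()):
            signals.append("unknown_device")
        country = geolocate(ip)
        if country != HOME_COUNTRY.get(account):
            signals.append(f"geo_mismatch:{country}")
        if len(self.accounts_per_ip[ip]) >= STUFFING_THRESHOLD:
            signals.append("credential_stuffing_velocity")

        if "credential_stuffing_velocity" in signals:
            # A correct password from a stuffing source is exactly the case
            # the article describes: deny and flag the account for review.
            return "deny", signals
        if signals:
            return "step_up", signals
        return "allow", signals


def run_demo():
    """Replay a constructed sequence of attempts and return the decisions."""
    engine = RiskEngine()
    results = []
    # Normal sign-in from an enrolled device in the home country.
    results.append(engine.evaluate("alice@example.com", "203.0.113.10", "dev-a1", True))
    # Same account, same country, but a device never seen before.
    results.append(engine.evaluate("alice@example.com", "203.0.113.10", "dev-zz", True))
    # Enrolled device, but the IP resolves to an unfamiliar country.
    results.append(engine.evaluate("bob@example.com", "192.0.2.5", "dev-b7", True))
    # Credential stuffing: one IP works through a list of leaked pairs.
    for n in range(4):
        results.append(engine.evaluate(f"user{n}@example.com", "192.0.2.9", "dev-x", False))
    # The fifth account on that IP has a reused, correct password.
    results.append(engine.evaluate("bob@example.com", "192.0.2.9", "dev-b7", True))
    return results


if __name__ == "__main__":
    for decision, signals in run_demo():
        print(decision, signals)
```

The last attempt is the instructive one: the password is right and the device is enrolled, yet the login is refused because the same address has already cycled through several unrelated accounts. That is the "legwork transferred to the business" Mr Corey asks for, and it is what makes a leaked password from another site far less useful on its own.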
How else can companies protect data?
Given the number of data breaches, it’s fair to ask whether businesses across all sectors and of all sizes are doing enough to protect our personal data.
A recent article for Channel Web suggested that although companies are aware of the importance of cyber security, many are still falling behind in terms of implementing systems and procedures to boost data security.
It cited a breach at Butlins Holiday Camp, which occurred when a member of staff opened a phishing email. In this case, improved staff training on data security could make a difference.
However, it’s important to make sure that IT teams in the business are aware of all the weak points and understand how and when systems can become vulnerable, particularly during a migration or upgrade.
Another issue is that stretched IT teams are being expected to do more with less. Smaller budgets are a real problem for information security teams who need to “weave their way through a myriad of devices, operating systems and infrastructure” in order to protect against a range of cyber threats, Jason Holloway, managing director of Bridgeway Security, told the website.
“We are creating a bigger attack surface area and we are consolidating more and more data into bigger buckets, so a breach is more likely to occur, and when it does, its impact is greater,” he asserted.
Being aware of the increased risks is just one part of the puzzle. Directing greater resources towards information security is a must if companies of all sizes are to stay ahead of the curve when it comes to cyber attacks.
Staff training on how to identify potential threats, as well as how to correctly and safely dispose of confidential data and documents that are no longer required, is essential.
A worldwide study carried out by Frost and Sullivan for CA Technologies found that many executives aren’t taking cyber security as seriously as they should, Business Insider Singapore reported.
It noted that almost one-third of executives “saw security initiatives as a negative return on investment”, and as a result were failing to learn from previous mistakes. Interestingly, those involved directly in cyber security did not share this view.
The report also revealed that many firms are overestimating their data security capabilities. It pointed out that 90 per cent of those surveyed described their cyber security as good or excellent. However, more than half of these companies had suffered a data breach.
Being honest about your capabilities and shortcomings would also seem to be essential if you’re going to improve the situation at your business.
What happens next?
Although it would be wonderful if businesses changed their policies and upgraded their systems because it is the right thing to do, the reality is that unless there is a financial or reputational benefit to doing so, many will wait until they are forced to invest in these areas.
If consumers become jaded by frequent media reports of data breaches - and therefore don’t take action to leave the companies that fail to safeguard their information - there will be less incentive for businesses to invest in cyber security.
The T-Mobile breach in the US demonstrates this. The share price fell very slightly following the incident, compared to the significant drop experienced by Target when it suffered a very high-profile data breach in 2014.
Of course, the significant fines introduced under the GDPR legislation will certainly encourage many businesses to upgrade their cyber security, but it’s important that firms continue to innovate and don’t stick with the bare minimum.
Cyber crime is on the increase and the hackers will continue to adapt and evolve. It’s essential that businesses do the same if they’re to stay one step ahead when it comes to data protection.