Data Security: Put in the Time or Face the Fine
Data breaches seem to be growing increasingly common, with enormous monetary and social consequences. There is no longer any excuse for firms with lax security.
The very first month of 2020 saw Travelex, Microsoft and Regus experience high-profile data breaches. The enactment of GDPR and the ICO’s intention to fine British Airways £183m for its 2018 cyberattack – plus the estimated compensation pay-outs that could reach the billions – have not resulted in businesses taking cybersecurity seriously.
But how much of this inaction is down to a lack of understanding about data safety? The increasing digitalisation of information storage is not being met with additional staff training and employees are often unaware of how to avoid simple data leaks that could have catastrophic consequences.
So, how can businesses approach data security and protect themselves from any reputation-tarnishing breaches? Aman Johal, Lawyer and Director of Your Lawyers, shares his advice with Lawyer Monthly.
Educating Staff About Cybersecurity
The importance of educating your staff about cybersecurity cannot be overstated. If your employees are not clued up, you don’t have a viable defence. Your defence is only as good as the weakest link – it’s as simple as that.
But despite the constant threat to consumer data, businesses are still dragging their heels and failing to upskill staff or at least bring in experts. For example, the 2019 State of IT Security Survey found that email security and employee training were the top issues faced by IT security professionals. Yet more than 30% of employees surveyed by Wombat Security Technologies didn’t know what phishing or malware were. That’s almost a third of employees not even recognising two of the most basic forms of cyberattack.
There’s a clear gap between what employees need to know about cybersecurity and the training opportunities available to them from their employers.
Employees Risk Leaks Without Education and Training
The risks posed by not educating your staff extend beyond defence. For instance, without adequate training, your staff can easily end up being the cause of a data leak. This was the case in the New Year’s Honours list leak, where a member of staff didn’t seem to think that publishing the addresses of more than 1,000 honour recipients constituted a data leak. It was a farcical and avoidable act which showed a total lack of regard for, and understanding of, the most basic security protocols.
A similar situation arose with the Wyze Labs data breach in December. Here, a mistake by an employee when using the company’s database exposed the personal information of 2.4 million users, including protected health information and email addresses.
Your employees need proper cybersecurity training to protect themselves and the company from cyberattacks, and data protection training to avoid other breaches and leaks. By making employees aware of security threats, what they might look like and what procedures to follow when a threat is identified, you’re strengthening the most vulnerable links in the chain.
At the same time, it’s the employer’s responsibility to make sure that employees are not put in a position where they can cause a data leak. The 56 Dean Street Clinic and the Charing Cross GIC clinic leaks are perfect examples. Instead of the organisations making use of readily available mass mailing software, employees were left to send emails to patients by hand, relying on the BCC field to hide the recipient list. On both occasions the BCC field was not used, and the recipients’ private and sensitive confidential medical data was exposed to everyone on the list.
These events are often referred to as “human error” breaches. In reality, they are the result of systemic failures within the organisations.
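The systemic fix the clinic cases call for is a mailer that never puts more than one recipient on a message, so there is no BCC field for a member of staff to forget. The following is an added example written for this article, not code from any of the organisations named; the sender, subject and recipient addresses are constructed for illustration. It builds one message per recipient and, as a second line of defence, refuses to send any message whose visible headers would disclose a second address.

```python
from __future__ import annotations

from email.message import EmailMessage
from email.utils import getaddresses
from typing import Iterable


class RecipientDisclosureError(ValueError):
    """Raised when a message would reveal one recipient's address to another."""


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address a recipient would see in the delivered headers (To and Cc).

    Bcc is deliberately excluded: it is the field people forget, so we never depend on it.
    """
    raw_headers = [value for name in ("To", "Cc") for value in msg.get_all(name, [])]
    return [addr.lower() for _, addr in getaddresses(raw_headers) if addr]


def assert_no_disclosure(msg: EmailMessage) -> None:
    """Refuse any message that exposes more than one recipient.

    This check runs in the mailer itself, so the control does not rely on a human
    remembering to use BCC. A Bcc header is also rejected: with one message per
    recipient there is no legitimate reason for it, and its presence usually means
    someone is hand-building a bulk send.
    """
    seen = visible_recipients(msg)
    if len(seen) > 1:
        raise RecipientDisclosureError(
            f"message would disclose {len(seen)} recipients to each other: {seen}"
        )
    if msg.get_all("Bcc"):
        raise RecipientDisclosureError(
            "Bcc is not used by this mailer; send one message per recipient instead"
        )


def build_individual_messages(
    sender: str, subject: str, body: str, recipients: Iterable[str]
) -> list[EmailMessage]:
    """Build one self-contained message per recipient (duplicates removed, order kept).

    Each message carries exactly one address in To and nothing in Cc or Bcc, so a
    patient can never learn who else received the mailing.
    """
    unique = dict.fromkeys(addr.strip() for addr in recipients if addr.strip())
    messages: list[EmailMessage] = []
    for rcpt in unique:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        assert_no_disclosure(msg)  # defence in depth: fail closed before handing to SMTP
        messages.append(msg)
    return messages


if __name__ == "__main__":
    # Constructed sample data for illustration only.
    patients = ["alice@example.org", "bob@example.org", "alice@example.org"]

    # The safe path: three inputs become two messages, each addressed to one person.
    for m in build_individual_messages("clinic@example.org", "Newsletter", "Hello", patients):
        print("send ->", m["To"])

    # The mistake the clinics made, caught before it leaves the building.
    leaky = EmailMessage()
    leaky["From"] = "clinic@example.org"
    leaky["To"] = ", ".join(patients)  # every address visible to every recipient
    leaky["Subject"] = "Newsletter"
    leaky.set_content("Hello")
    try:
        assert_no_disclosure(leaky)
    except RecipientDisclosureError as exc:
        print("blocked:", exc)
```

The point of the design is that the safe behaviour is the only behaviour the tool offers: staff cannot choose between To and BCC because the mailer never exposes that choice, and if someone bypasses it and hand-builds a message, the pre-send check fails closed rather than trusting the headers.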
Know the Legal Implications of a Data Breach
All businesses are legally required to take reasonable steps to prevent cybersecurity incidents. They should have effective defences and infrastructure in place to prevent third-party threat actors from gaining access to their systems, networks and information. Those measures should be thorough, from basic controls such as encrypted storage to professional tools such as firewalls.
We know that businesses still take a lax approach and almost seem surprised when a data breach is followed by a hefty regulatory fine and compensation claims. The rules are clear – if you breach the law, you can be liable to compensate those affected.
British Airways was recently handed a provisional fine of £183 million for their 2018 cyberattack. But this financial cost does not account for the huge bill to compensate consumers – estimated to be £3 billion – and the loss of consumer trust which follows a data breach.
Security experts have suggested that British Airways could have spent as little as a few thousand pounds on a bug bounty programme to avoid its infamous 2018 cyberattack. Instead, it is facing costs that may hit the billions.
It’s no exaggeration to say that competition within sectors could be shaped by data breaches. Those who experience an attack could face reputational damage so significant that they lose market share, and the cost of meeting regulatory fines and compensation claims could be ruinous. Businesses simply cannot afford to treat cybersecurity as an afterthought and must urgently be more proactive in their approach and bolster their online security if they have not already done so.