A data breach can involve the leaked information of one person or of millions, but we only ever hear about the big ones, a few times a year.
Data has become a bit abstract. We use so much of it every day that we’ve gotten used to it being signed away, tracked, stored and sold.
So when data is involved in a breach, it’s hard to imagine the consequences of another drop in the endless ocean of data already on the internet.
But the right data in the wrong hands can have tangible negative effects on your business, which is why that data is sought after by cyber criminals, and they know precisely what they’re looking for.
Usernames, passwords, debit and credit card numbers, names, phone numbers, email addresses, street addresses. Depending on the criminal’s motivation, they can use it to hack, steal or defraud, or sell it on to someone who can.
The implications for businesses are even worse.
Data breaches can be caused by internal and external factors, for intentional or accidental reasons; not all breaches are the same.
The following are listed by the ICO (Information Commissioner’s Office) as examples of a breach:
- Access by an unauthorised third party
- Deliberate or accidental action (or inaction) by a controller or processor
- Sending personal data to an incorrect recipient
- Computing devices containing personal data being lost or stolen
- Alteration of personal data without permission
- Loss of availability of personal data
Why do criminals cause Data Breaches?
When data breaches occur, thousands, if not millions, of people’s data can be exposed.
Collections of stolen data are sold on the dark web by hackers and can be purchased by other criminals.
These transactions can happen before the breached company even knows it has been breached, and well before you, the customer, know you’re potentially exposed.
But why do hackers want to buy this data?
Because of one simple and true assumption: people usually reuse a password somewhere else. The password a criminal has already bought may let them into other accounts, ones they can leverage for their own gain.
The information stolen in one breach may then be used to perpetrate another. A known, repeated password acts like a master key to other accounts, maybe even a work account, one that allows a criminal to intercept invoices.
Phishing attacks can also be used to trick your employees into handing over their own credentials under false pretences, which gives criminals access to your business systems. Are your staff aware of phishing attacks?
Your business has had a data breach?
If you discover your business has suffered a data breach, what do you do?
The process for this is outlined by the ICO (Information Commissioner’s Office). What you legally have to do depends largely upon the risk the data breach causes.
First of all, when a business realises it has suffered a data breach, the clock starts: a reportable breach must be notified to the ICO within 72 hours of becoming aware of it, so the first stop is the ICO website.
There you can use the ICO self-assessment tool to determine whether you need to report the breach to the ICO and inform your customers. This is based primarily on one question: how likely is it that the breach will result in a risk to individuals?
Using their questions and examples, and your own judgement, you may determine that a risk is unlikely, in which case you do not have to report to the ICO or inform your customers (you must still keep your own record of the breach, see the tips below).
If the breach is likely to result in a risk to individuals, you must report it to the ICO. If that risk is high, you must also inform the affected individuals without undue delay.
Tips after a breach
- Whether a breach was high risk or low risk, document every one of them and put measures in place to prevent a repeat.
- Improve your cyber security.
- Increase your staff’s awareness with clear policies and user training.
What are the consequences of a Data Breach?
The consequences of a breach vary with its scale, the nature of the data, and the risk that data poses in the wrong hands.
Some sectors face even greater consequences for data breaches, such as finance, health and defence.
Which is why they maintain higher levels of cyber security. Even a control as basic as MFA (Multi-Factor Authentication) is standard across those sectors, but not in others.
So what about businesses?
Let’s go over the consequences of being breached and what you can do about it, before and after.
ICO & GDPR failure fines
A breach that is considered likely to result in a risk to individuals must be reported to the ICO and comes with a very real consequence.
A possible fine under the UK GDPR (General Data Protection Regulation) of up to 4% of your annual worldwide turnover or £17.5 million, whichever is higher.
Worse than one fine is another fine on top: failing to report a notifiable breach to the ICO in good time, or at all, is itself an infringement and can be fined separately (in the lower tier, up to 2% of turnover or £8.7 million).
Loss of trust
If a business suffers a data breach and that knowledge is made public, there will understandably be a loss of trust between it and its current customers, and it stands to lose future customers as well.
Business-to-business service relationships stand to be significantly damaged if one party is breached and exposes data belonging to the other, leaving that business vulnerable in turn.
The business world is a small one, especially at a local level, and a company’s negligence is bound to be remembered for longer than that of an individual customer.
Customers expect to be informed when their data is involved in a breach, but that doesn’t mean the business has to.
That depends on the ICO self-assessment: if the breach is unlikely to result in a risk to individuals, you don’t have to report it to the ICO or tell your customers, and only a breach that poses a high risk to individuals obliges you to tell them.
How to protect your business from a Data Breach?
If your data is involved in someone else’s breach, that isn’t your fault; you aren’t responsible for the standards and practices of another company.
But as the decision maker for your own business, you are responsible for yours. If your business’s data, your staff’s, or your own is leaked in someone else’s breach, don’t let that harm you in the future. Be defensive, be proactive.
- Use a password manager so that a unique password for every account becomes the easy option.
- Use MFA (Multi-Factor Authentication) so that you aren’t relying on a password alone to keep you secure.
- Enter into an IT security partnership where they can monitor your accounts and alert you if they are involved in a breach.
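The password-reuse problem described earlier and the account monitoring in the last tip can both be checked with a short script. The following is an added example, not code from the original post or from any provider. It uses the k-anonymity lookup scheme of Have I Been Pwned’s Pwned Passwords range API (only the first five characters of the password’s SHA-1 hash leave the machine; the returned hash suffixes are compared locally), but the breach corpus it queries is constructed for the example, and the `constructed_range_lookup`, `pwned_count`, `find_reused` and `audit` names are mine.

```python
"""Added example: two checks a business can run against its own
credentials after somebody else's breach.

1. Look a password up in a breach corpus without revealing it, using the
   k-anonymity scheme of the Pwned Passwords range API: hash with SHA-1,
   send only the first 5 hex characters, compare suffixes locally.
2. Find passwords shared between accounts, the "master key" problem.

The corpus below is CONSTRUCTED for this example and is not real breach
data. To run it for real, replace `constructed_range_lookup` with an
HTTPS GET of https://api.pwnedpasswords.com/range/<prefix>.
"""
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List

# Constructed leaked passwords and how often they "appear" in the corpus.
_SAMPLE_PASSWORDS_IN_CORPUS = {"password123": 1_234_567, "Summer2023!": 42}


def _sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_constructed_corpus() -> Dict[str, str]:
    """Build {5-char prefix: "SUFFIX:COUNT\r\n..."} as the API would return."""
    corpus: Dict[str, List[str]] = defaultdict(list)
    for pw, count in _SAMPLE_PASSWORDS_IN_CORPUS.items():
        h = _sha1_upper(pw)
        corpus[h[:5]].append(f"{h[5:]}:{count}")
    # A decoy suffix under an existing prefix: the lookup must match the
    # full 35-character suffix, not just the prefix.
    corpus[_sha1_upper("password123")[:5]].append("0" * 35 + ":7")
    return {prefix: "\r\n".join(lines) for prefix, lines in corpus.items()}


_CORPUS = _build_constructed_corpus()


def constructed_range_lookup(prefix: str) -> str:
    """Stand-in for the range API. Unknown prefixes return an empty body,
    which is also what the real service returns for no matches."""
    return _CORPUS.get(prefix, "")


def pwned_count(password: str,
                range_lookup: Callable[[str], str] = constructed_range_lookup) -> int:
    """How many times `password` appears in the corpus (0 if never).

    Only the 5-character prefix is handed to `range_lookup`; the password
    and its full hash stay local.
    """
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if not line.strip():
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def find_reused(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Group account names that share an identical password.

    `accounts` maps account name -> password, as a password manager holds
    them. Returns {password: [accounts...]} for every password used more
    than once; a leak of any one of those accounts unlocks the others.
    """
    by_password: Dict[str, List[str]] = defaultdict(list)
    for name, pw in accounts.items():
        by_password[pw].append(name)
    return {pw: sorted(names) for pw, names in by_password.items() if len(names) > 1}


def audit(accounts: Dict[str, str],
          range_lookup: Callable[[str], str] = constructed_range_lookup) -> Dict[str, dict]:
    """Per account: breach count of its password and which other accounts
    share it. Both checks together are what a monitoring service should
    be telling you after a third-party breach."""
    reused = find_reused(accounts)
    return {
        name: {
            "breached_count": pwned_count(pw, range_lookup),
            "shared_with": [n for n in reused.get(pw, []) if n != name],
        }
        for name, pw in accounts.items()
    }


if __name__ == "__main__":
    # Constructed staff credential set for the demonstration.
    sample = {
        "webmail": "Summer2023!",
        "crm": "Summer2023!",
        "vpn": "correct horse battery staple xq9",
        "bank": "password123",
    }
    for account, result in audit(sample).items():
        print(account, result)
```

Against the constructed corpus, `webmail` and `crm` are flagged both as breached and as sharing a password, `bank` as breached, and `vpn` as clean. The `range_lookup` parameter is injected so the same code runs offline here and against the live service in production; that injection is also what makes the check testable without network access.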
It’s our goal to put in place a multi-layered security system that protects businesses as much as possible with an economical solution.
With our comprehensive security services, only the most determined attacks have a chance of getting through.
If your business is compromised, our systems also ensure that you have the backups required to get you back up and running, and on your way to making your business better than ever.
Keep your eyes open for subsequent blogs, which will explore and explain other topics.