It’s normal for businesses to hold onto data virtually in today’s world, with personal data being the most expensive type of data. Even though GDPR has increased the awareness of personal data protection, this data is easy to lose, and once it is lost, it’s not cheap to deal with.
The majority of businesses are aware of how costly losing data is. Let’s be honest, there are lots of blogs and reports which will map out the average cost of a data breach in the UK for businesses. They detail the cost of the fines, recovery costs, etc but most of these blogs forget to mention the other costs associated with a data breach.
The reality is when you suffer a breach, you not only lose money in the obvious sense. You also lose your business’s reputation, the trust of existing and potential future clients, the ability to work during and shortly after a data breach, and precious data which may be business critical. It was found that 60% of businesses are forced into bankruptcy within 6 months of a data breach (B2C)
This blog isn’t aimed to make you panic about a breach, but to advise you on how to avoid a breach and teach you how GDPR isn’t as bad as it’s made out to be.
The Reality of a data breach
What is a data breach?
If you speak to most people, they’ll believe that a data breach involves some type of malicious activity, whether it’s a disgruntled employee deleting files or an external hacker/malicious tool encrypting your data. The truth is, a data breach involves any loss of access to personal data including accidental deletion, unauthorised disclosure, corruption, etc (ICO.org).
In simple terms, this means if you have lost control of where that data is or can’t access that data through any means and have no recovery options, you’ve experienced a data breach. There isn’t anything complex about it, but it will impact your business in a big way!
The likelihood of a data breach happening
In the UK, one SMB is successfully hacked every 19 seconds according to Hiscox. This doesn’t mean suffering a data breach, but without the correct tools in place, there is a high likelihood of suffering a data breach following a successful hack.
Cyber attackers are targeting SMBs more and more as many small businesses have the mindset of “we are small…” or “it will not happen to us…”, meaning their cybersecurity is usually an afterthought. Even if you only hold personal data for invoicing or marketing purposes, it’s so so so important for you to protect that data!
You’ve been breached – What are the next steps?
The first thing any company should do if a breach happens is identify whether it classes as a data breach. Ask yourself these questions:
- Has personal data been lost or stolen?
- Is there any way to recover it?
- Can I access it?
- Can we destroy the stolen copy but retain the initial data?
- Does someone unauthorised have access to the data?
- Can we prevent this person from accessing it before it is too late?
Answering these questions can help you uncover whether you have experienced a true data breach. If you believe you have, by law you have to announce this breach by GDPR.
Once you’ve announced a breach publicly, prepare yourself for a long battle. This is where the true cost starts to become apparent as you’ll begin to fight for the survival of your company. Clients will start approaching you with questions, fines may come into play, prospects and clients may walk away, and the long nights of working to get your company back up and running to its previous standard are always ahead of you.
Most people will tell you that moving property or going through a divorce is one of the most stressful events that will happen in your life, but any business owner/director that has gone through a data breach will likely tell you otherwise.
Why recovery is as important as prevention
You can have all the cybersecurity tools in the world, all the policies in place, and all of the DLP kits up and running, but nothing can prevent someone inside from causing a data breach, be it accidental or intentional. Two scenarios:
- Employee accidentally clicks delete on the file above the one they meant to delete but does not realise. 2 weeks later, the HR manager needs access to someone’s info and realises they can no longer find it. If they can’t recover it, it’s classed as a data breach.
- Employee is in the pub and is approached by a hooded man. He asks for 10 minutes of remote access to his machine in return for £10,000. The employee can’t turn that amount of money down so helps the man access it. 2 minutes later, ransomware starts to encrypt the company’s IT infrastructure.
That’s why companies need to focus on recovery as much as they do prevention. It can be the difference between a slight blip and a full data breach where they have to announce it. How can you recover? You can:
- Use offsite backups
- Disaster recovery
- Continuity planning
Make sure you are prepared for a breach, both before and after it happens.
How to prevent a data breach and become GDPR compliant
What GDPR UK suggest
You need to remember there isn’t a one-size solution that fits every company. If you are in a heavily data-reliant industry like staffing or legal, you’ll need more security than an industry that’s less reliant such as florists.
GDPR UK suggests several methods are needed to help prevent data breaches, all of which need to be considered based on your work and how you manage and use your data.
How auditing can prevent breaches
Cybersecurity and business auditing are becoming more common for all businesses. Obtaining audit certifications such as ISO27001 shows that a business has the right processes in place to keep its data protected (ISO27001 is the information security audit). Also, businesses can now try to achieve Cyber Essentials and Cyber Essentials Plus which is another way of proving businesses have the essential security in place to stay secure against cyber-attacks.
It is also worth auditing your staff and their permissions every few months. It’s not uncommon for staff to change roles in a company, which means they may be left with access to files/data which they should not be able to access. Running an audit like this would prevent unauthorised access, which would result in (you guessed it) preventing a data leak.
The importance of patch management
The NHS, Travelex, KP Snacks. These are three of the most recent data breaches caused by old systems not being updated. All of these could have easily been prevented. No one likes doing their updates, it wastes time, and it always comes when you’re too busy right?!
That’s why having a patch management system in place solves these issues. Having your IT company run the updates automatically in the evening (with a warning) ensures your systems stay up to date and avoid any old vulnerabilities being used by hackers to access your network.
Why do you need testing externally and internally?
Penetration testing, internal testing, phishing simulations, and other types of simulations are all recommended or required by GDPR. If you want cyber insurance most brokers will insist that you have a penetration test! Not only does it make you aware of your vulnerabilities on your IT network, but it will also help you understand if your employees are also equipped to deal with a potential threat like a malicious email.
If they’re not, all you need to do is introduce some cyber awareness training. It may cost a little bit in the short term, but it will save your company in the long term.
How backup and disaster recovery can be a major benefit
I’ll keep this short and refer you to the “why recovery is just as important as prevention” section. Most people avoid backup as they have never needed it. But you have to think of it as insurance. Buy it hoping to never use it, but if you need it you’ll be very happy you have it.
Also, backup isn’t as expensive as it used to be. Especially if you’re data is kept within certain cloud infrastructures like Microsoft 365 or Apple!
The majority of businesses are starting to think more about protecting their data, but not many are thinking about how to recover it should something go wrong. This could be caused by not understanding what a true data breach is, or not considering how a data breach will affect a business.
Educating businesses about the true cost of a data breach is key and can be the difference between them surviving and them being forced into bankruptcy. Once they understand this the business can start implementing the right steps to stay secure.
If you’re reading this and think “my company is not prepared for a potential data breach”, reach out to your IT partner. They’ll be able to guide you on what to put in place and help you set up your policies and procedures. If you aren’t using a trusted IT partner, get in touch and let us help you today.
This blog was written with the expert advice of Ben Godsell from ACS