Data breaches are a growing threat

With cyber breaches a growing threat to data security we look at the impact they are having on UK businesses and the new data protection legislation coming into force next year.

“We’re in the stone age of cyber security. Real learning will only come after the first major incident.”

These chilling words from 2016 are those of Dr Christopher Frei, Secretary General of the World Energy Council.

The frightening thing is that while most of us are in the stone age, the hackers are in the space age. As a result, the cost of data breaches has never been higher. According to a damning security report released by Cisco at the end of January, a third of organisations that suffered a breach last year lost more than 20% of their revenue.

The report also revealed:

20% of organisations lost customers, and 40% of these lost more than a fifth of their customer base
38% lost more than a fifth of their revenue
23% lost business opportunities

Cisco claims that a lack of budget, poor integration of systems and a shortage of sufficiently trained staff are the main reasons for security lapses. Despite more than half of organisations using between six and 50 security products, most are struggling to defend threats to their networks.

More worrying still is the fact that the UK is at the bottom of the list of countries that are effectively managing threats, way behind the leaders Mexico and India.

Classic methods of attack such as adware and email spam continue to be effective as hackers slip through security gaps.

A look at three of major recent data breaches to have affected UK companies makes unhappy reading:

Tesco Bank

Top of the tree of shame must surely be Tesco Bank. In November last year, 20,000 customers of Tesco’s online bank had money stolen from their accounts. The breach caused chaos, with Tesco forced to suspend all online transactions by its 136,000 current account holders. Tesco agreed to bear the cost of the attack but no details have been revealed about how much this was. On top of this, Tesco faces a multi-million pound fine from City regulators.

Three Mobile

Last year, hackers used an employee login to gain access to Three’s customer upgrade database. Names, addresses, phone numbers and dates of birth were obtained. Three say no financial data was compromised.

Sage

FTSE-100 accounting software company Sage suffered a data breach last year that may have exposed employee details for 280 UK businesses. Sage’s shares fell 4.3% when the news was released.While organisations grapple with how to prevent these types of attacks, the authorities are putting greater pressure on them to do so.

From May 2018, UK data protection will be governed by the new European General Data Protection Regulation (GDPR).

The fines for breaches of GDPR are significantly more onerous than under the current regime. These can be as much as the greater of €20 million or 4% of a business’s worldwide annual turnover.

To put that in perspective, had the Tesco Bank breach occurred after May 2018, it would have faced a fine of £1.9bn. If that’s not an incentive to tighten security, nothing is.

The GDPR will impose more stringent obligations on organisations in relation to:

The maintenance of records and documentation
The ability of the data subject to withdraw consent to their data being held
The right for data subjects to have their data forgotten.

The timeframe of GDPR is such that it will come into force in the UK regardless of when Brexit goes ahead. Organisations are advised to take steps now to ensure they comply with the new regulations.

For our part Opus Telecoms has begun work towards attaining ISO 27001 certification, by gaining certification for the Government-backed and industry supported Cyber Essentials scheme. Cyber Essentials aims to help organisations implement basic levels of protection against cyber attack, demonstrating to their customers that they take cyber security seriously. It is an independently verified self-assessment scheme, in which we have had to assess ourselves against five basic security controls and have a qualified assessor verify the information provided.