Think your organisation is unlikely to be affected by a data breach? Think again.
A Hiscox study has found that 61% of UK businesses were breached last year, demonstrating just how widespread the threat is.
If your organisation hasn’t yet suffered a data breach, it’s probably only a matter of time.
In fact, you may already have fallen victim and simply not know it yet. The average time to detect a security incident is 197 days.
That’s almost seven months. Consider how much damage can be done in that time: thousands, if not millions, of records could be compromised before anyone notices.
How are breached businesses affected?
Organisations suffer in many ways when they fall victim to a data breach, but the most immediately worrying are the financial repercussions.
There are several costs associated with a data breach, such as:
- Compensating affected customers;
- Setting up breach response efforts, like helpdesks for affected customers and complimentary credit monitoring;
- Investigating the incident, which might include hiring a third-party forensics firm or paying your own security staff overtime; and
- Falling share prices.
There’s also the threat of regulatory penalties following a data breach. The disciplinary powers introduced in the GDPR (General Data Protection Regulation) have made this potentially the single biggest financial cost of a data breach.
The GDPR gives supervisory authorities – which in the UK is the ICO (Information Commissioner’s Office) – the power to fine non-compliant organisations €20 million (about £17.5 million) or 4% of global annual turnover, whichever is greater.
Don’t overlook the reputational damage of a data breach
On top of any fines, the breached organisation must also deal with the damage to its reputation.
It can be hard for the organisation to retain customers’ trust, particularly if the breach was widespread or caused by basic security errors.
Either way, you are likely to see people take their business elsewhere after a breach, and you’ll find it harder to bring in new customers.
According to Cisco’s CISO Benchmark Report 2020, the proportion of organisations that reported reputational damage from data breaches has risen from 26% to 33% in the past three years.
The dangers of collecting sensitive information
Data breaches are likely to have bigger financial and reputational effects if sensitive personal data (what the GDPR calls ‘special category’ data) is involved.
This includes information relating to an individual’s:
- Political opinions;
- Racial or ethnic origin;
- Religious or philosophical beliefs;
- Trade union membership;
- Health;
- Sex life or sexual orientation;
- Genetic data; and
- Biometric data (where processed to uniquely identify someone).
The misuse of sensitive data can cause far more damage than the information typically involved in breaches, such as names, addresses and financial details.
Whereas ‘normal’ personal data is generally used to commit fraud or launch targeted cyber attacks (which, although bad, are usually a one-off event), a breach of sensitive personal data can permanently disrupt the victim’s life.
For example, it can expose information that the individual wanted to keep private for fear that it would lead to prejudice.
Think of the emotional damage that might occur if it became publicly known that a data subject had a health condition or was a member of a controversial political party.
Similarly, consider the effects if biometric data was breached. This isn’t just a privacy violation; it can also have an irrevocable impact on the victim’s security.
If the individual was using that information as an authentication mechanism (the most likely reason to have shared it), they can’t reset their fingerprint the way you reset a password after it is breached.
The victim will forever know that their biometric data is out there and could potentially be used to access their accounts.
Organisations are therefore expected to take extra care when handling sensitive information. If it’s breached, the victims will be much less likely to forgive you, and the ICO will take the nature of the data into account when deciding whether to fine you and how much.
Cyber incident response
No one thinks their organisation will fall victim to a security incident until it happens to them – but as the figures above show, data breaches are so prevalent that every organisation needs a plan.
If you find yourself staring down disaster, IT Governance is here to help. Our Cyber Incident Response service provides the help you need to deal with the threat, as our experts guide you through the recovery process.
They’ll review the breach, mitigate the damage and ensure that you are up and running again as soon as possible.
A version of this blog was originally published on 9 April 2019.