What do these companies have in common: TalkTalk, Carphone Warehouse, Vodafone, Ashley Madison, and Touchnote?
The answer is they have all been the subject of relatively high profile data breaches in the last few months. In some way or another their security has failed, and the personal information of their customers has been leaked, broadcast, and exploited – in some cases with life changing (even life ending) consequences.
The Sony, Adobe, Target and Home Depot breaches are other well-known events of the last few years, many of which involved the records of tens of millions of ordinary people. Yet this is just the tip of the iceberg. The big ones like these are backed up by minor events in hundreds, if not thousands, of businesses worldwide.
How can companies protect themselves against data breaches?
The big ones, which are the ones that make the headlines, tend to be the actions of cyber criminals hacking into systems with the intent to steal or expose. However, lots of little ones happen every day, often through ignorance or just plain sloppy behaviour.
If your business is collecting and storing personal data, most experts agree that a breach is a matter of when, not if, and it will almost certainly be the case that it has already happened to many organisations that don’t even know about it.
What Can You Do?
The most important thing is to realise that there are no silver bullets, no single solution that will protect you from every possible breach. But there are a number of key actions you can take:
- Raise awareness. If you make sure everyone knows about the risks, they can look out for them. Ultimately, data protection has to be everyone’s responsibility.
- Know your data. Make sure you know what personal data you are collecting or using, where and how it is stored, what it is used for, and who has access to it. Only then can you really understand the risks.
- Minimise data usage. It is a core principle of privacy and data protection that you should not collect personal information unless you have a valid use for it, but it is very easy to fall into the ‘just in case’ trap. More data is more risk, and if that data has no use to you, it is an unnecessary risk.
- Encrypt. This is not always easy, but the more of your data you encrypt in your database, the less useful it will be to hackers who get hold of it, provided the encryption keys are held somewhere other than the database they protect. In many high profile breaches where the stolen data has been leaked to the public domain, it is frequently reported how a lack of encryption exacerbated the potential harm.
- Plan your breach response. Once you accept that a breach is going to happen, you can minimise the damage it causes, by having a plan you can put into action immediately. A good plan will include technical, legal and communications expertise and actions that are well timed and co-ordinated. You don’t want to be making this up in the middle of a crisis.
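To make the "Encrypt" point concrete, here is an added example (not code from the original article or from Governor Technology) of field-level encryption for personal data in a customer record. It assumes a hypothetical table with `id`, `email` and `phone` columns, uses AES-256-GCM from the Go standard library, and binds each ciphertext to its row and column name so that a value copied into another row fails to decrypt. The key is assumed to come from a key-management service or secrets store that is separate from the database; the sample record is constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// StoredCustomer is a hypothetical database row. Only the id is kept in the
// clear; the personal data columns hold nonce || ciphertext || GCM tag.
type StoredCustomer struct {
	ID       int
	EmailEnc []byte
	PhoneEnc []byte
}

// NewDataKey generates a 256-bit AES key. In a real deployment this key is
// held in a KMS/HSM or secrets store, never alongside the records.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// aad binds a ciphertext to one row and one column (assumed naming scheme).
func aad(recordID int, field string) []byte {
	return []byte(fmt.Sprintf("%d:%s", recordID, field))
}

// encryptField seals one column value under the data key with a fresh random
// nonce. The row id and column name are authenticated as associated data.
func encryptField(key []byte, recordID int, field, plaintext string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce, giving nonce || ct || tag.
	return aead.Seal(nonce, nonce, []byte(plaintext), aad(recordID, field)), nil
}

// decryptField reverses encryptField. It fails on a wrong key, a tampered
// ciphertext, or a ciphertext moved to a different row or column.
func decryptField(key []byte, recordID int, field string, data []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(data) < aead.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := data[:aead.NonceSize()], data[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, aad(recordID, field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real customer data.
	row := StoredCustomer{ID: 42}
	row.EmailEnc, _ = encryptField(key, row.ID, "email", "alice@example.com")
	row.PhoneEnc, _ = encryptField(key, row.ID, "phone", "+44 20 7946 0000")
	fmt.Printf("stored row %d: email=%s phone=%s\n",
		row.ID, hex.EncodeToString(row.EmailEnc), hex.EncodeToString(row.PhoneEnc))
	email, _ := decryptField(key, row.ID, "email", row.EmailEnc)
	fmt.Println("decrypted with the right key and row:", email)
	if _, err := decryptField(key, 43, "email", row.EmailEnc); err != nil {
		fmt.Println("same ciphertext copied to row 43:", err)
	}
}
```

A dump of this table without the key yields only random-looking bytes, which is the property the article is after. Two caveats a practitioner would add: if the key is stored in the same database or on the same server as the data, the attacker who took the dump usually has the key too; and passwords are the one field that should not be encrypted at all but hashed with a slow, salted password hash, because nothing ever needs to read them back.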
Of course every organisation is different, both in terms of the mix of priorities and the available budget and resources. One way to help you figure out what is going to work for you is to use Privacy Impact Assessments; a very useful tool in figuring out what your risks are and how you can best minimise them. They are also likely to become mandatory in many cases under the new EU General Data Protection Regulation (where they are called Data Protection Impact Assessments), so now would be a good time to start using them.
By Richard Beaumont, Privacy Services Manager at Governor Technology