With the growth in new technologies and data availability has come the growth in new opportunities and ways of working. New risks, however, have also grown in parallel and made themselves known in 2016. Data breaches, political uncertainty, recession, rising cyber-crime – it would be easy to think that 2016 has been far too turbulent for most organisational leaders.
Risk One: The data breach
Experian’s research, SMEs Under Threat, found that three in four businesses suffered a data breach in 2015, but a third did not have a data breach response plan. There are many effects of a breach, with the most immediately obvious being risk from fraud and attack, potential regulatory fines, and the negative attention of the press. Many well-known banks, businesses, service providers and public sector institutions have felt the pain of data crises.
Data breaches result from several sources. The most readily associated cause is deliberate theft, perhaps perpetrated by malicious computer users (present or former employees) or by external hackers who use phishing to gain access to company systems. Phishing is where very targeted electronic communications are sent to a particular person with a view to tricking them into revealing sensitive data or into assisting the criminal in some way, such as by inadvertently installing malware.
The hackers that employ these tactics are often skilled criminal gangs that have moved into the lucrative world of cybercrime as a less risky venture than other, more dangerous ways of making money illegally. This means that some phishing attacks are very sophisticated and hard to spot, so it’s vital that organisations ensure their staff are educated and have the right skills and expertise to recognise them.
Simple loss is also a very regular occurrence. Memory sticks dropped, devices left in cabs, even paper files left on trains – all are very easy to do. Sometimes loss results from overlooked causes, such as storage media not being erased before devices are sold or scrapped.
- All of the above can be mitigated with a focus on better organisation and information technology practices
- With the right policies and tools in place organisations can embed best practice into the fabric of the organisation
- New data protection regulations will mean organisations need to notify their regulatory body (in the UK, the ICO) and affected individuals within 72 hours if the breach is deemed to pose a risk to the rights and freedoms of individuals
- The ICO (and other data services companies) provide assistance to organisations to better manage their data requirements
After breaches come frauds: when personal or business data is accessible to criminals, fraud is often the result.
Experian’s research discovered that, of those SMEs that do have data breach plans in place:
- 60% of plans contained no provisions for customer remediation
- 48% of plans contained no insurance measures
- Any organisation should have strong governance structures in place including fraud management plans
- Such plans and the risks they manage should be regularly assessed
- Tools, services and processes for the avoidance of fraud and its mitigation should be implemented and assessed for effectiveness
- A second line of defence through detection tools is needed to uncover sophisticated or novel techniques that get through the first line of fraud avoidance
- Programme evaluation and reporting is the final element in the defence mix, serving to ensure that lessons are learnt and that the organisation changes in response to them
It’s important to crack down on fraud as an unacceptable business risk, but it’s easy to over-secure and then frustrate and delay customers and employees alike. If, due to overzealous fraud controls and security procedures, customers or staff find their experience degrades then they will switch off.
When the identity checks deployed take too long or too much effort to navigate, they add friction to the journey and can lead to abandonment of the interaction. And when advanced procedures are deployed there is a risk of false positives, which can cause havoc: no organisation wants to spend time and money investigating when it’s not needed, and those users flagged incorrectly will feel aggrieved.
- Make password policies clear: don’t make users guess that they need an uppercase letter and then punish them for not choosing one
- Give ways to get in touch with an expert – or at least an FAQ – at any time
- Make the length and involvement of the process clear from the start
- Apply right-sized policies to the risk: Not everyone needs the greatest level of scrutiny
From Experian’s research it’s evident that SMEs believe they are better prepared for a data breach than they really are. It is important that companies of all sizes prepare to expect the unexpected. Taking the time to understand what a robust data breach response plan looks like, who should sit on the data breach response team and what external resources might need to be called on will help SMEs mitigate damage to their customers and their reputation.
By Jim Steven, head of data breach services, Experian