8 things you can do to prevent data breaches
46% of all UK businesses have identified at least one cyber security breach or attack, according to a 2017 UK Government survey, and it’s not just large businesses being targeted. In 2016, a nursing home in Northern Ireland was fined £15,000 after an unencrypted laptop containing patients’ details was taken home by an employee and stolen in a burglary.
A data breach is a security incident in which sensitive, confidential or otherwise protected data is lost, destroyed, corrupted or disclosed by an individual who is not authorised to do so. Although criminals cause the majority of data breaches, it is important to understand that breaches are also caused by ordinary staff in everyday work through lack of training, inadequate processes and carelessness.
Top tips to protect your business against data breaches:
1. Make everyone accountable
It’s essential for everyone to understand that data security is a shared responsibility across every function and level of an organisation, not just the duty of the IT department. From day one, ensure that you establish clear lines of responsibility with your employees.
Ensure that teams understand how data can be breached and how to avoid it, and that they are attentive when carrying out daily tasks: not rushing emails, and not misusing the “bcc” function. Gloucestershire Police were recently fined £80,000 for accidentally revealing the identity of child abuse victims in a bulk email.
Organisations that collect large volumes of data over time are at greater risk of a major breach. Last year, 57 million Uber customers and drivers had their personal data stolen, illustrating the immense volume of information stored by global companies. Evaluate and reduce the amount of sensitive information held, encrypt inactive data and make sure your retention policies are adhered to.
4. Refresh and update
Keeping your technology up to date and ensuring that all the necessary antivirus and anti-malware software is installed will maximise the security of sensitive information. The British and Foreign Bible Society was recently fined £100,000 for having an insufficiently secured network that enabled the personal data of 400,000 supporters to be stolen.
Have you checked that old or unused laptops and mobile devices do not hold personal or sensitive data? In 2006, 25% of data breaches were due to stolen mobile phones, well above breaches caused by hacking and unintended disclosure. Dispose of old devices properly and ask third-party suppliers if they have a procedure in place for erasing personal data.
Where possible, encrypt sensitive information. If encrypted data is breached, it is unreadable to whoever obtains it and therefore useless to them. 465,000 customers had their personal information exposed by a cyberattack on JPMorgan Chase because of unencrypted temporary files.
Ensuring passwords are complex and frequently changed will significantly reduce the chances of credentials being compromised. According to Verizon, 81% of hacking-related breaches used stolen or weak passwords to take data.
8. Change behaviour
Encourage employees to be extra vigilant when using data storage devices, ensuring that they are protected and not left lying around. Heathrow Airport was recently fined £120,000 after a USB stick belonging to a Heathrow employee, which was neither encrypted nor password protected, was found.
Reporting data breaches
GDPR has made reporting compulsory where a breach is likely to pose a risk to people’s rights that cannot be mitigated. Such a breach has to be reported to the ICO within 72 hours. As well as reporting the breach, you must make efforts to contain it and minimise its effects. It’s important to have a good procedure in place so that a potential breach can be dealt with quickly and efficiently.
How can we help?
iCaaS – Our bespoke compliance tool will provide you with all the policies, procedures and tools you need to tackle these 8 points and many more.
Support – Our team of certified GDPR practitioners will guide you through a data breach and assist you with reporting to the ICO or your customers.
Virtual Data Protection Officer – Your vDPO will guide you through the GDPR, including preparing for and dealing with a data breach, with a programme bespoke to you.
Training – To get all your staff ready for a breach or other personal data incident, we offer training solutions, either classroom-based or online.