Prevention is better than cure for cyber security

Paul Holland, CEO of Beyond Encryption, discusses how to protect your company from cyber attacks

In recent months, there has been an unprecedented focus on digital security and cyber-crime that’s largely been fuelled by regular reports of high profile incidents.

Household names such as TalkTalk, Tesco and Yahoo! have been hit in very public incidents and suffered reputational and financial damage. In each of these cases, customer information was accessed by an unwanted third party.

No organisation, regardless of market cap, is immune from hacks.

The business world continues to see ever-spiralling costs associated with cyber crime: the best estimates put the cost of cyber-attacks to UK businesses at £30 billion a year, and a single recent US incident reportedly amounted to $100 million in losses.

With over 220 billion emails sent worldwide every day, the risk that sensitive data is intercepted by an unwanted third party is extraordinarily high. Significant financial penalties can be imposed, but the reputational damage is likely to have the greater impact on a business.

 



Legal Responsibilities

Companies, business directors and individuals can be held financially responsible for failing to take adequate measures to prevent data loss.

The Information Commissioner's Office (ICO) is empowered to impose fines of up to £500,000 per incident for contravention of the Data Protection Act (DPA), which would have a notable impact on any organisation.

However, that penalty may fade into insignificance when the General Data Protection Regulation (GDPR) takes effect in May 2018. The British government has already confirmed that Brexit will not affect the introduction of this 'far reaching' legislation.

The new law will allow regulators such as the ICO to impose fines of up to 4% of an organisation's worldwide annual turnover, or €20 million, whichever is higher, if it is deemed to be in breach of its data security obligations. Should another household name find itself in the line of fire, the fine could be astronomical.

Sensitive Information

The ICO has provided some clarity over the information firms should protect so that consumers are not exposed to fraud or identity theft. However, the line between information that is deemed 'sensitive' and information considered to be in the public domain is not always well understood.

For accountants, the information that must be treated as sensitive includes bank details and any identifiable financial data. In dealing with an individual's or company's financial affairs, great care must also be taken not to indirectly expose the DPA's statutory 'sensitive personal data' categories, such as physical or mental health, medical details, political opinions, religious beliefs, trade union membership, and racial or ethnic origin: a medical expense, a union subscription or a donation on a bank statement can reveal each of these. Such information is transferred and stored daily across the professional services sector.

Other personal data, such as name, address, date of birth and phone number, does not necessarily need to be treated in the same way, but a client still expects it to be managed responsibly.

In a world of online transactions and tax return submissions, breaches of the Data Protection Act happen far more often than might be expected, because individuals and businesses continue to send emails containing 'sensitive' consumer information without adequately protecting them.

HMRC is among the organisations most frequently impersonated by fraudsters trying to lure people into sharing information, and it has consequently published the following warning on the subject:

“HMRC will never send notifications of a tax rebate/refund by email, or ask you to disclose personal or payment information by email. Do not visit the website contained within the email or disclose any personal or payment information.”
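To make that warning concrete, here is an added example (not code from the original article or from Beyond Encryption) that turns HMRC's rules into checks over a raw e-mail: the sender claims to be HMRC but does not send from under gov.uk, the mail announces a rebate or refund, it asks for payment or personal details, and its links point at hosts that do not belong to the sender's domain. The two messages, the keyword lists and the `hostUnder` and `HMRCPhishingIndicators` names are constructed for this example; a real mail filter would also consult authentication results such as SPF and DKIM headers, which this does not.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"net/url"
	"regexp"
	"strings"
)

// Patterns for the things HMRC says it never does by e-mail, plus a URL
// matcher. The keyword lists are illustrative, not exhaustive (assumption).
var (
	urlRe     = regexp.MustCompile(`https?://[^\s<>"']+`)
	rebateRe  = regexp.MustCompile(`(?i)\btax\s+(rebate|refund)\b`)
	requestRe = regexp.MustCompile(`(?i)\b(card\s+number|sort\s+code|account\s+number|national\s+insurance|password|date\s+of\s+birth)\b`)
)

// Constructed sample messages (not real mail). The phishing one uses the
// classic trick of a look-alike domain at the start of the link host.
const PhishSample = `From: "HMRC Refunds" <noreply@hmrc-refunds-secure.com>
To: client@example.com
Subject: HMRC tax rebate notification

You are eligible for a tax refund of GBP 342.10.
Confirm your card number and sort code at http://hmrc-refunds-secure.com.verify-now.net/claim
`

const BenignSample = `From: "Jane Smith" <jane@example-accountants.co.uk>
To: client@example.com
Subject: Your tax return

Hi, your return is ready to review in the portal: https://portal.example-accountants.co.uk/returns/2017
`

// hostUnder reports whether host is domain itself or a subdomain of it,
// so "hmrc.gov.uk" is under "gov.uk" but "gov.uk.evil.com" is not.
func hostUnder(host, domain string) bool {
	host, domain = strings.ToLower(host), strings.ToLower(domain)
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// HMRCPhishingIndicators parses a raw RFC 5322 message and returns the
// tell-tale signs it finds. No hits means none of these checks fired,
// not that the mail is safe.
func HMRCPhishingIndicators(raw string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, err
	}
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return nil, err
	}
	text := string(body)
	senderDomain := from.Address[strings.LastIndex(from.Address, "@")+1:]

	var hits []string
	claimsHMRC := strings.Contains(strings.ToUpper(from.Name+" "+msg.Header.Get("Subject")), "HMRC")
	if claimsHMRC && !hostUnder(senderDomain, "gov.uk") {
		hits = append(hits, "claims to be HMRC but was sent from "+senderDomain)
	}
	if rebateRe.MatchString(text) {
		hits = append(hits, "announces a tax rebate/refund by e-mail")
	}
	if requestRe.MatchString(text) {
		hits = append(hits, "asks for personal or payment information by e-mail")
	}
	for _, link := range urlRe.FindAllString(text, -1) {
		u, err := url.Parse(link)
		if err != nil {
			continue
		}
		if !hostUnder(u.Hostname(), senderDomain) {
			hits = append(hits, "link host "+u.Hostname()+" is not under sender domain "+senderDomain)
		}
	}
	return hits, nil
}

func main() {
	for _, sample := range []string{PhishSample, BenignSample} {
		hits, err := HMRCPhishingIndicators(sample)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("%d indicator(s): %v\n", len(hits), hits)
	}
}
```

The link check is deliberately tied to the sender's own domain rather than to a fixed allow-list, so it also catches the everyday case of a genuine-looking sender whose call-to-action leads somewhere else; the cost is that legitimate mail linking to a third-party portal will fire too, which is acceptable for an awareness tool and should be tuned for an automated one.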

Taking action

The UK seems determined to continue its Bletchley Park code-breaking heritage as a leader in cyber security, as evidenced by Chancellor Hammond's recent announcement that £1.9 billion will be spent on the National Cyber Security Strategy, including the new National Cyber Security Centre, which will be opened by the Queen.

Despite this large scale national investment, much of the burden remains with companies and individuals to organise their own security and processes.

Because of this, it is important that the whole company understands the risks and the policies that must be adhered to. Every individual who uses email, whether personally or at work, faces the same security risks.

Senior leadership teams must understand that in acting to protect the business they are also protecting themselves: the recent Yahoo! breaches saw CEO Marissa Mayer's bonus docked and general counsel Ron Bell depart.

Securing email communication is a good place to start. Applications exist that integrate seamlessly with the most popular email clients and devices and encrypt messages so that, even if they are intercepted in transit or on a mail server, a fraudster cannot read them.

Encryption uses mathematics and keys to render information unreadable to anyone who does not hold the correct key or keys. The strength usually quoted for 'military grade' products is that of a 256-bit key (AES-256): if every atom on Earth were a computer, each trying ten billion keys a second, exhausting the key space would take about 2.84 billion years. In practice attackers do not try keys at all; they steal them from a compromised device, phish the password that protects them, or wait for the recipient to forward the decrypted message in the clear, so key length is the easiest box to tick and the least of the questions to ask of a product.
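As an added example (not the article's or Beyond Encryption's code), the following Go program shows what holding the correct key buys you with AES-256-GCM, the authenticated mode a modern product would use: a message is sealed under a random 256-bit key, and decryption with the wrong key, a flipped ciphertext byte or a swapped header fails closed instead of returning garbage. The random key, the sample message and the figure of 1.33e50 atoms used to reproduce the brute-force estimate are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"math"
)

// NewKey returns a random 256-bit AES key. In a real mail product the key
// would come from a key exchange or a KDF over a passphrase; a random key
// stands in for that here (assumption for the example).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. The 12-byte nonce is prepended to
// the output so the recipient can recover it; Seal appends the 16-byte
// authentication tag. header is authenticated but not encrypted, which is
// how you bind e.g. the recipient address to the message.
func Encrypt(key, plaintext, header []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, header), nil
}

// Decrypt reverses Encrypt. GCM verifies the tag before releasing any
// plaintext, so a wrong key, a flipped ciphertext byte or a changed header
// all produce an error rather than a corrupted message.
func Decrypt(key, sealed, header []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, body := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, header)
}

// BruteForceYears makes the figure in the text explicit: the time to try
// every key of the given size with machines computers each testing rate keys/s.
func BruteForceYears(keyBits int, machines, rate float64) float64 {
	keys := math.Pow(2, float64(keyBits))
	seconds := keys / (machines * rate)
	return seconds / (365.25 * 24 * 3600)
}

func main() {
	key, _ := NewKey()
	header := []byte("to: client@example.com")                                  // constructed sample
	msg := []byte("Your 2016/17 tax computation is attached. Sort code 12-34-56.") // constructed sample

	sealed, _ := Encrypt(key, msg, header)
	plain, err := Decrypt(key, sealed, header)
	fmt.Printf("round trip ok: %v, err=%v\n", bytes.Equal(plain, msg), err)

	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Decrypt(key, sealed, header)
	fmt.Printf("tampered ciphertext rejected: %v\n", err != nil)

	// 1.33e50 atoms on Earth is an assumed figure; 1e10 keys/s each as in the text.
	fmt.Printf("exhaust AES-256 key space: %.2e years\n", BruteForceYears(256, 1.33e50, 1e10))
}
```

The one rule the code cannot enforce for you is that a nonce must never be reused under the same key; random 96-bit nonces are fine for the message volumes of a mail product, but a counter-based scheme needs persistent state per key. Note also that the output is only as secret as the key: anyone who can read the key from the sender's or recipient's device reads the mail, regardless of the key length.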

As well as investing in suitable technology, security awareness programmes will continue to play an important part in helping individuals understand the challenges of an increasingly online world.

These programmes must ensure that individuals are confident that they are transacting and sharing information securely, and that they recognise the tell-tale signs that a communication is not from the party it claims to be from.

Protecting our cyber health requires the same attention as that associated with our physical health – prevention remains better than cure.

Paul Holland is the CEO of Beyond Encryption, a secure email messaging platform.
