Since GDPR came into place last May, data breaches have been at the forefront of many companies’ focus. Breaching GDPR could cost a company vast sums if the appropriate actions are not taken following a breach. The fine for breaking these rules currently stands at €20 million or 4% of the company’s revenue, whichever is higher.
Whether it is carried out by a cyber-criminal distributing malware or by an employee mistakenly sending out email addresses, data breaches are becoming increasingly common. What many companies are unaware of are the steps that they need to take once they have fallen victim to a data breach.
The financial world is no stranger to data breaches. According to the Financial Conduct Authority, the UK saw a fivefold increase in data breaches in 2018 compared to the year before. In April 2018, seven retail UK banks, including Royal Bank of Scotland, Santander, Barclays and Tesco Bank, had to shut down or limit their systems after hacks that cost them hundreds of thousands of pounds to fix.
In October, Tesco Bank was fined £16.4 million by the FCA as a result of its 2016 cyber-attack, in which £2.26 million was stolen from 34 current accounts.
What is paramount for corporations and consumers, when it comes to avoiding a data breach, is education for all employees. If a single email account is compromised by a hacker, the whole company is at risk. Once an employee’s email is breached, the perpetrator can impersonate that employee in an attempt to phish for as much information as possible from any contacts the employee may have.
In the wrong hands, this information can obviously have monumental monetary repercussions when it originates from banks and financial institutions. For example, if someone has the details of a regular payment that an individual makes, they can send a legitimate-looking letter or email that falsely claims that this regular payment needs to go to a new account.
In the case of a high net-worth individual, the attacker will know what that person’s investment portfolio looks like and can present them with a scam hiding behind the façade of a promising new investment that fits their investment patterns. Not only is a high net-worth individual a more attractive victim for a scam, but they are also less likely to be stopped by a bank when large amounts of money are moved. Whereas the average bank customer will get a phone call when they move a substantial sum, it is unlikely that a bank will find it out of the ordinary when a multi-millionaire moves large sums of money to a different account.
The following are the steps TransWorldCom recommends that all businesses should take after they have found themselves the victim of a data breach:
Education is imperative both for preventing a data breach and for dealing with one. There are five important tasks that need to be completed following a data breach in order to remain compliant with GDPR legislation.
Firstly, the breach needs to be located and stopped. Just as you would find the leak that leads to a flood, when it comes to a data breach you need to find the source. This could be the fault of an employee, or a peripheral device that has been compromised by hackers.
Secondly, the business needs to understand how the breach occurred and the scale of the breach. Because cyber-attack methods are increasingly creative, a data breach can happen in a variety of ways. Whether it is via a phishing email that has been mistakenly opened, malware that has been downloaded or a simple GDPR breach where a client’s details are mistakenly sent out, it is important to identify where and how the breach took place.
Thirdly, the business needs to notify all those who may have been affected by the breach, take advice from compliance and, where necessary, the ICO. As a company, you have a duty of care to any and all clients or employees who have been affected by a data breach. For example, if sensitive information has been sent out, whether it is something relatively innocent like a list of email addresses or something more serious like banking details, the company has a duty to notify every affected individual of what information has potentially been leaked.
Following this, internal security procedures need to be reviewed and the current estate needs to be audited for existing and further vulnerabilities. Without going through your data systems meticulously after a data breach, you could leave yourself open as a target for further attacks from cyber-criminals, especially if the initial data breach attracts any publicity. Going through your network’s defences should be a routine activity for any company’s IT department; however, it becomes even more pertinent after a breach has taken place.
Finally, the company needs to change and update the processes for the preparation, control and recovery from future attacks. As with every aspect of business, it is vital that mistakes are learnt from. This could take the form of installing new anti-virus software and firewall security or it could be a case of educating all employees on how to ensure that they keep their data safe and avoid potential data breaches.
In the era of frequent hacks, you can now hire professional penetration testers (ethical hackers) to test your cyber-security by attempting to penetrate your systems. This may sound extreme, but it could be the difference between a safe data system and a breach resulting in a €20 million fine.