The amount of data stored by companies is growing exponentially day by day. But what is not always understood is that the value of this data, and especially the cost of losing it, is at an all-time high.
In recent months, millions of credit card details, private personal records and confidential corporate documents have been lost, stolen, sold or used for extortion. This is costing the economy billions. Although cyber security is slowly rising up the corporate agenda, many misconceptions still exist. Notable among them is the one about hackers being mostly 17-year-old students messing around. Hacking is big business now. It has moved mainstream to the point that it has become a “modern mafia”, with government-funded hacking units and corporate cyber espionage.
Data is not only vulnerable to malicious hackers; we are now also seeing the emergence of intrinsic coding flaws. We saw this last year with the “Heartbleed” bug, a flaw in a piece of open source software that is over a decade old. A good proportion of websites rely upon this software and the flaw, which had been present since its creation, was only discovered when the attack happened.
Furthermore, 32 per cent of all data breaches were attributable to an insider, according to the NetDiligence Cyber Claims Study 2014. Granted, this can be malicious, where an employee is unhappy with their employer and decides to steal information for personal gain. Most of these employee-caused breaches (58 per cent) were, however, caused by honest mistakes. Who hasn’t sent an email to the wrong person? Or lost a mobile phone? Or clicked a link in the wrong email that infects their computer?
Employees are often targeted as the weak link: hackers target them with phishing or social engineering attacks to trick the employee into handing over information, such as their log-in credentials, thereby giving the hackers full access to the data in a manner which does not alert their IT security. Even if a company does get its IT security perfect, it may all be made irrelevant by one simple mistake and, with the new EU Data Protection Regulation set to come into force, the costs could be difficult to swallow. These can include:
So how can you take control of your risk? First, understand your exposure. Utilising something like the Data IQ RADAR™ programme can identify weaknesses in all aspects of data security and recommend improvements. Then, ensure your cyber risk management trifecta of the CEO, the head of risk management and the head of IT have regular dialogue on this issue. Data risk is not just an IT issue and this must be understood by all levels within the company.
Make sure all staff, from top to bottom, go through annual cyber risk management training to ensure they know the warning signs and basic preventative measures. Lastly, to make sure you are covered even if all the above fails and that silly mistake you couldn’t prevent happens, purchase cyber insurance. This is readily available and it will pay potentially all of the costs noted above. More than this, it can provide specialists to help you through every step.