Data Breaches: The Good, The Bad and The Solution

We all know that data breaches have smothered the press over the last couple of years, and for good reason too. Cyber attacks such as hacking, viruses, malware and fraud are real threats that face millions of businesses throughout the world every single day. So how do we minimise these threats and reduce the damage a data breach can incur? And most of all, how do we combat cybercrime altogether?

The Good

Now, you may be thinking there isn’t any good to come out of suffering a data breach, but RSA disagree. Tom Heiser, president of RSA (the security division of EMC), claims that suffering a data breach made their company stronger. Since an attack on their IT systems occurred last year, RSA have become more focused and experienced when dealing with data protection and information security. As a result, they claim that their company is now a lot stronger.

But is suffering a data breach the only way to recognise cyber threats and act against them? Surely it would be better to take action before the data breach occurs and reap the rewards of a secure IT business?

The Bad

Following a data breach, your business is likely to suffer severe damages. Breaching the Data Protection Act will have 3 main side effects which could mean the end of your company as you know it:

  • Brand damage: More and more data breaches are now being reported to the police and Information Commissioner’s Office (ICO). These reports are made public, meaning that your customers and clients will hear of the data breach. No matter how much work you do to try and cover up the breach, your reputation will be damaged and, depending on the extent of the breach, it could take years to recover (and even that is unlikely). Customer loyalty will diminish and you will struggle to get your feet back on the ground.
  • Forceful fines: Suffering a data breach will mean that you are likely to be penalised by regulatory bodies, such as the ICO. These fines can run up to £500,000. And if you are found to be in breach of the Payment Card Industry Data Security Standard (PCI DSS), you may find that your merchant facilities will be taken away, rendering your business incapable of accepting payment from the customers that have stayed with you.
  • Relationships ruined…with customers, clients, distributors, investors and the press. Do you really think any of your stakeholders will fully trust you 100% again? Sony is still suffering a backlash from the media and its customers following its breach back in April 2011.

The Solution

In order to protect yourself against data breaches, you should follow these steps:

  1. Comply with your country’s Data Protection policies. For example, in the UK, all organisations are required to comply with the Data Protection Act (DPA). This Act is comprised of 8 principles to guide you throughout securing your data. Simple in principle, the DPA can in practice mean a great many policies and procedures. Use a toolkit, such as the Complete Data Protection Toolkit, to simplify your DPA journey.
  2. Implement an Information Security Management System (ISMS). This is a systematic approach to managing confidential or sensitive corporate information so that it remains secure (which means available, confidential and with its integrity intact), encompassing people, processes and IT systems. An ISMS can be (and is advised to be) drawn up in line with ISO 27001 – the best-practice specification for developing an ISMS. Again, there are toolkits available to simplify this process, such as the Standalone ISO27001 ISMS Documentation Toolkit, available from IT Governance.