With penalties for breaching data protection laws now stricter than ever before, Bureau Veritas says the recent string of high profile cyber-attacks should serve as a ‘wake-up call’ for businesses to prioritise information security.
Since the introduction of GDPR in 2018, information security has been brought to the forefront for many duty holders, outlining what is acceptable and the responsibilities the business has when it comes to protecting data. This comes as a number of recent high profile businesses in the leisure sector have received fines in excess of £1million for failing to keep its customer’s data secure.
In addition, the Ministry of Defence also recently came under fire, as its annual report noted an 18% rise in data breaches last year, with 546 reported incidents. Seven incidents were so serious that they were reported to the Information Commissioner’s Office (ICO) for further investigation.
Bureau Veritas highlights these recent examples as a ‘wake-up call’ and that it is no longer acceptable to simply pay the fine and move on, but rather prove that the business has assessed its systematic vulnerabilities and taken steps to address them.
Basilio Vieira, Lead Auditor at Bureau Veritas, said: “GDPR was the enforcement stick which brought data protection into focus and after its inception the number of cyber-attacks reported grew exponentially, as voluntary reporting of data breaches was introduced. With this came stricter penalties for businesses which failed to protect data. The fines imposed upon firms are now so significantly higher, businesses can nil-afford to simply pay the fine and ignore the problem. Proactive steps must be taken to firstly, mitigate the risk of a data breach, and secondly if an information leak does occur, assess how it was attacked and work to resolve the problem quickly.”
Another risk to data protection is the swift move to working from home as a result of the coronavirus pandemic. The majority of offices or work buildings will function off a central, protected network, whereby there are systems in place to detect viruses and possible cyber-attacks. However, with many now working from private home networks, this adds an increased risk of attack.
Basilio continues: “When the coronavirus pandemic struck, we were forced overnight to switch to a routine of home working – with many businesses simply sending employees home with a laptop and told to continue working. However, this attitude of wishful thinking is risky, with statistics showing a rise in the reporting of cyber-attacks since March, as personal networks are much easier to hack than protected business systems.
“What’s more, while many may think cyber-attackers are getting smarter in their techniques, this is simply not the case. The tactics they use are age-old – such as spam emails, computer viruses and chat bot hacking, but they have certainly become more efficient and are making the most of the working from home scenario. Thus, it is the responsibility of a business to ensure employees working remotely are well-equipped with the knowledge and infrastructure to mitigate potential attacks.
With regards to the Ministry of Defence breaches, there were 49 reports classified under ‘loss of inadequately protected electronic equipment, devices or paper documents from secured Government premises’, in the most recent financial year, with an additional 19 incidents reported from outside of government premises. There were also 454 incidents logged under the general category of ‘unauthorised disclosure’.
Cyber security expert Tim Sadler, CEO, Tessian, notes: “Time and time again we see how simple incidents of human error can compromise data security and damage reputation. The thing is that mistakes are always going to happen. So, as organisations give their staff more data to handle and make employees responsible for the safety of more sensitive information, they must find ways to better secure their people.
“Education on safe data practices is a good first step, but business leaders should consider how technology can provide another layer of protection and help people to make smarter security decisions, in order to stop mistakes turning into breaches.”
Basilio adds: “The good news for businesses is Bureau Veritas can help to assess your systems for vulnerabilities and recommend steps to make your information security systems tighter. While compliance to ISO 27001 is a voluntary certification, it can no longer just be seen as a ‘nice to have’ but rather central to demonstrating best practice and could be looked upon favourably were an attack to occur.”
