Why would someone steal my data?
Data breaches. The very thought of them strikes fear into the hearts of business leaders and IT professionals alike.
Beaming research shows that bosses rank data theft as one of the biggest security threats their businesses face and that cyber security breaches cost UK organisations £34.1 billion last year.
The list of infamous incidents of this kind grows longer each year. We won’t detail them here (Techworld already has); suffice it to say that malware, hacks and the actions (or inaction) of rogue employees have resulted in huge fines and reputational damage for those affected.
Almost a quarter (22%) of UK businesses table cyber security matters at board level now and it is a subject we discuss regularly with our clients. But while huge quantities of personal and financial information make large consumer facing organisations obvious targets, leaders of small and medium sized businesses frequently ask why anyone would be interested in their data.
Fear of data breaches is greatest amongst large companies and rightly so; our research shows that 16% of large UK companies suffered successful attacks last year. It is far from being an exclusive big business concern though, 12% of medium sized firms and 4% of small businesses were also victims, with the average cost of managing the impact of each attack estimated at £16,264.
Why would someone steal my data? Don’t be fooled into thinking that your small business’s customer, client or supplier information is “insignificant” or “uninteresting”. Any organisation with customers or financial information is a potential target, and smaller businesses, especially those operating in the supply chain of large organisations are particularly vulnerable.
Even though they may not be required to name an information handler by the Information Commissioner, any organisation with employees will hold payroll data and other sensitive information that is covered by the Data Protection Act. Businesses have an obligation to protect any data they hold that they wouldn’t want to publish publicly on their websites.
Protecting your intellectual assets, customer details and financial information is vital for many reasons, not least because identity theft remains a significant threat for individuals and businesses alike, and fraudsters rely on the information they can harvest from unsuspecting organisations to perpetrate these kind of attacks at scale.
Professional services are themselves particularly vulnerable here. Accountants hold huge amounts of financial information and solicitors are privy to sensitive personal or commercial information that could seriously embarrass their customers if it were to be compromised.
These organisations tend to be highly trusted by their business customers and welcomed with open arms into their boardrooms. Data breaches seriously undermine the credibility of such companies.
Again the main risk is the people element. When you have people carrying devices and pieces of paper containing potentially sensitive information around the outside world the risks of disclosure grows exponentially.
Whether through complacency, manipulation or malicious intent, the weakest link in the cyber security chain is people. Employees were believed to be involved in around half of the breaches suffered by businesses last year and warnings suggest social engineering is becoming an increasing concern.
When it comes to information security, social engineering refers to the manipulation of people into divulging information or performing actions that puts company assets and confidential data at greater risk of theft and disclosure.
Professional services firms have found themselves particularly vulnerable to this kind of attack. In September the head of a fraud ring was sentenced to 11 years in prison for a £113m scam targeting law firms and other businesses. Action Fraud, the national fraud and cyber-crime reporting centre,has warned solicitors and estate agents to be wary of fraudsters using social engineering techniques designed to trick victims out of money destined for house purchases.
Criminals now study companies and the networks they interact in to find a weak link in the supply chain. By understanding how an organisation operates and presents itself, it is then relatively easy for criminals to perform personalised attacks on bigger and more valuable targets.
9% of businesses we surveyed said that they had fallen victim to phishing attacks in the last year. They aren’t being taken in by classic requests for help transferring millions out of war torn locations, but by personalised requests purporting to come from key business partners and suppliers. Leaders should expand their consideration of risk beyond the boundaries of their own organisations.
Protecting your business and its partners
Even if you run the very smallest of companies, there are many reasons why criminals would be interested in your data. Businesses must do everything they can to ensure their cyber security defences are up to date to reduce the risk of this information falling into the wrong hands and being used to harm your business, employees, customers and suppliers.
All businesses have a responsibility to protect their assets and ensure that their IT systems are not used for criminal activities. Being ignorant to the existence of botnets on your IT systems is no defence if they are used to perpetrate cyber-attacks on other businesses.
Getting the technology piece right is one consideration. Spam filters, anti-virus software and firewalls must be maintained. Business fibre connections tend to have more sophisticated firewalls than older forms of connectivity, making these networks stronger and more secure. Single broadband routers also need to have their firmware regularly updated to prevent breaches.
People remain the weakest link. The best firms reduce the risk of information taken outside of the office being lost or stolen by hosting it securely in a data centre or the cloud and accessing it remotely using an encrypted internet connection while at their customers’ premises.
Protecting yourself, your information and your partners requires sound information security policies and procedures, solid training and a commitment to ensuring you constantly live up to standards required to keep an increasingly sophisticated enemy at bay.