Falling victim to cybercrime is bad for business, no surprises there. Between the disruption, the damage to reputation, the loss of sensitive company data and regulatory fines, the costs can run into hundreds of thousands or even millions of pounds. In some cases the company involved never recovers. With the arrival of GDPR (General Data Protection Regulation) in May 2018, those costs stand to rise further still: the regulation allows fines of up to €20 million or 4% of global annual turnover, whichever is higher. Little wonder that many companies fear a single attack could be all it takes to bring them down for good.
In today’s business environment, the threat of a data breach is a daily concern for the boardroom. Until now, however, the issue of responsibility has been glossed over. Impending data protection laws such as GDPR aim to tackle corporate responsibility head-on, in line with the growing threat posed by cyber-attacks and the data breaches that follow them.
Back in January last year, the Information Commissioner’s Office (ICO) fined the Horsham-based insurer Royal & Sun Alliance Insurance PLC (RSA) £150,000 following the theft of a hard drive containing 59,592 customers’ names, addresses and bank account details, including account numbers and sort codes. The device also held limited credit card details for 20,000 customers.
Steve Eckersley, ICO Head of Enforcement said: “When we looked at this case we discovered an organisation that simply didn’t take adequate precautions to protect customer information. There are simple steps companies should take when using this type of equipment including using encryption, making sure the device is secure, and routine monitoring of equipment. RSA did not do any of this and that’s why we’ve issued this fine.”
The fact of the matter here is simple: full-disk encryption would have left the data on that stolen drive unreadable to whoever took it. BitLocker provides exactly this, is built into Windows 10 Pro at no extra cost, and is something every company should have in place and enforced as part of its IT Security Strategy. One caveat a practitioner will want stated plainly: encryption only protects a device that is powered off or locked, and only if the recovery key is escrowed somewhere other than the device itself, so it has to go hand in hand with a screen-lock policy and a key-backup process.
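As an added illustration (not code from the original article or from LMS Group), the following PowerShell shows what "in place and enforced" looks like on a single Windows 10 Pro machine: it checks for a ready TPM, reports whether the system drive is already protected, enables BitLocker with a TPM protector plus a recovery password if not, and escrows the recovery password. It assumes the BitLocker module that ships with Windows 10 Pro/Enterprise, an elevated PowerShell session, and an Azure AD-joined device for the escrow step (the mount point `C:` and the choice of XTS-AES 256 are the author's assumptions, not anything the article specifies).

```powershell
# Added example, not from the original article. Run elevated on Windows 10 Pro.
# Assumes a TPM is present and the device is Azure AD-joined for key escrow;
# swap BackupToAAD-BitLockerKeyProtector for Backup-BitLockerKeyProtector on
# domain-joined machines that escrow to on-premises AD DS.

$mount = 'C:'   # assumed system drive

# A TPM protector is what makes "encrypted but usable" work; bail out if it is not ready.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM on this machine; initialise the TPM in firmware before enabling BitLocker."
}

$vol = Get-BitLockerVolume -MountPoint $mount

# ProtectionStatus 'On' means the key protectors are active. A volume can be
# FullyEncrypted yet show 'Off' (protection suspended), which is as good as no
# encryption for a stolen device, so check both properties.
if ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted') {
    Write-Output "$mount is already protected with $($vol.EncryptionMethod)."
} else {
    # XTS-AES 256 for the OS drive; -UsedSpaceOnly makes the first pass quick on fresh builds.
    Enable-BitLocker -MountPoint $mount -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -TpmProtector -SkipHardwareTest

    # A TPM protector alone leaves no way back in after a motherboard or TPM swap,
    # so add a recovery password as a second protector.
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
}

# Escrow every recovery password. Without this, a lost laptop is lost data AND a
# locked-out user; with it, the lost laptop is just hardware.
$recovery = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
foreach ($kp in $recovery) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $kp.KeyProtectorId
}

# One-line audit record per device: this is what an IT team should be able to
# produce for every laptop when the ICO asks the question RSA could not answer.
Get-BitLockerVolume -MountPoint $mount |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
        @{ Name = 'Protectors'; Expression = { ($_.KeyProtector.KeyProtectorType) -join ',' } }
```

The audit line at the end is the part worth wiring into a scheduled task or an MDM compliance check: "encrypted" on its own is not enough, and a fleet report that shows ProtectionStatus, the protector types and whether the recovery password was escrowed is the evidence a regulator will ask for after a theft.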
IT Security Strategy, I hear you say…?
You would be both shocked and surprised by the state, or lack, of IT security measures that many south coast SMEs have in place. In some cases I would go so far as to say that IT security was non-existent, with the topic completely neglected by senior management. You would also be surprised by the number of businesses that think it’ll all be OK and they’re bulletproof because they have basic anti-virus. I’m afraid anti-virus is one of the last layers of protection: it only catches malware that has already reached the endpoint, and if a threat has got that far, arguably it’s too late!
In today’s world of hackers, malware, viruses, ransomware, exploits, phishing and spoofing to name but a few threats, I’m afraid that burying your head in the sand is just not a viable option.
Gone are the days of keeping sensitive data in a locked filing cabinet. We are living in the digital era, and sensitive data is now stored on servers, cloud services, PCs, laptops, smartphones, tablets, USB sticks… the list goes on. With this, however, come risks: who has ultimate control over company data? It’s no longer Janice the secretary who keeps the key to the filing cabinet, that’s for sure.
Mobile Risks
Gone, too, are the days of being handed a BlackBerry on your first day in a new job. In most cases a new employee can walk out on day one with their company email account set up on their own smartphone and personal laptop, and perhaps with access to a Dropbox, OneDrive or SharePoint account on those devices as well. That’s all very good and promotes flexible working, but what controls are in place for when the smartphone gets stolen in the pub on Friday night or the laptop gets left on the train? Are devices encrypted? Is there Mobile Device Management in place? Is remote wipe set up? What are the password complexity requirements? Is multi-factor authentication enabled? What is the company policy in the event of a lost device? And what if that employee works from an unsecured Wi-Fi hotspot? What network policies are in place to prevent this? Is sufficient endpoint protection in place? Have monthly vulnerability scans been carried out?
It doesn’t take an expert to work out that in both of the above scenarios the statement ‘But I’ve got anti-virus’ just doesn’t cut it.
Ignorance is not bliss when it comes to GDPR, and organisations that have fallen behind in their preparations must ramp up their compliance activities or they could take a serious financial hit once the regulations take effect.
To download our three-stage GDPR IT Security Readiness Checklist, visit: www.lms.group/checklist
For more on GDPR visit
It may sound like a lot to prepare for by May 2018, when GDPR compliance becomes mandatory, but there’s no need to panic. Working with a trusted security partner can greatly ease your GDPR compliance journey and bring benefits that extend well beyond compliance alone. LMS Group offers pragmatic and holistic guidance on GDPR data security readiness through its three-stage methodology and a wide range of services, from early-warning systems and reducing the risk of data breaches to actionable security solutions that predict, prevent, detect and rapidly respond to cyberattacks on sensitive data in scope of GDPR.