Being known as the source of the largest data breach in history is probably not how Yahoo would like to be remembered. The reputations of eBay, LinkedIn, MySpace, TalkTalk and Ashley Madison have also taken a hit in recent years. Yet these high-profile cases are just the tip of the iceberg. A new survey by the British Chambers of Commerce (BCC) reveals that 42 per cent of big businesses have been the victim of cybercrime. The figure for smaller companies is lower, at 18 per cent, which probably reflects where attackers currently see the greatest return.
No one should be complacent, however. In the BCC survey only 24 per cent of the businesses questioned (regardless of size) said they had security measures in place, meaning roughly three quarters reported no defence against a data breach. The impact of a breach, even on smaller companies, should not be underestimated. Even more worrying is the fact that the vast majority of companies that have suffered a data breach were not aware of it until they were notified by their customers or by industry bodies.
Adam Marshall of the BCC says: "cyber attacks risk companies' finances, confidence and reputation, with victims reporting not only monetary losses, but costs from disruption to their business and productivity".
We know this to be the case. But while a Government spokesman has used the BCC report to advise companies to take advantage of its Cyber Essentials scheme to protect against attacks, we do not believe this goes far enough. Cyber Essentials certification is certainly an extremely useful starting point, and is already a requirement for bidding on certain Government contracts. But the rules for the protection of customer data will become significantly stricter with the arrival of the General Data Protection Regulation in May 2018. And, besides, protection is not just about compliance; it is about having a robust defence in place as well as a considered strategy to minimise the impact of any breach that does occur.
This is where we come in. When a data breach involves payment card data, the card brands require a PCI Forensic Investigator (PFI), a company approved by the Payment Card Industry Security Standards Council, to be brought in to establish what happened, what data was exposed and how the compromise should be contained. At SRM we are one of a handful of companies in the UK approved to carry out these investigations. But we also offer a bespoke Retained Forensic service, which applies the same expertise proactively, before an attack occurs. In this way, organisations can use our Data Forensic Investigations team not only to meet compliance requirements but also to build robust defences and to test their incident response in a controlled manner, before the worst actually happens.
We do not recommend services or tools you do not need, preferring to use our extensive experience and understanding of the online retail world to set up a targeted plan of action and remediation which will keep your business compliant and as secure as it is possible to be. Given the persistence and resilience of cyber attackers, no defence can rule out the possibility that a system will still be compromised. With a robust plan in place, however, remedial action will be swift, minimising financial and reputational damage. Demonstrating a proactive approach to protecting your customers' data also puts you in a stronger position when dealing with acquiring banks, the card brands or any other regulatory authorities.