In the digital age, data security is more important than it ever has been. Just a few decades ago, an attacker would need to physically break into your premises in order to steal your personal possessions; now, they can do so remotely – often from the other side of the world. Moreover, businesses are now carrying more of their clients personal data than ever before, making them tempting targets for nefarious third parties.
So why, exactly, should business be concerned about personal data breaches?
There now exists robust regulation, designed to allow victims of this kind of crime to take action against organisations who fail to keep hold of their data. The most famous of these is the European Union’s General Data Protection Regulation, which was implemented in the UK via the Data Protection Act 2018. These obligate companies to use information fairly and transparently, and to hold it for no longer than necessary.
They also mean that companies have to report breaches to the people whose data has been stolen. This means appointing a data protection officer, whose job it is to provide more information to the customer, who needs to be kept apprised of the action being taken. Companies might also have to pay out data protection breach compensation to customers who’ve suffered as a result of a failure to keep the data secure.
What data is at greatest risk?
Data of all kinds have a monetary value. It might be used for identity theft, discrimination, or fraud.
Names and addresses might be sold for a profit. Bank details and other sensitive financial information might allow an attacker a means of extracting money more directly. Medical information might be attractive for much the same reason – it might be sold to third parties, or used to blackmail the victim directly. Similarly, a large-scale breach might result in a ransom demand; the company might find itself having to pay the attacker to return the data. Ransomware is software designed for exactly this purpose.
What constitutes a data protection breach?
Any event which results in unauthorised third parties gaining access to data constitutes a data breach. A hacker might gain access to an internal database by first gaining control of a given computer, or using a trojan horse program. Data might be inadvertently sent to the wrong recipient, whether mistakenly or as a result of a phishing email. Data might also be simply lost or destroyed, because there wasn’t any backup storage in place to protect against disaster.
How can I protect my business?
Your business is at risk of being targeted, and the best defence is education and vigilance. Staff and customers should be trained, and regularly reminded, to be aware of scams which involve putting personal data online. Software should be kept updated, as should antivirus definitions; but it’s people who can effectively protect your data.