Protecting data on your own computer is relatively straightforward but what about information that connects to your business, which is out of your IT department's control?
AVG (AU/NZ) Pty Ltd looks at the dangers and costs of data security breaches and what each business, no matter how large or small, should be doing to safeguard themselves.
Did You Know:
- The Australian Government is currently considering legislation to fine companies for failing to safeguard customer data
- Only 28 percent of companies in a recent survey had formal policies on Internet security in place
- 330 million records containing sensitive personal information have been involved in data security breaches since 2005
Lloyd Borrett, Security Evangelist at AVG (AU/NZ), says, “Updating anti-virus protection, keeping up with security patches and assuming that any questionable online link is bad news are just some of the ways that average business PC users can keep themselves secure.”
But what risks exist to the data that is out of our central control? A whole range of public and private sector companies hold confidential information on various elements of our business, which we trust them to keep safe. Unfortunately sometimes that trust is misplaced.
Incidents when data is lost or stolen from a company are known as data breaches and they are on the increase. A recent study from the United States National Cyber Security Alliance revealed that 65 percent of small businesses surveyed hold customer data, while 33 percent admitted to storing credit card information. Despite admitting that the Internet was critical to their operations, only 28 percent of the companies surveyed said they had formal policies on Internet security in place. More concerning, only 35 percent said they provided any kind of training on Internet safety and security to their staff, and only 14 percent said they had anyone solely focused on IT security within the company.
The size and shape of the typical company most likely to be hit by a data breach is easy to define - it is all businesses. From sole traders and two-man partnerships to government departments and big corporations, the hackers who perpetrate the intrusions that lead to a data breach are not fussy. They don't discriminate among their targets and here's why. A small business may have a good deal of valuable corporate data that cyber-criminals will want to "scrape", yet only have a relatively weak and porous data security layer in place protecting it.
The inaugural Australian Cost of a Data Breach report conducted by the Ponemon Institute and PGP Corporation aimed to quantify the costs associated with public and private sector data breaches. Sixteen organisations participated in the study between September 2009 and January 2010, all of which had experienced one or more data breach incidents during the past year. The incidents that were reported involved between 3,300 and 65,000 compromised records, and were found to cost an average of $123 per compromised record. Malicious attacks and botnets accounted for 44 percent of these data breaches.
The UK's Revenue and Customs Department (HMRC) was subject to one of the most infamous data breach incidents in recent history when records relating to around 25 million individuals were exposed after two CDs went missing. The subsequent fall-out resulted in a legal inquiry into data practices at HMRC and across the government sector and in a positive result for consumers: more powers for the UK's Information Commissioner and the Data Protection Act which he regulates and enforces.
The United States is similarly tightening up legislation to regulate companies that are careless with information. Lawmakers recently introduced two new bills designed to compel companies to be upfront about data breaches - the Personal Data Privacy and Security Act of 2009 (S.1490) and the Data Breach Notification Act (S.139). An enforcement body, known as the Office of Federal Identity Protection, has also been set up as part of the Federal Trade Commission. The lawmakers were motivated to tighten up data protection efforts given that some experts estimate that 330 million records containing sensitive personal information have been involved in data security breaches since 2005.
While Australia is yet to introduce similar legislation, it will happen fairly soon. In 2008, the Australian Law Reform Commission (ALRC) made 295 recommendations to the Government on privacy laws and practices, which are being implemented in stages, including a key recommendation that organisations be required to notify the Privacy Commissioner and affected individuals of any serious data breaches, with civil penalties to apply for failure to report breaches.
The message here is that corporate data is as much a part of a company's assets as is its intellectual property, its staff and skills base and its fixed cost assets from the carpets to the photocopier – and it must be treated as such. Failure to realise the gravity of this core tenet of modern business is tantamount to flagrantly posting the entire corporate database on the company's homepage. Businesses have a commercial responsibility to close the door to the data centre, keep it locked and ensure that policies exist to govern who the key holders are.
The Australian Government Stay Smart Online web site (www.staysmartonline.gov.au) advises companies to make sure they have policies in place when it comes to protecting customer data but also advocates a range of measures similar to those that home users should follow when it comes to securing their own information. "Keeping your customers safe requires that your own computer systems are fully protected," the organisation advises. "The best policies in the world won't protect your customers if your network and resources are at risk of attack or preventable failures."
The Australian Government Office of the Privacy Commissioner has helpful information about privacy issues for business on its web site at http://www.privacy.gov.au. You should especially read “Don’t Leave Privacy to Chance… Take Steps to Protect Personal Information” at http://www.privacy.gov.au/materials/types/guidelines/view/6849.
But how do you know if a business which holds information on your company has been breached?
Borrett says, “There are some tell-tale signs to look out for:
• unusual or unexplainable charges on bills;
• phone calls or bills for accounts, products, or services that you do not have;
• failure to receive regular bills or mail;
• new, strange accounts appearing on invoices; and
• unexpected denial of corporate credit cards.”
Based on those clues, if a business suspects that its details might have been exposed by a security attack on a company, it should contact the company in question, initially by phone and then by letter if necessary. Contacting the main credit reporting companies - Dun & Bradstreet and Veda Advantage - is also a smart move, as is filing a report with the local police so there is an official record of the incident.
It's also important to consider whether a breach in one organisation could have an impact on other confidential information. For example, if a thief has access to an employee's Tax File Number, then the company should contact the Australian Tax Office. The personnel department or the employee themselves should also contact the Roads & Traffic Authority if any driver's licence or car registration details have been stolen.
There are many organisations and agencies that can help if you think your employee's data or your own corporate data has not been properly safeguarded but, as with many things, prevention is often more effective than a cure. So when it comes to the many channels via which data breaches can target both you and your customers, the best approach is to only share information when you have to and only with companies you trust. If you can standardise this within your company's core operational procedures and ensure that this ethos is carried downwards into the entire staff base, then you will be taking the safest possible corporate steps on the road ahead.
So to finish, let's return to our first question - customers, employees and stakeholders: who suffers as a result of a data breach? The answer should be clear at this stage. Quite simply everybody suffers from hacks that lead to data leakages. Operationally, the business suffers directly from a potential loss of trading profits, so corporate and individual stakeholders are worse off. Employees are compromised and customers lose faith in the company's ability to function at a level even vaguely resembling best practice. It's a vicious circle and a downward spiral, but the shame of it is that it is all so preventable. We urge you to lock down your data now.