The power of memory
www.crownrms.com

Records Management Perspectives: Why 2015 is set to be a record year for data breaches – and how to prepare
By Ann Sellar


Introduction

When it comes to the number of data breaches and how much they cost, the trend is only going one way in 2015: and that’s up.

We can be pretty certain that 2014 was a record year for high-profile breaches and that 2015 will beat it, especially with the EU General Data Regulation on the horizon.

Moreover, recent research suggests every single breach costs a company 3.5m USD on average; and only recently the Information Commissioner’s Office (ICO) reported there had been a ten-fold increase of breaches in the UK during the last five years.

In the past it is clear there weren’t a lot of breaches reported, not least because people weren’t required to. They didn’t understand what a data breach was. But now, especially since the ICO brought in fines of up to £500,000, it has all changed.

The public demands to know if personal information has been compromised and, even more than the fines, companies fear the reputational damage that a breach brings.

When US store Target suffered a major breach late in 2013 for instance (hackers stealing 40 million credit card numbers) it was not only fined but the following year its profits dropped dramatically. Consumer confidence in the business just disappeared, so in a way the company paid twice for the breach – and continues to pay to this day.

The situation is only going to grow in intensity in 2015. The EU Data Protection Regulation is likely to bring in even bigger fines when it is passed – up to 5 per cent of global turnover – as well as requirements to report breaches quickly, perhaps within 24 hours.

But the bottom line is that the amount of data is growing so fast it can sometimes be hard to cope, and legislation is struggling to catch up.

What is most alarming is that the hacking industry is growing as fast as the digital universe. Some reports say hacking now makes more money for criminals than even the drugs industry; and that really brings it home.

So if companies are not protected, that is what they are leaving themselves open to in the year ahead. Even so, anecdotal evidence shows that, even in this modern age, many companies are not protected – in fact some smaller businesses still have nobody in charge of protecting their data at all.

This is a concern because when you look at the list of biggest data breaches in the world in the last seven or eight years, not all of the companies affected are giant conglomerates. You don’t have to be a big company to have a lot of data – or to have sensitive data. It’s not only AOL that has a customer’s address, telephone number, email and bank details on file. A solicitor, accountant, internet provider or even a supermarket or coffee shop may have the same information.

So what is important is that companies take basic steps to avoid a breach no matter what their size. A lot of businesses may feel in limbo as they wait to see how the EU General Data Regulation shapes up. But the bottom line is that if you don’t protect the information you have then something bad is going to happen – financially or reputationally – eventually.

Setting up an information audit is crucial to set the tone for the year ahead; and implementing stringent processes, such as those detailed below, will ensure companies’ data is managed and disposed of securely in a fully compliant manner.

Data breaches may be on the up in 2015 but this isn’t the time to sit back and give in. Now is the time to prepare for what lies ahead.

HOW TO AVOID DATA BREACH

1. Human error – ensure all staff are educated

A recent Department for Business Innovation and Skills (DBIS) survey on data breaches in 2014 indicated 47 per cent of breaches last year were incidents caused by staff. These included loss or leakage of confidential information (35 per cent of cases), unauthorised access to data (32 per cent), breach of data protection laws (25 per cent) and misuse of confidential information (16 per cent).

But these breaches can be mitigated by ensuring staff know what is expected of them and understand the consequences of failing to protect sensitive data – it’s about reducing human error. This responsibility extends to temporary staff as well as permanent staff.

Make training fun and simple to encourage engagement. Check each employee has understood by running a short quiz and asking staff to sign a document to confirm they have understood. Appointing information champions who have a good understanding of the field can also be helpful, so that individuals within an organisation know who to go to with any queries or concerns.

The DBIS survey suggested almost a third of companies failed to continue staff training beyond an initial induction; and that is simply not enough.

2. Data protection – review your policies regularly

Data protection policies should be up to date and comply with current legislation – especially with an eye to the EU General Data Protection Regulation, which could be passed in 2015 and in place by 2017. Policies should be reviewed in line with business changes, for example, following accreditation to 27001. A regular programme of training which includes frequent refresher sessions is vital as the legislation and rules on handling data begin to change.

3. Sensitive data – store safely and restrict access

Ensure all paper files and media devices containing sensitive information are stored securely either on site or with a third party. Take regular back-ups of information stored on your computers and keep in a secure separate location. It is prudent to restrict employees’ access to sensitive data, giving access only to the information they need to do their jobs whether online or in paper form.

4. Data disposal – remove risk of confusion

Implementing a “shred all” policy will remove any confusion staff may have over what is classed as confidential material, and eliminate the risk of human error. Data on electronic devices such as computers, laptops and USBs should not only be ‘wiped’ – there is now a fear in the market that wiping is not 100 per cent guaranteed. Instead the devices need to be professionally destroyed – and should be stored in locked containers or rooms while awaiting secure disposal.

5. Encryption and password protection – safeguard all electronic devices

Passwords should be changed on a regular basis and staff should be aware of when to do so. It is best practice to ensure passwords contain a minimum combination of six to eight letters and numbers, using upper and lower case, in order to reduce the risk of the password being compromised. Encryption adds another level of data privacy. Encryption should be placed on all devices including mobile devices, back-up tapes and laptops.

Information management has moved up the agenda of corporations, governments and institutions in the modern world. So senior managers should establish stringent procedures governing the handling and secure destruction of information, as well as ensuring all employees are aware of their obligations and the potential consequences of data losses.

In this way, corporate data will no longer be viewed with fear but instead seen as a carefully protected corporate asset. It’s all about being aware of the power of memory.


This article was authored by Ann Sellar of Crown Records Management. If you have any questions about this article or would like to find out more about other services provided by Crown Records Management, please contact Ann Sellar at [email protected]

Biggest data breaches 2014

154 million user records compromised

76 million account holders affected

6 million private emails and phone numbers of friends were given to Facebook members erroneously

70 million records compromised

5 million passwords leaked

20 million bank and credit card users affected

4.5 million patient records in US compromised