Data breaches are a looming danger for business, but most are doing too little, too late

 
Randhir Shinde
[Image: Chaos Computer Club Annual Congress. Hackers are stealing data either because they enjoy the challenge, or for more nefarious reasons (Source: Getty)]

The dark web is a strange and confusing place – but it is not that hard to access. After a bit of poking around, it becomes all too easy to find companies that have had their data breached.

It is easy to buy access to information, such as hacked credentials, or even rent a hacker to break into systems or deny access to them.

Many of these breached companies are high-profile FTSE100 businesses, and go beyond known cases like Facebook and Carphone Warehouse.

These high-profile cases and, importantly, the large fines attached to the imminent General Data Protection Regulation (GDPR) are making board members aware of data’s importance. At last, data discussion has moved from the server room to the boardroom. However, most businesses are doing too little, too late.

Until this changes, the breaches will keep on coming. Hackers treat data like Pokemon cards: they swap and trade their data breaches with each other, while the outside world remains unaware.

Known cases only just scratch the surface. The publicly unknown breaches go far deeper, either because companies are not aware they have been breached, or because they are hiding it.

It’s time this changed. GDPR is many things beyond opting in and opting out of spam emails. It demands that companies take all reasonable steps to protect their data and, should they be hacked, report any breaches. Scores of large businesses are not fulfilling either of these requirements, and are at risk of substantial fines. They must start taking data management seriously.

So, what to do? The easiest way to avoid having to report breaches is to stop them from happening.

Start by reviewing the data you hold, and why you hold it. Then, take measures to ensure that it is handled with appropriate protection and precautions. Encryption is one part of this, but the data also needs to be held securely, and collected properly.

As the chief executive of Galaxkey, a data protection and data life cycle management company, I help businesses to overcome their data protection challenges by providing a full-service option.

Whatever you choose, these efforts need to be underscored by employee education. There’s no point in investing in a smart, responsible approach if staff ignore it. Data compliance needs to be led by senior management, but enacted by everybody.

Finally, consider where you could be hacked. Most people think hacking takes place online, in the vague world of the internet. However, hardware, such as printers, is equally vulnerable. Applebee’s, the American restaurant franchise, suffered a major breach last year thanks to its credit card machines being hacked. Similar breaches likely exist; they are just not known about.

Too many businesses are currently breached. This matters: it means that your data – your most personal information – is being shared by hackers, who are either enjoying the sport of hacking, or who are obtaining data for more nefarious reasons.

It is a good thing that businesses have woken up to the importance of the data they hold. GDPR is the first step, as it means tough decisions are being made. GDPR – and regulations like it – will motivate business to better protect data, hopefully meaning that the breaches will start being countered.

City A.M.'s opinion pages are a place for thought-provoking views and debate. These views are not necessarily shared by City A.M.
