What are Data Breaches?
Access to personal or business information from cyber hackers is a real and present threat to all businesses in the modern workplace. Data has value, and personally identifiable, sensitive personal and business information can be used or resold for identity theft, to competitors, or for blackmailing purposes. GDPR and other data protection regulations have been created to place the onus of data security firmly with those who store and process the data, as well as giving the data subjects more rights to access and remove their information from companies holding it. Even with these regulations in place for all industries, a large amount of SME businesses do not have sufficient data breach controls or procedures to act upon in the event of a data security breach.
Data Breach Statistics UK 2019
- Only 16% of businesses have formal cyber security incident management processes in place
- 32% of businesses identified cyber security breaches and attacks cost on average £4180 in lost data and assets in 2019.
Source: Sysgroup.
- 88% of UK companies have suffered breaches in the past 12 months.
Source: Carbon Black.
- One small business is hacked every 19 seconds.
- Around 65k SME’s occur every day in the – around 4.5k of which are successful.
Source: Hiscox.
- 33% of UK companies say that data breaches caused them to lose customers.
Source: Redseal.
- 44% of customers say they will stop using a company after a security breach.
Source: Businesswire The UK Government has also done extensive studies into the cause and effects of cyber attacks and data breaches for 2019. The following information comes form the Cyber Security Breaches Survey 2019.
- Around a third (32%) of businesses and two in ten charities (22%) report having cyber security breaches or attacks in the last 12 months.
- As in previous years, this is much higher specifically among medium businesses (60%), large businesses (61%) and high-income charities (52%).
- Among this 32 per cent of businesses and 22 per cent of charities facing breaches or attacks, the most common types are:
- Phishing attacks (identified by 80% of these businesses and 81% of these charities)
- Others impersonating an organisation in emails or online (28% of these businesses and 20% of these charities)
- Viruses, spyware or malware, including ransomware attacks (27% of these businesses and 18% of these charities).
Over four in ten businesses (44%) and six in ten charities (61%) say that staff in their organisation regularly use a personal device such as a non-work laptop for business purposes. This is known as bringing your own device (BYOD).
Information Security and Data Breach Policies
Having detailed Information Security policies after implementing your data protection measures is an important step in educating your staff on where and why data is stored in your organisation and what to do in the event of a data breach. You staff should also be given training in what data breaches are and how to prevent data loss as well as what to do in the event of an attack. Understanding the impact of data breaches should be reinforced with refresher sessions and reminders of company procedures. Examples of the Information Security related policies and procedures:
- Data Classifications and GDPR/CCPA
- Organisational Structure
- Third-Party Due Diligence
- Internal Data – Listing
- Human Resources
- Governance and Security
- Joiners, Movers Leavers Security
- Client Leads – Sales and Account Management
- Network Administration
- Support Systems Used (Office, CRM etc
- System and Support Systems Data Landscape
- Infrastructure
- Data at Rest and In Use Security
- Data in Transit Security
- Environments and Access Controls
- Product Environments
- Cloud Services and Security
- Cloud Service Locations
- Disaster Recovery and Business Continuity Planning
- Server Hardening and Configuration
- Malware Protection and Vulnerability Management
- Penetration Testing
- Hardware Devices
- Configuration
- Tracking
- Lost Devices
- Disposal
- Mobile Devices and Acceptable Use
- Physical Security Policy
- Remote Working
- Networks/Mapping/Access
- Wi-Fi
- Firewalls/Other
- Data Breach Incidents and Reporting
- Data Breach Procedure
- Identification and Assessment
- Containment and Recovery
- Risk Assessment and Investigation
- Incident Log
At Policy Pro’s we can undertake a gap analysis of your data storage and system landscape and produce the relevant Information Security and data breach policies and procedures to ensure your staff are prepared to prevent and manage any cyber-attacks. If you would like more information on how we can help with your data breach related policies, please contact us.
