By using our site you accept the terms of our cookie policy

The true cost of data protection and content security complacency.

Image

The Information Commissioner’s Office (ICO) can fine organisations deemed to have failed in properly protecting data against a breach. It did just that in October when it confirmed the £500,000 fine it was hitting Facebook with over the harvesting of user data between 2007 and 2014 which became part of the now infamous Cambridge Analytica scandal. Forgive me for lapsing into Monty Python Four Yorkshiremen sketch territory, but Facebook was lucky. Lucky, that is, in that the incident happened before the 25th May when the EU General Data Protection Regulation (GDPR) came into force. If it had happened after that the fine could have been up to £17 million or 4% of global turnover. You try and tell the young people of today that and they won't believe you...

Seriously though, and this is indeed very serious stuff, it does seem like even with the prospect of stupendously silly figure fines hanging over the heads of the insecure enterprise, people still just don't get the true cost of data privacy complacency. I'm not even referring to the pre-GDPR regulatory fines that, according to research by one law firm https://www.scmagazineuk.com/average-data-breach-fines-doubled-ico-hints-higher-fines/article/1497671, had almost doubled on average between 2017 and 2018. The figures coming out of that research, up from £73,191 to £146,412, somewhat pale into budgetary insignificance when stacked against the bigger impact on your bottom line that now exists.

I mentioned data privacy complacency earlier, and it's not as if there is any excuse for not being ready; "I didn't have time to prepare for GDPR" is something that shouldn't be said by anyone who considers themselves a responsible adult running a business for goodness sake. How many years did you need, eh? The complacency I'm seeing though is specific, and that's in an apparent misunderstanding of the part of the regulation that requires organisations to employ cybersecurity technology and procedures that will be effective in preventing, or mitigating the impact, of a data breach. Compliance checkbox ticking is alive and well, and probably part of the sagging security posture in an enterprise near you right now.

I mean, c'mon, Heathrow Airport was fined £120,000 when it lost a USB stick containing un-encrypted and sensitive data. The BBC reported at the time https://www.bbc.co.uk/news/business-45785227 a Heathrow statement as saying it "regretted the breach." No shit Sherlock, I bet it did. Not as much as it would have done now, of course, with sharper teeth attached to the regulatory fining regime. What I find regretful is that people are still thinking that un-encrypted data, on a non-password protected USB stick, should be considered acceptable. Or even considered at all. The ICO found that there was a "catalogue of shortcomings in corporate standards, training and vision." Did I say no shit Sherlock already

Even those organisations involved in law enforcement don't seem to get it, not really get it anyway. Earlier this year the Crown Prosecution Service (CPS) was fined £325,000 https://www.computerworlduk.com/galleries/data/biggest-fines-issued-by-ico-3679087 after it 'lost' a stack of DVDs containing police interview recordings of child sex abuse victims. Lost? Yep, after they got left in reception for a couple of days and then vanished. DVD's, today, really?

Cost isn't just measured in cold hard cash either, although ultimately it all comes back to bruise your bottom line. It's a lot harder to compensate for the damage to brand reputation after a breach of any kind than it is to adjust the books to compensate for a fine. I guess both Heathrow and the CPS are fortunate in that they don't have a reputation to damage in any meaningful way. Even if people may not like them, they have little choice but to use them. The same is not true for most businesses though, especially in this age where media attention (both social and mainstream) means it is very difficult to escape the negative press of a data breach. Ditto the compensation claims that add litigation costs into the mix; customers are, quite rightly, a very compensation-happy crowd when you've short-changed them on data protection measures.

With Gartner predicting that the worldwide security spend will reach more than £71 billion by the end of 2018 https://www.itpro.co.uk/cyber-security/30122/cyber-security-spending-will-hit-96bn-in-2018 you really do need to get to grips with three words: risk, cost and value. Spend your money wisely or the cost of not adequately mitigating risk will return no value to your bottom line at all. I've mentioned that phrase a lot in this piece, but seeing as this is now literally going to be the bottom line, I'll give you the definitive last word:


Complacency or using inadequate solutions when it comes to securing data and content of whatever form is costlier to your business than you probably realise and that's the real bottom line sunshine...