The Proportion of Businesses That Have Had Breaches in 2017
||Admin/ Real Estate
|% experiencing a cyber security breach or attack in 2017
Businesses that invest more in cyber security have more breaches than businesses that invest less. This may seem counter intuitive but it’s partly due to businesses that realise they are more at risk such as finance operations then investing more whereas businesses where the online presence is minimal feel less at risk and invest less. There is also the assumption that businesses that invest more in cyber security will be better at identifying such breaches.
Types of Breaches/Attacks
|Viruses, spyware or malware
|Other impersonating organisation in emails or online
|Denial of service attacks
|Money stolen electronically
|Breaches from personally owned devices
|Personal information stolen
|Breaches from externally hosted web services
|Unlicensed or stolen software downloaded
|Money stolen via fraud emails or websites
|Software damaged or stolen
|Breaches on social media
|Intellectual property theft
You can see that attacks of various kinds are very common. All businesses must take steps to protect against data breaches and all common forms of cyber-attack
Do you have an opinion on this matter? Please comment in the box below.
Not all organisation data breaches get reported to the Information Commissioner’s Office (ICO).
ICO do recommend that any serious breach is reported to them, but it isn’t mandatory and ‘serious breaches’ are not defined. However, the following should assist data controllers in considering whether breaches should be reported:
- The potential detriment to individuals is the overriding consideration in deciding whether a breach of data security should be reported to the ICO. Detriment includes emotional distress as well as both physical and financial damage.
Ways in which detriment can occur include:
- exposure to identity theft through the release of non-public identifiers, eg passport number
- information about the private aspects of a person’s life becoming known to others, eg financial circumstances
The extent of detriment likely to occur is dependent on both the volume of personal data involved and the sensitivity of the data where there is significant actual or potential detriment as a result of the breach.
Where there is little risk that individuals would suffer significant detriment, for example because a stolen laptop is properly encrypted or the information that is the subject of the breach is publicly-available information, there is no need to report.
- The volume of personal data lost / released / corrupted: There should be a presumption to report to the ICO where a large volume of personal data is concerned and there is a real risk of individuals suffering some harm.
- The sensitivity of the data lost / released / corrupted:
How to Report a Breach
Serious breaches should be reported to the ICO using the DPA security breach helpline on 0303 123 1113 (open Monday to Friday, 9am to 5pm). Select option 3 to speak to staff that will record the breach and give you advice about what to do next or report in writing using the DPA security breach notification form, which should be sent to the email address email@example.com or by post to the office address at:- Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
When a breach is reported, the nature and seriousness of the breach and the adequacy of any remedial action taken will be assessed and a course of action determined.
- Record the breach and take no further action, or Investigate the circumstances of the breach and any
- remedial action, which could lead to further action;
- Set a requirement on the data controller to undertake a course of action to prevent further breaches;
- Start formal enforcement action which could lead to a fine of up to £500,000
For further information see https://ico.org.uk
Do enter your email address and click on the subscribe button on top right to keep up to date with new posts.
Hackers break into company computer systems and steal confidential information. i.e. they make copies of it for their own purposes.
The hackers might then ransom the data back to the owner or sell it to a competitor or sell it to other scammers or might make us of it in phishing scams i.e. to get more confidential information which they can then sell to fraudsters.
This is big business and usually it’s the customers of the hacked business that suffer.
We give our private and financial information to companies to do business with them but we expect they will do everything necessary to keep that data secure.
Many companies do have excellent data security but some fall short.
The cost to a company of a data breach can include:-
- Creation of contact databases
- Regulatory requirements
- External experts
- Postal costs
- Communications set-ups
- Audit services
- Legal expenditures
- Reimbursement for customers
- Cost of cleaning up data
Besides the material costs, there may be reputation damage.
Recent research shows:-
- The average cost of a data breach is $3.62 million
- The average global total cost per record stolen is $141 but there is huge variance across incidents.
- Companies in South Africa and India have the highest chance of data breaches whereas companies in Germany and Canada have the lowest.
- The mean time to identification of a data breach is 191 days
- The faster the breach is recognised, then generally the lower the total cost
- The increasing use of mobile platforms is increasing the chances of data breaches.
For information on how to recognise a cyber attack see https://fightbackonline.org/index.php/business/102-do-you-know-if-your-business-has-been-cyber-attacked
[facts taken from 2017 Cost of Data Breach Study]
If you’ve enjoyed this post or found it useful then do share – click on the post title then scroll down to the social media share buttons.