The number of data breaches divulged to the DPC (Data Protection Commission) soared by over 70% in 2018 with the introduction of the new data protection rules across Europe. In total, the DPC was notified of 4,740 breaches during 2018, with 3,542 of those made in the months after the GDPR came into force in May.
These figures were contained in the first annual report of the DPC since its name changed from the Office of the Data Protection Commissioner to the Data Protection Commission in the middle of last year. The largest category of complaints concerned the right of access to personal data held by others, with unfair processing of data and unauthorised disclosure of data among the other most common grounds for complaint.
The BIG Offenders
The DPC has also opened 15 new statutory investigations between May and December last year into issues around whether large technology multinational companies were compliant with GDPR.
Seven of these investigations were focused on Facebook alone, with two looking at its subsidiary company WhatsApp and one examining an issue with Instagram, which is also owned by the social networking behemoth. After a year of data breaches and privacy scandals which have impacted the company’s share price and reputation, Mark Zuckerberg has stated that he wants Facebook to become a “privacy-focused” social network. Twitter and Apple are also subject to two ongoing inquiries each, while LinkedIn is the focus of one.
As data collection continues to become a greater part of the public conversation owing to the recent multinational scandals, GDPR obligations and privacy protections are beginning to occupy a more important place in the minds of senior data managers, alongside predictive analytics, analysis, data collection and the other priorities that give data its value.
Data breaches aren’t just a problem for big business
When data breaches make the news, it is usually because they occurred at a major company, as with the Facebook example above. The reality, however, is that cyberattacks are far more likely to be carried out against small businesses.
This is particularly problematic because most small business owners do not realise how much personal information they hold about their clients, employees and suppliers. The average small business possesses a significant amount of data that is valuable to attackers, including:
- Employee birthdates and Social Security numbers
- Client names, email addresses, and phone numbers
- Banking information & Credit/Debit card numbers
While breaches at large multinationals may yield a bigger payoff for attackers, small businesses tend to have fewer security controls in place, which makes them much easier to compromise. It is therefore vital that small businesses follow strict procedures to reduce the probability of a data leak.
Code of Ethics
One mooted change to improve data security is the introduction of a code of ethics such as those applied in professions such as accounting, medicine and law. Many of the ethical principles used in these professions are cross-discipline and could be applied to data storage, corporate governance and data use also.
Many organisations plan to initiate annual reviews not unlike accounting audits to ensure compliance with these ethics guidelines and managers will also be on the lookout for bias on the behalf of data controllers.
Drawing inaccurate conclusions from data can be as harmful as having no insights at all and is a major reason for the need for a code of ethics when it comes to data usage. As one senior business intelligence leader in Google put it, “the practice of ethics helps professionals to take a step back and evaluate situations from an ethical perspective.”
According to a 2018 data security report published by the Wall Street Journal, 30% of data breaches last year in the United States were caused as a result of employee error.
Since such a large share of breaches is directly caused by employee oversight, training employees to recognise and prevent data security breaches needs to be your company's number one priority: the best way to counter accidental breaches caused by uninformed employees is to inform them. With a comprehensive retraining programme in place, your business can greatly reduce the risk of a breach caused by employee mistake. Elements that should be included to ensure a thorough understanding of how to maintain data security include:
- Data Security Awareness: From the importance of using strong varied passwords to checking email links before you click them, every employee needs to have a basic understanding of the protocols which need to be followed.
- Employee Responsibility: Each employee should have a clear understanding of what their role is in protecting the company’s data security. Instituting a list of responsibilities for each employee regarding what to do will help to eliminate confusion and enhance each employee’s understanding of how they can protect data security.
- Specific Risks: After assessing what your company's biggest data breach risks are, add training elements that address those risks specifically.
Preventing Insider Abuse
Disgruntled current and former employees are one of the most dangerous data breach risks a company can face. Because of the credentials they hold, insiders can bypass many of the security measures designed to stop outside attacks. While stopping a breach by a determined attacker with inside access is hard, there are ways to reduce both the risk and the scope of the damage:
Delete unnecessary User Accounts: These include accounts created for temporary workers, accounts belonging to ex-employees, and extra accounts that gave a permanent employee access to a specific system for a one-off job. Whatever the reason they exist, unused accounts are a data security risk that needs to be eliminated.
Restrict Employee Access: Not every employee needs to have total access to every database. By restricting access, you can limit the scope for an insider attack.
Monitor User Accounts: Tracking account use makes it easier to trace the origin of a breach, which matters for compliance. Alerting the security team when suspicious activity is recorded enables faster response times and can even allow you to stop a breach that is in progress.
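The three controls above, as an added example that is not part of the original article: a short Python script, run against constructed sample data (the account records, role baseline, log lines and thresholds are all made up for illustration), that lists accounts to remove, flags grants that exceed a user's role, and raises alerts from an access log. The alerting rules (access outside the user's role, activity outside business hours, a burst of exports, and any activity from a disabled account) are the ones a practitioner would typically start with, not rules the article itself prescribes.

```python
"""Insider-risk checks over constructed sample data (added example, not from the article)."""
from datetime import datetime, timedelta

# Constructed directory export, the kind of record an identity provider or HR system gives you.
# 'expires' is set only for temporary or one-off project accounts.
ACCOUNTS = [
    {"user": "alice", "status": "active", "role": "finance", "last_login": "2019-03-04",
     "expires": None, "grants": {"payroll_db"}},
    {"user": "bob", "status": "active", "role": "support", "last_login": "2019-03-04",
     "expires": None, "grants": {"ticket_db", "payroll_db"}},   # payroll_db is not a support grant
    {"user": "carol", "status": "left", "role": "support", "last_login": "2019-02-28",
     "expires": None, "grants": {"ticket_db"}},                 # ex-employee, account still enabled
    {"user": "dave", "status": "active", "role": "support", "last_login": "2018-10-01",
     "expires": None, "grants": {"ticket_db"}},                 # nobody has used this account for months
    {"user": "tmp-audit", "status": "active", "role": "finance", "last_login": "2018-12-15",
     "expires": "2018-12-31", "grants": {"payroll_db"}},        # one-off account past its end date
]

# Least-privilege baseline: the resources each role legitimately needs (hypothetical).
ROLE_GRANTS = {"finance": {"payroll_db"}, "support": {"ticket_db"}}

# Constructed access log, one "timestamp user resource action" event per line.
ACCESS_LOG = """\
2019-03-04T09:12:00 alice payroll_db read
2019-03-04T10:30:00 bob ticket_db read
2019-03-04T22:41:00 bob payroll_db export
2019-03-04T22:42:00 bob payroll_db export
2019-03-04T22:43:00 bob payroll_db export
2019-03-05T03:05:00 carol ticket_db read
""".splitlines()

NOW = datetime(2019, 3, 5)              # "today" for the stale-account check
STALE_AFTER = timedelta(days=90)        # no sign-in for this long => candidate for removal
BUSINESS_HOURS = range(8, 19)           # 08:00 to 18:59 local time
BULK_EXPORT_THRESHOLD = 3               # exports by one user inside BULK_WINDOW that trigger an alert
BULK_WINDOW = timedelta(minutes=10)


def accounts_to_remove(accounts=ACCOUNTS, now=NOW):
    """Step 1: accounts with no remaining reason to exist, mapped to the reasons found."""
    out = {}
    for a in accounts:
        reasons = []
        if a["status"] != "active":
            reasons.append("owner no longer with company")
        if a["expires"] and datetime.fromisoformat(a["expires"]) < now:
            reasons.append("temporary account past its end date")
        if now - datetime.fromisoformat(a["last_login"]) > STALE_AFTER:
            reasons.append("no sign-in for over %d days" % STALE_AFTER.days)
        if reasons:
            out[a["user"]] = reasons
    return out


def excess_grants(accounts=ACCOUNTS, role_grants=ROLE_GRANTS):
    """Step 2: grants each user holds beyond what their role needs (users with none are omitted)."""
    out = {}
    for a in accounts:
        extra = a["grants"] - role_grants.get(a["role"], set())
        if extra:
            out[a["user"]] = sorted(extra)
    return out


def suspicious_events(log=ACCESS_LOG, accounts=ACCOUNTS, role_grants=ROLE_GRANTS):
    """Step 3: one (timestamp, user, [reasons]) entry per log line that deserves an alert."""
    by_user = {a["user"]: a for a in accounts}
    alerts = []
    recent_exports = {}   # user -> timestamps of exports inside the sliding window
    for line in log:
        ts_s, user, resource, action = line.split()
        ts = datetime.fromisoformat(ts_s)
        acct = by_user.get(user)
        if acct is None or acct["status"] != "active":
            alerts.append((ts_s, user, ["activity from disabled or unknown account"]))
            continue
        reasons = []
        if resource not in role_grants.get(acct["role"], set()):
            reasons.append("access to %s outside role %s" % (resource, acct["role"]))
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("activity outside business hours")
        if action == "export":
            window = [t for t in recent_exports.get(user, []) if ts - t <= BULK_WINDOW]
            window.append(ts)
            recent_exports[user] = window
            if len(window) == BULK_EXPORT_THRESHOLD:   # fires once, when the threshold is first reached
                reasons.append("bulk export: %d in %d min" % (len(window), BULK_WINDOW.seconds // 60))
        if reasons:
            alerts.append((ts_s, user, reasons))
    return alerts


if __name__ == "__main__":
    print("remove:", accounts_to_remove())
    print("excess grants:", excess_grants())
    for ts_s, user, reasons in suspicious_events():
        print(ts_s, user, "; ".join(reasons))
```

In a real deployment the directory export and the log would come from your identity provider and your audit logging, and the role baseline would be the access matrix agreed with each team; the point of the script is that all three controls reduce to data you almost certainly already have.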
Choosing The Right Cloud Storage Provider
The majority of companies rely on cloud storage providers to back up their business data. However, you may not understand exactly how these providers are protecting your data. Reading your cloud storage provider's service agreement will let you understand the security measures they have in place and whether those measures match what you need to protect your customers.
Security measures to look out for include the steps taken to safeguard your business data, who is authorised to access this data, and what happens to the data if you decide to terminate the agreement. The robustness of these cybersecurity measures should be a major factor when deciding on a cloud storage provider for your data.
Developing A Comprehensive Response Plan
Developing a comprehensive response plan helps both employees and the employer to understand the potential impact of a breach. Employers should be transparent about the scope of the breach, as both employees and customers want to know the truth. A well-thought-out response plan can help to limit lost productivity and prevent negative publicity.
Your response plan should begin with a thorough evaluation of exactly what was lost and when. It should also focus on finding out who is responsible. By taking swift, decisive action, you can limit the damage caused by the breach and restore your company's public image.
About the Author
Mark O’Connell is a digital expert working at Digital Strategy Consultants. He has a passion for strategy and for helping organizations achieve their online goals through best practice techniques, priming them to drive competitive advantage through early adoption of emerging digital technologies. Mark holds an LL.B (BS) (Hons) in Law & Business (TCD), an MSc in Data Intelligence (Fordham University, New York) and an MSc in Marketing Strategy (Antwerp Management School). His current research interests are in the field of analytics and strategy and how these disciplines can be used to drive competitive advantage.