Almost daily now we hear about new data breaches in the news putting individuals at risk of identity theft, fraud and distress and damaging the reputation, market and financial position of businesses large and small. It is one of the top 5 things to keep Execs, business owners and shareholders awake at night.
Following analysis of 2,013 data breaches, the latest 2019 Verizon Data Breach report shows that 43% of the data breaches analysed involved small business victims, followed by the public sector, the healthcare industry and the financial services sector. Not surprisingly, the majority of these were perpetrated by outsiders; however, 34% involved internal actors through errors in infrastructure management, systems development, end-user activity and so on, which is likely attributable to the absence or weakness of process, control or governance.
The cost of data security breaches
The cost of data breaches can be felt by businesses, shareholders and affected customers/data subjects for years following the actual breach, through loss of consumer and investor confidence hitting share prices, market share and ultimately the bottom line. The TalkTalk breach in 2015 is estimated to have cost the company over £77 million. Of course, this was before the General Data Protection Regulation (GDPR) came into force, and the cost would be significantly higher if it happened today due to increased fines from the ICO and claims from data subjects.
Equifax received the maximum penalty from the ICO under the Data Protection Act 1998 of £500,000, which again would have been significantly higher had the breach occurred after 25 May 2018. The total cost to Equifax is not known; however, the company is still feeling the impacts of the breach, no doubt along with some of the data subjects whose sensitive data was exposed. Just last week, Moody’s downgraded Equifax’s credit rating, which will have a major financial and further reputational impact on the company, largely due to the 2017 breach.
Now these are high-profile cases exposing millions of customer records, but if we look at the research conducted by the Ponemon Institute, sponsored by IBM, in their report on the 2018 cost of data breaches, they estimate that a data breach involving 1 million compromised records yields a total cost of $39.49 million, and at 50 million records they estimate a total cost of $350.44 million. This was based on data from 11 companies that experienced a data breach, extrapolated using Monte Carlo simulation, and includes the costs of detection and escalation, notification, post-response expenses and lost business.
Although there is no silver bullet, there are a number of things you can put in place to safeguard personal data, protecting your business as much as reasonably possible and providing some assurance to your shareholders, clients, customers and regulators about the safety and security of the data you process.
I’ve helped many organisations with their information risk governance over the past twenty years, including Citigroup, Co-operative Bank and Royal London Group, and my advice is to implement a robust risk management framework, a suitable operating model with skilled resources, a comprehensive training and awareness programme for all staff, an effective data governance model, operational processes, and logical and physical controls.
A good place to start is to look at implementing an Information Security Management System (ISMS) such as one based on ISO 27001, which covers all of these areas.
What is an Information Security Management System?
An Information Security Management System is a combination of resources, policies, procedures and controls to protect the confidentiality, integrity and availability of information. ISO 27001 is a flexible, business-risk-based standard that will fit any organisation, small or large, in any industry.
What are the benefits to businesses of an ISMS?
There are many benefits to implementing and operating an Information Security Management System (ISMS) such as ISO 27001, including:
- Competitive advantage
- Protection of shareholder value
- Client and consumer confidence
- Cost reduction
- Contractual compliance
- Regulatory compliance
- Legal compliance
- Protection of brand and reputation
- Predictive and effective response to security incidents
- Protection of people and assets
- Better understanding of the business
- Maintaining business continuity
- Respect for interested parties/stakeholders
If you really want to provide assurance to your shareholders, clients and customers, have the ISMS certified by an independent body. The certification process is straightforward as outlined below:
- Implementation of the management system – before being audited, the management system should have been in operation for a period of time, usually a minimum of 3 months.
- Internal audit and review by top management – before a management system can be certified, it must have had at least one internal audit report and one management review.
- Select a certification body (Registrar)
- Perform a pre-assessment audit of the management system to identify any gaps against the standard (optional)
- Stage 1 audit – a conformity review of the design of the management system. The main objective is to verify that the management system is designed to meet the requirements of the standard and the objectives of the organisation.
- Stage 2 on-site audit – to evaluate whether the management system conforms to all requirements of the standard, is being implemented in the organisation, and can support the organisation in achieving its objectives. Stage 2 takes place at the organisation’s site(s) where the management system is implemented.
- Follow-up audit – to follow up on any non-conformities raised in the audit before the organisation is certified.
- Confirmation of registration by the registrar and publication of the certificate, subject to meeting the conditions of the standard.
- Continual improvement and surveillance audits – once registered, surveillance activities are conducted by the certification body to ensure that the management system still complies with the standard. The surveillance activities must include on-site visits (at least one per year) to verify the continued conformity of the certified client’s management system.
Where do I start?
Benchmark where you are now against the standard, and determine where you want to be and by when. Obtain stakeholder buy-in and secure your funding, then develop your implementation and resource plan. Get in touch with a specialist to help you through the process.
Don’t feel you have the skills to implement an ISMS in your organisation?
You have options! Either you can train one or more members of staff in your business to develop and implement an ISMS, or you can look to a specialist organisation to do the development and implementation for you and to provide ongoing advice and support once it is implemented.
How can The Specialists Hub help?
The Specialists Hub consultants are experienced practitioners who can help your business through any or all of the stages described above, either by leading the implementation or by supporting and guiding you through the process.
The Specialists Hub is also an authorised training provider of PECB certified ISO 27001 courses and can train your staff members to provide them with the knowledge and skills to support your business going forward with the implementation, operation, audit and ongoing improvement of your management system.
Author: Beverley McGowan, Founder and Consultant, The Specialists Hub Ltd
References: Ponemon Institute LLC, 2018 Cost of Data Breach Study: Impact of Business Continuity Management; Verizon, 2019 Data Breach Investigations Report.