Not more than a month goes by before another major data hacking scandal is thrust into the public domain. A recent report from Symantec revealed that, last year, the number of reported data breaches increased by 23%. Sector by sector, the largest penetration of breaches occurred in health services.
Meanwhile UK businesses seem worryingly unprepared to protect the personal data of their customers.
Both in the UK and across the globe, very few companies are addressing the major issue of organisational insiders (“Insider Threats”) taking advantage of their access to sensitive data.
A survey conducted by cyber security specialists Imperva showed that 36 percent of companies had experienced security incidents involving malicious employees in the past 12 months.
The Insider Threat problem is widespread, too; thousands of businesses in retail, health, insurance, travel and education have all become victims in the last 12 months alone. The Cyber Claims Study by NetDiligence reported that insider involvement accounted for 32 percent of the claims.
The recent data breach at Three Mobile is a prime example of a credential-based attack through the Insider Threat route. Hackers accessed Three’s customer upgrade database using an employee login to fraudulently acquire mobile handsets.
With the EU General Data Protection Regulation coming into force from 2018, UK companies that suffer a breach could face fines of up to €20 million, or 4% of their global turnover. Tesco Bank, which recently suffered an estimated £2.5 million loss through the hacking of its customers’ bank accounts, illustrates what is at stake.
Tesco Bank had a turnover of £955m in the year to the end of September 2016, but Tesco PLC, the bank’s parent company, filed a turnover of £48.4bn. That could subject the company to a fine of as much as £1.94bn had the new EU regulation been active today.
It’s clear then that the prevention of data breaches should be a primary concern for organisations, with Insider Threats a serious risk that companies need to be equipped to protect against.
But Insider Threat is not new. According to its CEO Noel Biderman, a disgruntled ex-contractor was responsible for the well-documented Ashley Madison data breach in 2015 where 37 million of its members’ personal details and sexual fantasies were stolen and published online.
In an article published in the International Business Times, John McAfee, founder of the McAfee antivirus company, proclaimed, “Ashley Madison was not hacked… [it was] an inside job”.
Symantec estimates that over half a billion personal information records are stolen or lost each year. The total reported identities exposed were reckoned to be 429 million in 2015, representing an increase of 23% on 2014.
Customer data, employee information, intellectual property and financial information are amongst the main targets for deliberate data theft, with the sensitive data most often extracted in everyday file formats such as Word documents, spreadsheets, images and PDFs.
Organisations need to increase their focus on data security and data loss prevention (DLP).
To implement a DLP strategy, organisations need first to identify their most important data and classify it according to its sensitivity. Data classification is widely regarded by data security experts as the foundation for a solid DLP strategy, providing protection against both insider and external threats.
This data-centric approach sets controls for not only who can access the data, but when, why and to what level, as well as providing a foundation for employee education and a culture shift towards better data management and improved protection of sensitive data.
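The following is an added illustration of the data-centric approach just described, written for this article and not code from Boldon James or any product. It assumes a constructed four-level label set (PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED), a constructed list of egress channels with the highest label each may carry, and constructed business hours; each request is evaluated on who is asking (clearance), why (declared purpose), when (time of day) and to what level (the document's label), and every decision produces an audit line so that denied attempts are visible to security operations.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time
from enum import IntEnum


class Label(IntEnum):
    """Ordered sensitivity labels; a higher value means more sensitive (assumed scheme)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Document:
    name: str
    label: Label
    purposes: frozenset[str]   # business purposes the data may be used for


@dataclass(frozen=True)
class User:
    name: str
    clearance: Label           # highest label the user may read
    purposes: frozenset[str]   # purposes the user's role covers


@dataclass(frozen=True)
class Request:
    user: User
    doc: Document
    purpose: str               # why the data is being accessed
    channel: str               # where the data would flow to
    when: datetime             # when the access happens


# Highest label allowed to flow over each channel (constructed policy values).
EGRESS_CEILING: dict[str, Label] = {
    "internal_share": Label.RESTRICTED,
    "external_email": Label.INTERNAL,
    "usb": Label.PUBLIC,
}
BUSINESS_HOURS = (time(7, 0), time(20, 0))   # constructed working window


def decide(req: Request) -> tuple[bool, str]:
    """Evaluate who/when/why/level against the document's classification label.

    Returns (allowed, reason). The reason is phrased for an audit log so that
    a denied request is recorded rather than silently dropped.
    """
    if req.doc.label > req.user.clearance:
        return False, f"clearance {req.user.clearance.name} is below label {req.doc.label.name}"
    if req.purpose not in req.doc.purposes:
        return False, f"purpose '{req.purpose}' is not permitted for {req.doc.name}"
    if req.purpose not in req.user.purposes:
        return False, f"{req.user.name} has no role covering '{req.purpose}'"
    ceiling = EGRESS_CEILING.get(req.channel)
    if ceiling is None:
        return False, f"unknown channel '{req.channel}' is blocked by default"
    if req.doc.label > ceiling:
        return False, f"label {req.doc.label.name} may not leave via {req.channel}"
    start, end = BUSINESS_HOURS
    if req.doc.label >= Label.CONFIDENTIAL and not (start <= req.when.time() <= end):
        return False, f"{req.doc.label.name} data outside business hours needs approval"
    return True, "allowed"


def audit_line(req: Request, allowed: bool, reason: str) -> str:
    """One structured log line per decision, in a form a SIEM can parse."""
    verdict = "ALLOW" if allowed else "DENY"
    return (f"{req.when.isoformat()} {verdict} user={req.user.name} doc={req.doc.name} "
            f"label={req.doc.label.name} purpose={req.purpose} channel={req.channel} "
            f"reason=\"{reason}\"")


def demo() -> list[str]:
    """Constructed sample: a customer-upgrade export and two members of staff."""
    upgrades = Document("customer_upgrades.xlsx", Label.CONFIDENTIAL,
                        frozenset({"upgrade_fulfilment"}))
    alice = User("alice", Label.CONFIDENTIAL, frozenset({"upgrade_fulfilment"}))
    bob = User("bob", Label.INTERNAL, frozenset({"upgrade_fulfilment"}))
    day = datetime(2017, 3, 6, 10, 30)
    night = datetime(2017, 3, 6, 23, 15)
    requests = [
        Request(alice, upgrades, "upgrade_fulfilment", "internal_share", day),    # legitimate use
        Request(alice, upgrades, "upgrade_fulfilment", "external_email", day),    # label too high for channel
        Request(bob, upgrades, "upgrade_fulfilment", "internal_share", day),      # insufficient clearance
        Request(alice, upgrades, "marketing", "internal_share", day),             # purpose not permitted
        Request(alice, upgrades, "upgrade_fulfilment", "internal_share", night),  # outside business hours
    ]
    return [audit_line(r, *decide(r)) for r in requests]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The checks are ordered so that the cheapest and most decisive one (label versus clearance) runs first, and the channel ceiling is what turns a classification scheme into a data loss prevention control: the same user who may legitimately read a confidential spreadsheet is stopped from sending it over external e-mail, and the denial is logged with a reason.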
John Ward, Marketing Manager from data classification experts Boldon James, comments: “Increasingly we are hearing about data breaches not only originating from malicious intent on access to data that should otherwise be restricted, but also through an individual’s error. With recent news highlighting what the associated fines would equate to for these breaches through the forthcoming General Data Protection Regulation, organisations are waking up to the severity and implications of such breaches. Through the education of the workforce on the handling of data, increasing data security awareness organisation-wide and implementing a solid data classification strategy, the likelihood of these data breaches happening is significantly reduced.”
Company Name: Boldon James Ltd
Contact Person: David Langton
Country: United Kingdom