Risky Business – The importance of reducing your exposure
Being a business owner is now riskier than it was in the past. Why is this?
The simple answer is that there are more threats to your business than there have ever been. I am not going to cover the current commercial risks facing businesses, as these are outside my area of expertise. However, it is clear that these are also increasing, especially with the current cost of living crisis that we all have to manage.
What I am going to discuss in this blog are the risks relating to the business and its data: risks that are ever increasing because of both the threat landscape and the growing burden of compliance.
What are the key business data breach risks?
There is an ever increasing risk that your business will be subject to a successful cyber-attack from an external source:
Cyber-attacks are on the increase across the UK and the EU.
The technical complexity of cyber-attacks is increasing, and traditional methods of defence are becoming less effective.
Well over 50% of organisations suffered a successful cyber-attack in the last three years.
Many of these attacks resulted in both significant financial loss and business disruption.
Most executive boards now insist that cyber security objectives are included in C-level job descriptions, according to a recently published Gartner report.
If the cyber-attack involves personal data, there is a strong likelihood that it will have to be reported to the relevant regulatory authority. A reportable breach exposes the organisation to regulatory investigation and, where a breach of data protection legislation is found, to potential fines of up to £17.5m under the UK GDPR (€20m under the EU GDPR) or 4% of annual global turnover, whichever is higher.
Organised crime groups are extremely active in this space, becoming better organised and collaborating on technology and methods of distribution.
The risk of a successful cyber-attack isn't a case of 'if' it will happen; it's a case of 'when'.
The Insider Threat
There is a growing risk to business operations and data from an internal resource becoming an insider threat actor: someone who commits acts that damage business operations or compromise access to data and systems.
Typically, the insider threat comes from internal resources who, for whatever reason, are inclined to commit acts that harm the organisation.
Their inclination to commit damaging acts can be based upon:
General discontent with their job role
The potential for financial gain
Coercion from criminals, in the form of threats made against them, their family or their friends
Insider threat activity is often undertaken by individuals in roles of authority or with privileged access to key business systems.
Such activity can be very hard to detect, and is therefore often seen as low risk by the individual undertaking it; in other words, there is a perception that they will 'get away with it'.
The resulting damage often includes:
Disruption to key business services and to access to data and systems
Financial loss due to the impact on business productivity
Financial loss due to the payment of ransoms
Reputational damage due to all of the above
Breach of Compliance
It is now harder than ever to operate a fully compliant business. Most businesses now operate within the boundaries of an acceptable level of Health & Safety compliance; this is well established and understood. However, data protection compliance and the impact of new legislation are far from clear to most businesses, even the larger ones.
Stronger data protection laws were introduced across Europe in May 2018.
These changes mean that businesses and their Owners / Directors can be subject to litigation and substantial fines, running into millions.
The chances of being found non-compliant are ever increasing, for the reasons below:
Cyber-attacks are increasing in both frequency and success rate.
Employees are using data protection legislation as a tool in grievance cases, especially when they know that their employer isn't compliant.
Data subjects, i.e. the individuals whose data the business processes and controls, have increased rights under the new legislation.
Brexit is causing UK and EU data protection legislation to diverge. This is resulting in confusion, with a strong likelihood that UK based organisations will be found non-compliant by their EU partners.
Customers are legally required to undertake due diligence on the compliance status of their suppliers, so non-compliance can cost you business as well as fines.
The impact of being found non-compliant is serious: heavy financial penalties, loss of reputation and potentially direct litigation against any individuals found to be negligent.
It's a difficult business environment. However, failing to address these business data breach risks is not only likely to put you in breach of the law, it is also highly likely to result in some form of damage.
Data Privacy Services takes a pragmatic approach to risk mitigation. There are many ways to do this, as outlined on our website. To start with, undertake our self-assessments to see where you are currently positioned. We are happy to arrange a free consultation with one of our experts.
Risk mitigation is vital in reducing your business risk exposure!