Jim Steven on why no data-handling business should operate without a response plan for data breaches that is internally understood, policed and practised.
You don’t see it coming and you may never know who’s behind it or exactly how badly you’ve been affected… until it’s far too late. UK SMEs are under threat from data breaches, and this is a significant problem which is set to scale outwards as criminals find new ways to digitally delve into organisations for increasingly valuable personal information.
A recent study by Experian UK revealed that British SMEs are unclear about the risks and subsequent costs of a possible breach, indicating small businesses are unprepared for growing cyber crime threats. One surprising statistic shows that almost 30 per cent of businesses have no plans in place to deal with security threats.
Experian’s SMEs Under Threat study raises further areas of concern for businesses, indicating that many UK SMEs would not survive a data breach because they underestimate the true financial impact. According to government statistics, a data breach costs a small business around £310,000, but SMEs surveyed believed the cost to be £130,000 less, at only £179,990.
Given the potential impact of a data breach, and the limelight major cases receive, it seems surprising that businesses are not massively invested in planning for and combatting the effects of all-too-regular data breaches.
So why are businesses not planning for such events in a world which is so dominated by cyber-crime, which is rarely out of the headlines?
“It’ll never happen to us”
Among those without a plan in place to deal with such security threats, 51 per cent didn’t consider a response plan to be a priority, while 39 per cent believed they weren’t at risk.
This has uncovered a highly evident ‘it’ll never happen to us’ mind-set among Britain’s most vulnerable businesses, highlighting a lack of awareness of just how much they are at risk. Many small businesses are often time and resource starved, indicative of the pressures facing them which will only escalate should a breach occur.
Furthermore, despite increased media coverage of high-profile breaches, many top executives are still under the impression that their organisation has no valuable data and will not be targeted. This false belief could have devastating consequences, as simply being connected to the internet makes any company of interest to cyber criminals.
To the crooks and fraudsters any accessible company is a resource that could be exploited and discarded, simply because it is there. And once they are in, they will take whatever they can or hold the organisation to ransom in order to make a return on their time investment.
The issue of cost
Some companies face financial difficulty that leaves them without a proper plan in place: the research found that 20 per cent of companies just didn’t have the budget to create one. While it’s understandable that smaller businesses may feel they lack the resource or expertise to prepare for a data breach, they are also likely to be among the most vulnerable, as they won’t have the expertise and budget to gold-plate their security.
The true cost of a breach, whether due to sophisticated cyber crime or basic human error, is far higher than the cost to design and implement a plan – and generally far worse than companies tend to imagine.
Many firms are still struggling to put in place or identify exactly what their response to this ever-increasing threat should look like. They feel overwhelmed by the threat, and given the size of the problem, end up underplaying the value of the clear solution – a data breach plan.
Although companies may understand why they are attractive to cyber criminals, it’s clear that a data breach plan can seem overwhelming to some. But businesses plan for all sorts of eventualities, like fire, theft or employee grievances. As with other risks, it’s sensible to assume that a business will be targeted at some point, potentially even breached, and so there is every incentive to plan ahead accordingly.
Pre-empt the catastrophe
Part of the trauma of data breach disasters stems from the lack of preparation. Plans become reactive, when really they should be proactive. As the saying goes, spend less time trying to close the door after the horse has bolted. Lock that door first!
Focus on training employees around cyber awareness and the potential risks and scams they could face. Make sure they understand that they play a vital role as the ‘first line of defence’ for any organisation. After all, over 70 per cent of the time, successful data breaches have been the result of something an employee has inadvertently done. Just as vital to this is the task of raising awareness among your customers. Make sure they understand the ways fraudsters might get hold of their data and what they can do to protect themselves.
And finally, test the plan. This is just as important as having one in place.
A detailed data breach response plan is not only instrumental in decreasing the likelihood of attack, but also can substantially reduce the amount of organisational chaos and the valuable time wasted in dealing with the confusion. With the ever increasing threat of data breach, it is essential to employ a proactive data breach plan in order to prevent significant damage to not only a company’s finances, but their operations and reputation too.
No business would go without a fire drill plan, and soon no data-handling business will operate without a data breach plan that is internally understood, policed and practised.
Jim Steven is head of data breach services at Experian.