For a very long time, many people far smarter than me have been regularly predicting a “tipping point” in the public’s tolerance for their personal data being either used with impunity or disclosed as a result of the woeful security infrastructure of its recipients. It’s always been a matter of a misfortune which simply happens to other people, regardless of high-profile hacks involving Sony (both its movie and PlayStation arms) and others.
All that may, however, be about to change as a result of more recent examples of huge swathes of personal and financial data being appropriated by what look to be a number of teenage hackers out to simply cause trouble rather than get rich quick. Having chaired Manchester Law Society’s inaugural Cybercrime Conference today, I can tell you without exaggeration that the scale of the threat which cybercrime and data breaches pose to your businesses is huge, and the speed at which it moves has the potential to outrace and potentially destroy a reputation you’ve worked so hard to build, if not your business itself. It remains to be seen how the anticipated compensation claims against TalkTalk from users whose details have been used in a manner which causes them harm or loss play out, but some commentators believe that they may ultimately bring one of the UK’s biggest telecommunications businesses to its knees.
You may rightly point out that you’re not Sky and that you’re not at anywhere near the same level of risk, certainly if you don’t take payments online. You’d be half right. If your website is transactional or links into your key systems, it’s a source of vulnerability. Phone-based scams are still leading to millions of pounds being misappropriated from businesses up and down the length of the UK, and even your staff’s social media activity can help increasingly smart hackers to “socially engineer” the very advocates spreading the good word about what you do.
So, where to start and what to do? Plan, train, and review – all in peacetime. Much as you have an IT policy, get a social media policy and educate your staff on what not to overshare. Think about disaster recovery and how you may or may not survive if your whole IT network is the subject of a concerted attack. Most importantly, however, put cybercrime and data security on your agenda. You may think that it’s the new health and safety, but it’s already pervasive and only likely to become more so as a result of legal reform at the EU level which may see the maximum penalty for a data breach rise from £500,000 to a percentage of your turnover. Having a data protection strategy and policy will at least prepare you for what may be a harsh new regime when the debate in Brussels ends.
Data is power, and absolute power can corrupt your reputation if data isn’t treated carefully. Your clients will expect nothing less and will vote with their feet if their trust in your security and use of their data proves misplaced, along with their credit card details.