Data – The new business risk

Date published




A common phrase now used in business is that “data is king”, with businesses being encouraged to collect data and spend time and money interpreting it. I wonder why?

Is it to provide insights into the business or of customer behaviour and help predict future performance? The collection of data can, however, create as many negative issues, as it might create positive opportunities if it is not handled securely and appropriately. According to the 2018 Cost of Data Breach Study, the average cost of a data breach is around £2.95m, with an average cost per lost or stolen record of around £113. So what are these costs made up of? As well as significant fines, there are costs associated with reputational damage, customer loss, a fall in share price and the general costs associated with returning to business, as usual. Small or medium-sized enterprises (SMEs) often think they are immune from these costs and risks and that their size means they will not be on the radar of would-be hackers and cybercriminals.

The importance of protecting data

This is not correct and some of the most high profile recent hacks, resulting in data being leaked, have been found to have occurred via access through the SME supply chain. Cybercriminals have learnt that it is much easier to gain access to much larger businesses, who may have sophisticated IT systems and protections in place, through their supply chain. In 2019, it will become increasingly important for businesses to be able to demonstrate what safeguards and controls they have in place and how they manage and protect data.

It is anticipated that in the modern fast-paced business world, criminals will take advantage of technological developments for their own ends. This may include the increased use of robots (bots) for data extraction and reporting, which may result in the bot securing unchecked access to critical systems and data. So the potential commencement and proliferation of cyber attacks by bots is something we should all be aware of in the year ahead. Such attacks are not just limited to private businesses. On 20 December 2018, the Government said that a group known as APT10 acted on behalf of the Chinese Ministry of State Security to carry out a malicious cyber campaign, targeting intellectual property and commercial data in Europe, Asia and the US. It said that the campaign focused on large scale service providers and warned that the group is continuing to target global companies in a bid to steal business secrets.

The Foreign Office commented that it was clear that in some cases, basic cybersecurity measures had still not been taken, enabling the cyber intrusion to take place, targeting trade secrets and economies around the world. So it is important for businesses of all sizes to properly assess where the risks are in their business and what steps they can take to protect against cyber attacks. The reality is, no matter what the size of the business, it is a potential target. In the same way that health and safety have been prioritised as a key business risk, business owners need to look at where the exposures lie in their business and what the current cyber risks are. This needs to be done on a very regular basis and the review of these assessments needs to be directed to and undertaken by the Board. Handling a cyber attack will be something that more and more businesses will have to encounter in the coming months.

Taking necessary steps

It is essential that the threat of a cybersecurity attack is built into disaster recovery plans so that a business can act quickly and effectively in the event of an attack. This should ensure that the business can demonstrate everything possible has been done to protect data and particularly the private data of clients, customers and staff, which in turn will help minimise any reputational damage at the risk of fines.

Taking these two vital steps will mean that if your business suffers an attack, it will be able to react immediately and put its disaster recovery plan into action, with all of the company’s Board and senior management team being clear, as to the steps that need to be taken. Most damage is done in the first twenty-four hours and so the ability to react decisively and immediately is critical.