The data breach suffered by eBay in May, in which 145 million customers’ personal details were stolen, shows that even a tech giant can fall prey to hackers. But cyber hackers don’t discriminate, no matter whether you’re a big company such as eBay or a two-man startup. Indeed, in a government report issued earlier this year, 60% of small businesses surveyed said they had suffered a data breach in the past year.
According to the report, even though the number of breaches had dropped slightly, the average cost of the worst attack was between £65,000 and £115,000, up from between £35,000 and £65,000 in 2013, while 59% of those surveyed said they expected to see more cyber security incidents next year.
The government is taking steps, especially when it comes to protecting SMEs. As well as launching a Cyber Streetwise campaign, it has also developed a Cyber Essentials accreditation scheme in conjunction with the industry that’s aimed at encouraging businesses to reach a basic level of cyber hygiene.
But even with training, and even if you take steps to mitigate the risk, it’s still possible to suffer a data breach.
Is your firm’s data secure?
One data breach from last year struck me as a particularly interesting case. Jala Transport, a small North London moneylender, were fined £5,000 by the Information Commissioner’s Office (ICO) for a data breach.
This case was particularly unfortunate, as the breach occurred when the owner’s briefcase was stolen from his car when he stopped at a junction. The briefcase contained the unencrypted personal details – including names, addresses, phone numbers and passport numbers – of approximately 250 company clients.
Even though Jala were victims of a crime themselves, the ICO’s message from the fine was clear – if you endanger customers’ personal information by not taking basic security measures, then you will get fined, whether this is for transporting unencrypted data or leaving your company’s servers open to a hack. And the cost of the fine won’t take into account the reputational damage that your firm could suffer by receiving an ICO judgment.
Tough new European law on horizon
While there’s a carrot and stick approach in this country, as shown by the government support combined with ICO fines for those who don’t take basic security measures, the landscape for all businesses will change next year when new EU regulation comes in.
It’s expected that these laws mean companies will have to report every breach to the data commissioner no matter how small, which will have a significant impact on all businesses. We’re increasingly seeing cyber issues in the press but one expert in this area of the law recently told me that, in his opinion, just a fraction of the data breaches that occur are currently being reported to the ICO by the companies involved.
This reporting requirement is one of several big changes the European Data Protection Regulation is proposing to introduce – a sweeping measure that radically changes the continent’s data protection laws and which, if passed, companies of all sizes should prepare for, or risk heavy fines.
The hope is, firstly, this will encourage businesses to take cyber risks more seriously, but also that it will promote the EU as a safe environment for data and offer it a competitive edge over less secure areas. However, this is all underpinned by strict obligations for all companies.
Government- and EU-endorsed schemes are just the first steps, though, in an issue that’s growing and won’t go away. Cyber security insurance is available and offers a certain level of peace of mind, but it doesn’t override the need for any business, no matter how large, to ensure their data is secure.
The cost to any business that suffers a cyber attack goes far beyond the repercussions outlined above. They’ll also need to take time to investigate how the breach occurred as well as handle the reputational fallout. For a small business especially, this takes time and money.
It’s worth emphasising that there’s no such thing as a risk-free firm, particularly when it comes to cyber security. If eBay can fall victim to a hacker attack then so can any business.
Security measures are easy enough to put in place. They might cost your business a little more, but those costs are likely to pale in comparison with a regulatory fine or the impact on your firm’s reputation if you do suffer a data breach.