Target breach reminder of importance of data security

January 28 is Data Privacy Day, which seeks to raise awareness of the need for everyone – but particularly businesses – to protect the personal data entrusted to them. The deepening crisis created by hackers’ theft of 110m (and possibly more) Target customers’ payment card PINs offers a sobering reminder to all firms of the growing danger of data breaches.

The American retailer is the latest big firm to be targeted in recent years by cyber thieves, after Sony, Adobe, TJ Maxx, Global Payments and Valve, among others. But small businesses shouldn’t assume they are too small to be targeted. It’s true that small firms don’t present the same high-profile target as large corporations, but SMEs don’t necessarily have the same robust defences either, which can make them more vulnerable to attack.

One strain of a particular class of malicious code (malware) known as ransomware, called Cryptolocker, has swept the internet recently. It specifically targets computers running Microsoft Windows and probes firms’ systems in the same way a car thief tries vehicles in a car park to see if any have been left unlocked. It infects any vulnerable PCs it finds and encrypts all the files held on them. A demand then appears, offering to solve the problem in return for a ransom of two bitcoins, the equivalent of several hundred pounds.

Small firms can be big targets

According to the 2013 Information Security Breaches Survey, conducted on behalf of the UK government, 87% of small businesses suffered a security breach in the past year, up from 76% in 2012. The average number of breaches they suffered also increased during the year, up to 17 from 11 the previous year. The average cost was between £35,000 and £65,000.

Barely more than half (54%) of the small businesses surveyed in the report have a formal, written information security policy, even though 57% reported they had suffered security breaches involving their staff – normally misuse of the internet or email. Companies without a security policy, or where the policy isn’t well understood by staff, are much more likely to experience a security breach caused by an employee.

But the right tone has to be set at the top of the business, the report states. If a company’s senior management takes data security seriously, its defences tend to be stronger. Yet the report found that few small businesses have implemented the government’s “Ten Steps” advice on IT security.

New European regulation on way

European lawmakers have proposed a new European Data Protection Regulation, which aims to force companies to tighten up how they store and process customers’ personal information.

The new regulation, which is due to come into force in 2015, would require data protection safeguards to be built into all products and services and make privacy settings the default rather than an option. It would also force companies to get explicit consent from people before using their personal information and, where there are no legitimate grounds for retaining it, to delete their details from their databases.

Firms would also have to notify their national information regulator of all data breaches they suffer, and to inform their customers quickly if their personal data may have been lost. Under the new regulation, the fines for any company found guilty of poor security that leads to a data breach would also be much higher – up to €100m or 5% of global turnover.

The potential extra embarrassment – and expense – involved in admitting a data security lapse under the new European rules is likely to be a powerful incentive for firms to tighten up their data security. But every company should already be making sure that the data it stores is safe and its systems secure, rather than waiting until the law is implemented in a couple of years’ time.