
Avoiding the little mistakes that lead to huge data breaches

(Image credit: Image source: Shutterstock/Ai825)

When GDPR was finally put into motion earlier last year, and the reams of emails associated with it from online retailers finally stopped, many hoped that for EU citizens a new era of improved personal data security was around the corner. The regulation was very much a watershed moment in a debate that has been dominated by increased worries around data misuse and breaches in recent years.

But even in the post-GDPR era, data breaches have continued to dominate the headlines. Most worryingly, these significant data breaches are continuing to happen at major companies that boast huge customer databases. GDPR is a positive regulatory action by politicians to further secure personal data, but organisations must now take practical steps to prevent the simple but common mistakes that cause huge data breaches.

A period of data security dominating the headlines

In October last year, Heathrow Airport was fined £120,000 by the Information Commissioner's Office (ICO) following a data breach that left sensitive personal information exposed. The breach happened after a member of Heathrow's staff misplaced a USB stick containing folders of personal data. On top of this, the USB stick was neither encrypted nor password protected. The ICO added that out of Heathrow's 6,500-strong workforce, only two per cent had been trained in any kind of data protection. This breach could easily have been avoided by encrypting, and then physically securing, a device that contained large amounts of personal data. It is also highly questionable to have a process that requires and allows the use of an external device to store and transport personal data.

One of the most notorious data breaches of a British organisation in recent memory, the NHS WannaCry attack, has something in common with this one: both were caused by mistakes and vulnerabilities that could easily have been prevented. The NHS data breach happened after innocent-looking phishing email attachments were opened, flooding networks with malware that encrypted files containing sensitive personal data of patients. This, coupled with the failure to update NHS systems with the latest security patches, is hard to comprehend and certainly suboptimal.

The incident laid bare just how destructive a data breach can be and ignited fierce debate around data and IT security amongst politicians and in the media.

Despite the WannaCry breach, a recent Freedom of Information request revealed that a quarter of NHS trusts in England and Wales are still failing to give staff specialist cybersecurity training. On average, trusts have just one member of staff with professional security credentials per 2,628 employees. That the NHS is continuing to neglect cyber and data security is truly worrying. Even after a data breach that crippled its entire network, the NHS is still failing patients by not putting enough emphasis on securing personal data.

Fresh approaches to data handling

The NHS and Heathrow breaches are both examples of breaches caused by common mistakes that could have been avoided. However, the reason these organisations were targeted in the first place is the vast amount of data they store. Large databases essentially equate to a large target for hackers, who increasingly see the value in exploiting personal data. As our society becomes ever more data-centric, the risk of a breach happening to organisations, big or small, shows no signs of falling. The savviest organisations will move beyond traditional measures like investing in cybersecurity training for their staff and re-evaluate their overall approach to data handling.

To really put into perspective the sheer volume of personal data being handled by a company today, let's look at what happened to Uber last year. The breach saw Uber pay out $100,000 (£79,000) to hackers to make them delete data that had been stolen from the ride-hailing app. The incident affected a staggering 57 million people, made up of both customers and drivers, and showed what a breach of a modern digital-economy business looks like. For these organisations, whose entire business models are centred around amassing and applying personal data, steps to enforce more secure data handling must surely be taken.

But what do these steps look like? Pub chain Wetherspoons raised eyebrows when it decided to erase its entire customer email database, thus ending all mailing-list activity. This may have been an unconventional move, but an understandable one given the huge repercussions a data breach can have today. Going forward, all organisations must evaluate which areas of data storage can be cut down in volume to reduce the personal data they hold, and thus their overall risk.

Large companies can also take advantage of third-party vendors that offer solutions for outsourcing and improving overall data storage. There are platforms on the market that can assist in handling both data orchestration and compliance. Some of these platforms can work alongside established legacy systems, potentially mitigating not just the risk of keeping all data handling in-house, but overall operational costs as well.

Shifting cultures

Awareness is growing amongst the general population of the importance of securing personal data. Headline-grabbing scandals have made data breaches a hot topic, and all eyes are on what individual companies are doing to keep personal data more secure. For companies to avoid becoming the next data breach headline in 2019, they must reflect on their overall approach to data handling and their internal culture, not just for the sake of customers, but also for the sake of maintaining trust and loyalty.

There are practical changes organisations can make to improve overall data security, but to really counter the risk of a data breach, the correct internal culture needs to be set. It's often the simplest mistakes that cause data breaches, and they can be prevented by those who have data security measures high on the agenda. A collective company responsibility and awareness for data security might have stopped the Heathrow employee leaving an important USB stick lying around (or indeed from having data on a USB drive at all), or stopped NHS employees from falling victim to the classic email phishing scams that opened the door for the WannaCry attacks. Not to mention basic housekeeping with regard to keeping operating systems and virus-scanning software up to date.

Creating an internal culture with good data security awareness requires management to clearly articulate security procedures to all employees, and to emphasise that preventing data and security breaches is a collective effort, one that requires all hands on deck.

Clive Hannon, CCO, Engage Hub