Earlier this month, payday lender Wonga was the latest in a line of British firms to suffer a major security breach, with around 270,000 customers thought to have been affected across the UK and Poland.
With so many bank account details and personal information put at risk, this incident was one of the largest attacks against a British company regarding financial information. Two weeks down the line, the firm has now been in touch with all its customers who may have been affected, and has set up a help page on its website for those concerned that their details are no longer secure.
Although Wonga insists that its security was of the “highest standard”, something – or more likely, someone – clearly slipped through the cracks. Businesses in any industry must take note of these high-profile breaches and commit to regular reviews of their cybersecurity strategies to ensure their organisations are as protected as possible.
Prevention is the cure
Businesses are continuing to face increased regulatory burdens when it comes to the protection of their customers’ data. All UK businesses need to comply with the Data Protection Act, but each sector faces its own regulatory pressure for cybersecurity. Wonga, for example, must comply with rules set out by the Payment Card Industry (PCI) and the Information Commissioner’s Office (ICO) when it comes to data protection, but any sector-specific regulatory body can take enforcement action and fine an organisation for not keeping its customers’ personal information safe.
Aside from keeping regulatory compliance in mind, firms must also continue to modernise their systems to ensure that their data is kept under lock and key. For those unsure of where to begin, a good starting point is the ISO 27001 standard. As a recognised industry standard for IT security, it gives firms the opportunity to assess their vulnerable assets – this could be customer information, company data, and even the firm’s reputation itself. Once these have been reviewed, controls are then assigned to ensure that these assets are protected, and processes are continually monitored to keep them secure.
Another preventative element for businesses to consider is the creation of an Information Classification Policy, or ‘ICP’. Using this model, firms can assign a risk level against any sensitive information on their systems and clearly lay out the controls and appropriate internal resources for securing this data. The ICP route also allows firms to see where any requirements for data encryption, storage, or transition onto new systems may be needed.
Looking outside of technology
Tools such as the ISO 27001 standard and an ICP can go some way towards boosting IT security within an organisation, but do not by any means complete the cybersecurity puzzle. When it comes to improving cybersecurity, employees also have a vital role to play.
There are two sides to this coin, however. One concerns the human vulnerabilities associated with cybercrime – as efficient as a firm’s cyber strategy may be, one simple mistake from an employee can render these defences useless.
By responding to a phishing email or falling for a convincing scam phone call for example, staff can provide hackers with all the information needed to access their firm’s internal systems. Once inside, hackers can effectively steal whatever information they need, safe in the knowledge that the server believes their actions to be carried out by a trusted member of staff.
Firms can go a long way in strengthening their cyber defences by making employees aware of the potential threats, and educating them on how they can spot, block and report any suspicious activity before it inflicts significant damage.
The second part involves internal threats, as many cyberattacks are carried out by a disgruntled employee within the company. Again, education, as well as systems, is important here, as these internal breaches can often be avoided if employees are able to recognise when a colleague is acting or working oddly.
Firms should consider promoting a culture of self-regulation in this regard, so that rogue workers can be identified and reported before their breach efforts are successful. Managed effectively, this would bolster a company’s cybersecurity by reducing the strain on its defences and ensuring the focus is on external threats.
Given that cyber threats are continually evolving, firms not only need to consider the resources and strategies for tackling a cyber-attack, but also their business continuity plans for getting back on track if the worst should happen. In order to achieve this goal, an organisation’s senior management team must take responsibility for its IT security and take steps to understand the security risks facing the business, as well as the impact that a breach could have.
Cybersecurity and business continuity both require ongoing attention. By considering these strategies in tandem, firms can help to mitigate both the cost and impact of data breaches, enabling a business to take immediate action if its IT system has been compromised.
There are three key elements of a business continuity plan: resilience, recovery and response. To guarantee the first, firms will need to ensure that their critical business functions will be largely unaffected by a cyber-attack.
For many businesses, day-to-day activity can continue in the wake of a data breach, but further arrangements must be put in place to recover data and restore less critical business functions as quickly as possible. Most importantly, organisations will need to ensure that their employees are ready and able to cope effectively with a cyber breach – again, this comes down to effective staff education.
As with any high-profile data breach, the Wonga hack has demonstrated the clear effect a cyber-attack can have on a firm’s reputation, not only with its existing customers, but also with potential customers in the future. For this reason, it’s vital for firms to have robust cybersecurity and business continuity plans. Failing to take these precautions can have a major impact on a company’s finances, reputation and future business development should a regulatory body decide to take action.
Robert Rutherford, Chief Executive Officer, QuoStar