The data breach landscape in the UK has changed beyond all recognition over the last few years. More than four in ten Britons (42%) have been affected in some way by a breach, and their levels of concern are growing.
Cybercrime has become increasingly complex and sophisticated, and unprecedented levels of personally identifiable information are being traded illegally on the dark web. More than 110 million pieces of information were traded in 2014 alone, a 300% increase since 2012. This is mirrored by the rapid growth in identity-related crimes in the UK; identity fraud now accounts for 52% of all detected fraud attempts.
Data breaches have also become far more expensive to deal with. According to research from the Ponemon Institute, the average cost of dealing with a data breach has risen by 26% since 2011, having risen by just 3% in the preceding three years.
But, as Jim Steven, Head of Data Breach Services at Experian, discusses, these changes could well be just the beginning; in reality, the data breach issue is likely to accelerate over the next two years.
We’ve recently completed a new paper, Data Breach Readiness 2.0, which assessed the rapidly changing landscape of data breach in the UK. Not only did we survey businesses and consumers, we also spoke, at some length, with industry authorities including leading lawyers, insurers, digital forensic experts, customer support specialists and crisis communications experts to assess the true extent of preparedness amongst UK organisations should a data breach occur.
From the research, there is no doubt that businesses understand the importance of having strong data security safeguards in place for their organisations. This traditionally takes the form of firewalls, secure sites, compartmentalisation of data, etc. – effectively the walls that are put up to stop unauthorised personnel infiltrating their systems.
However, less time is spent in terms of understanding the threats and vulnerabilities that are not IT-specific. Insider threat and the advancement of cyber-criminals’ techniques mean that businesses have to face the fact that a data breach can and will happen despite the safeguards they put in place from an IT perspective.
The findings highlighted that:
– Four-fifths (79%) of businesses claim that their organisation is prepared to respond to the theft or loss of sensitive information that requires notification to victims and regulators. The same proportion (79%) say they can respond to a data breach involving confidential information and IP;
– However, somewhat less (66%) have an actual data breach response plan in place, with it most likely to cover communications plans (73%), legal (73%) and insurance (60%);
– Of those who do not have a data response plan in place, this is primarily because it is not seen as a priority (51%), as well as lack of budget (19%) or it being outsourced (19%);
– Only 37% of those with a plan say it covers forensics – meaning UK organisations could be leaving their customers at risk of falling victim to a breach again;
– Businesses recognise the risk of customers losing trust in their organisation following a data breach. 84% say they are concerned by this, yet their budgets and plans still focus on insurance and legal rather than forensics and anti-intrusion.
In this rapidly-evolving data breach landscape, businesses have to recognise that strong policies, processes and plans are a key requirement to making an organisation more resilient. We have already seen that business continuity plans have dramatically impacted the speed of recovery within business – and, as such, breach response and disaster recovery plans are no different.
Being prepared makes the impact of a data breach more manageable. Having plans not only in place but tested regularly, in line with staff training, provides a clear path to recovery and helps to mitigate the financial and brand impact of a data breach event. We have found that where companies have a clear plan with senior stakeholder responsibility within the organisation, recovery is not only quicker but the impact on the brand is also minimised: clear, proactive and well-communicated steps to those affected allay concerns and – in some cases – enhance brand loyalty.
There is no escaping the fact that the UK data breach landscape is going to change rapidly over the next two years. The customer must be the number one priority in breach response planning because the financial and reputational consequences of a data breach flow from its impact on customers, and from the business’ effectiveness in managing those impacts.
As a result, the customer response must be embedded through the overall response, not devised as an afterthought. A focus on customer response, reassurance and recovery must drive every aspect of the overall breach response. Ultimately, it must sit at the heart of a comprehensive response plan and act as a vital guiding principle for legal, forensic and crisis communications activity.
By Jim Steven, Head of Data Breach Services for Experian in the UK. Jim helps support organisations through the challenge of data breach response planning and management, helping provide reassurance to businesses and those affected in uncertain times.