The value of data has never been more apparent. Since the last Data Protection Day in January 2018, there has been a significant shift in how data is regarded, utilised and protected. The Cambridge Analytica scandal highlighted the reputational pitfalls that companies face when they attempt to profit from data, while the advent of the General Data Protection Regulation (GDPR) outlined the severe penalties incurred if such companies misused it. Recently, tech giant Google was fined €50 million for failing to be transparent in how it collected data to personalise advertising. Facebook is also facing potential billion-pound fines from the Federal Trade Commission (FTC).
In addition, several high-profile data breaches have highlighted that even companies that are held in high esteem and regularly trusted with sensitive personal data are successful targets of cyberattacks. As a result, companies are entering 2019 with a much warier customer audience, who have a better understanding of how much their data is worth, what their rights are if personal data is collected without their consent, and greater concern that their data will be exposed to bad actors. The financial and reputational impact can be staggering if companies fail to get data protection right, affecting the way they operate in future.
The role regulation plays
One of the biggest impacts of the European Union’s GDPR was that it forced companies to consider what personal data they held and requested, where this data was stored and whether it was really needed. The reasons for holding this information also became important, as organisations now had to prove that they were handling, processing and protecting it properly. The Marriott data breach last year represented a great example of too much data being collected and retained, without a clear business case. Data was requested and stored without proper justification or the appropriate measures in place to protect it. Unfortunately, it was only when this data was exposed that the implications of this mismanagement came to light.
Consumer data is too easily sold from one company to the next without the customer’s knowledge. When a company (such as Equifax in 2017) is hacked, it can impact people who are unaware where their data is stored. This business model may be profitable in the short term but can lead to issues further down the line. This is why regulations such as GDPR are essential. However, as businesses are forced to control their data much more tightly, they can appear to be fully compliant whilst still not fully addressing security risks. Regulation can only go so far – if businesses focus on best practices for cybersecurity and data protection, and combine this with compliance, they will be giving themselves the best chance of business success, whilst protecting their customers and their data.
When data gets into the wrong hands
Following a successful cyberattack, username and password combinations regularly end up for sale on the dark web. Recently, 620 million accounts stolen in 16 high-profile breaches that occurred in 2018 (including MyFitnessPal) showed up for sale on the dark web.
Nefarious individuals can purchase personal data for as little as $3 and utilise this information to gain network access to an organisation to deliver a malicious payload or perform cyber espionage. This self-perpetuating cycle tends to amplify successful attacks, with effects that reverberate for months or years.
A new perspective
Businesses need to recognise that the events of 2018 have shaped attitudes towards data protection and a comprehensive approach is needed to keep data safe. Rather than view data protection as a box-ticking exercise, it should be a key priority and integrated into every aspect of the business to ensure comprehensive coverage and consistency.
To maintain trust and protect reputations, a multi-layered security strategy is needed, which also incorporates transparency. Customers should be aware of how, where and why their data is being used. This year, the recurring theme of data protection should represent both a reminder and opportunity for businesses to ensure that their processes stand up to scrutiny.
In addition, they should strive to have an open dialogue with their customers to educate them on how their data is being used and ultimately protected. A continuous commitment to this approach will go far in maintaining trust and bolstering reputation, even if an incident occurs.
Matthew Aldridge, Senior Solutions Architect at Webroot