Guess who doesn’t consider British Airways “the world’s favourite airline”? If you said the UK Information Commissioner, give yourself a congratulatory pat on the back!
Last week, BA got slapped with the biggest data breach penalty in UK history for leaking the data of 500,000 customers last year, weighing in at a staggering £183 million. This is up significantly from the previous largest fine, which was imposed last year on Facebook over the Cambridge Analytica scandal and set at £500,000. I suspect Zuck is counting his lucky stars nobody managed to delay the reporting of their breach. I think he would be financing the NHS for the next decade if they had.
Security Now, Or Sorry Later
If nothing else, it should put companies on notice that skimping on your security and saving a few pounds is going to be a false economy.
My reflection, over the last year, is that since the introduction of GDPR I have seen little real change in clients' attitude to security. Getting simple security measures in place still requires a great deal of persuasion.
Hearing of folk who have been breached is a weekly, if not daily, occurrence, but almost without exception the issues are simple, easy-to-fix, known issues that could have been avoided. The biggest reason I see is that IT teams struggle to get the reality of things across to their board of directors.
An Easy (But Effective) Checklist
The real message is board-level engagement, and there are a few questions you really need to be asking if you are on a board of directors.
1. Do I have a password policy (a good one)?
2. Have I multifactored 100% of my user accounts? If not, this is an absolute must.
3. Have I encrypted any data that leaves the company (e.g. USB keys, hard drives, laptops)?
I’m not suggesting this is everything, perish the thought. However, if you don’t have these done, it’s best to walk before you run. These are simple and very effective. The more conscientious among you could do worse than implementing properly the Cyber Essentials or Cyber Essentials Plus accreditation.
· 81% of data breaches were the result of POOR passwords. (See question 1.)
· >90% of data breaches are the result of some issue with passwords. (See question 2.)
If you just made sure that you had questions 1 and 2 done, your risk drops by 90%. Those facts are hard to argue with. I wouldn’t even waste your time trying to explain to the data commissioner why you haven’t done them; just get your big boy pants on and get out your cheque book.
As always, we exist to provide IT help and support, so if you need it, we would love to help you improve your security.