Regulation & Reputation

How your business could be the victim of cybercrime and still get fined.

The weakest link.

Anyone can be a victim of cybercrime without any of their own systems being breached. When you share your data with others, in order to receive products or services, your ability to keep your data safe is only as strong as the weakest company holding your data.

This is why when the GDPR took over from the Data Protection Act and others, the emphasis was placed on businesses to adequately protect customer data or be deemed liable themselves if that data was lost.

As such, even if you are a victim of a deliberate hack, if you are not deemed to have adequately protected customer data, you could face fines.

In the world of cyber security, you are only as strong as your weakest link.

British Airways fined £20m for inadequate cyber security.

In October 2020 the Information Commissioner’s Office (ICO) who enforce the GDPR, fined British Airway £20,000,000 for failing to protect the personal and financial details of over 400,000 customers:

British Airways were themselves the victim of a cyber security attack in 2018, which it did not detect for more than 2 months. In that time the hackers were believed to have gained access to the personal data of approximately 429,612 customers and staff, including names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.

The ICO fine reflects both the seriousness of the breach, and the lack of seriousness with which BA treated their cyber security responsibilities.

Information Commissioner Elizabeth Denham said:

“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

And it’s not just big international brands that are falling foul of ICO fines. Law firms, builders and pizza restaurants have all recently fallen foul of ICO fines.

How can I better protect customer data?

In their ruling against British Airways the ICO unearthed a number of inadequacies, but focused in on three main areas of failure:

• protecting employee and third party accounts with multi-factor authentication.
• limiting access to applications, data and tools to only that which are required to fulfil a user’s role
• undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems;

Let’s take a look at these in more detail:

Multi-factor Authentication.

Multi-factor authentication (MFA) makes it much, much harder for hackers to gain access to your systems simply by having, or guessing the password.  The implication is that BA did not have MFA enabled, so it was easy for the hackers to gain access to their customer’s data.

Many providers, like Microsoft, will only allow access via MFA, whilst others allow it as a choice.

We advise where MFA is available you should always use it. If MFA is not available systems you use that hold important business or company data, take a look at other ways to provide extra security, or reconsider using that service.

User Access Controls

The implication of the ICOs ruling on BA is that they were not properly managing who had access to what, and in particular, were granting full access privileges to people who didn’t need them as part of their everyday job.

Put simply, the more people you grant data access to, and the longer you give them access for, the greater the risk it will be breached.

All businesses should have a defined policy, with actions, that controls who is allowed access to critical data and, most importantly, reviews that access and revokes it when it’s no longer needed.

This can be manual, but there are tools available to help you to manage Role-Based Access Control (RBAC).

Penetration Testing

Although BA’s cyber security controls were clearly lacking, we’re pretty sure they didn’t deliberately design them to be easy to hack. Companies are complex, as are security systems, so problems can slip unnoticed (until it’s too late).

That’s why regularly testing your security systems is so important.

This is called Penetration Testing and it probes your systems in the way hackers would for weaknesses.

NOTE: Because Pen testing involves potentially exposing your customer data it’s vitally important you only use authorised Pen Testers. CHECK is the UK Government’s authorisation scheme for Pen Testers – read more.

Encryption

This wasn’t one of the main areas highlighted by the ICO in the BA case, but encryption can offer a quick win when it comes to protecting your and your customer’s data isn’t exposed. Not only this, but even under the Data Protection Act the ICO brought fines for the loss of data in circumstances where encryption would have kept that data safe.

Encryption makes data incredibly hard to access and view for anyone who have not been granted specific access.

Protecting data when it is stored is called Encryption At Rest, and encrypting it when it is being transferred, such as over the internet, is called Encryption in Transit.

Depending on how you store your business data, it may be that your data is already encrypted. Providers like Microsoft provide a number of tools to help with data encryption.

If you’re unsure as to whether your data-at-rest is encrypted, quiz your IT team or cloud service provider.

Encryption in transit is a different matter, and we’ll cover this in more detail in other modules.

I now understand…

• How my business could be fined even if we’re the victims of a cyber security attack
• 4 ways to reduce the likelihood of this happening to my business.