The past few months have uncovered a shocking lack of understanding and preparedness for data breaches among UK companies.
In March, Experian released a white paper on data insecurity and found that one in five companies had experienced a data breach in the last two years, affecting nearly 40 per cent of British consumers. Worse still, it showed that a woefully small percentage (34 per cent) have a data breach response plan in place.
In May, the City of London police revealed that they have arrested three people over allegations that the personal details of customers of LV= insurance were sold for nearly 17, 000.
Most worryingly, in June, the Hartford’s survey of midsize business owners and C-level executives, found that the large majority of business leaders (82 per cent) only consider a data breach a minor risk to their business.
Each of these incidents highlight a dangerous disconnect between what companies are doing and what they should be doing. They serve as a stark warning of the consequences that data breaches can bring.
In the worst case, it can lead to fines of up to 500, 000 and prosecution. At the very best, with consumer confidence in companies? competence to handle their data exceptionally low and the media’s appetite for these stories exceptionally high, brand damage and the consequential loss of business is inevitable.
To better protect themselves, insurers must ask themselves some tough questions:
How secure are your systems?
Firstly, technology. Anti-virus is not enough on its own: multiple layers of security are required. Intrusion detection systems (IDS) are crucial to safeguarding systems, along with firewalls, which must be supported and maintained by qualified and well trained staff.
If business leadersfail to deploy hardware and software patches they are leaving themselves open to significant vulnerabilities.
Firms should dedicate a trained staff member to monitoring these reports in order to enable the company to react to any potential threats. All staff should be sufficiently trained and educated on threats and causes of potential data leaks so everyone is able to identify any potential issues before they happen.
How can accidental data leaks be prevented?
Firstly, companies should only keep relevant copies of data. To make sure these are secure, all data should be traceable, and system hygiene should be an incremental part of data management.
Data files should also be encrypted to protect them from unwanted access. If a dataset is left on a server somewhere, or worse, stored on a mobile device that is stolen or misplaced, it could have dire consequences for the company.
Secure delivery mechanisms can add a layer of safety to data sharing. Rather than emailing data for eavesdroppers to intercept, firms should be using secure FTP files. These are built on client-server architecture and use separate control and data connections between the client and the server, which are auditable.
A “least privilege is best policy” system can sufficiently reduce instances of data leakage. This way, only the relevant people are allowed access to only the data they need to do their jobs effectively. If a staff member is granted permission to use the data for longer than required, the individual could (inadvertently or not) tamper with the data and potentially fuel a leak.
If the rights to use the data are carefully delegated, the possibility of damaging attacks to the system can certainly be reduced.
How do insurers manage data security in their supply chains?
Most crucially, insurance firms must know who they are working with, and these companies must be used to handling and storing large amounts of sensitive data.
Due diligence is fundamental. Insurers should be auditing every supplier and firm they partner with to reduce the threat of any potential data leaks.
Every system is at risk of glitches. What is crucial is that insurance firms routinely test and monitor their systems for any risks and potential threats. By spotting warning signs early and by tightening up internal procedures, insurers can protect themselves against, and significantly reduce the chance of, a data leak.
This vigilance will certainly go a long way in proving to suppliers and consumers that your firm takes the responsibility of holding vast amounts of data seriously.
In the same way, by partnering with data-centric businesses that don’t just meet the industry standards but exceed it, insurance firms can remain assured that their data is also in the safest of hands.
Jon Cano-Lopez is the CEO at data communications business REaD Group.