Insurance 4 September 2015
Data is a valuable tool but must be sufficiently protected to prevent breaches
The past few months have uncovered a shocking lack of understanding and preparedness for data breaches among UK companies. In March, Experian released a white paper on data insecurity and found that one in five companies had experienced a data breach in the last two years, affecting nearly 40 per cent of British consumers. Worse still, it showed that a woefully small percentage (34 per cent) have a data breach response plan in place. In May, the City of London police revealed that they had arrested three people over allegations that the personal details of customers of LV= insurance were sold for nearly £17,000. Most worryingly, in June, the Hartford’s survey of midsize business owners and C-level executives found that the large majority of business leaders (82 per cent) only consider a data breach a minor risk to their business.

Each of these incidents highlights a dangerous disconnect between what companies are doing and what they should be doing. They serve as a stark warning of the consequences that data breaches can bring. In the worst case, a breach can lead to fines of up to £500,000 and prosecution. At the very best, with consumer confidence in companies’ competence to handle their data exceptionally low and the media’s appetite for these stories exceptionally high, brand damage and the consequential loss of business is inevitable.

To better protect themselves, insurers must ask themselves some tough questions:

How secure are your systems?

Firstly, technology. Anti-virus is not enough on its own: multiple layers of security are required. Intrusion detection systems (IDS) are crucial to safeguarding systems, along with firewalls, which must be supported and maintained by qualified and well-trained staff. If business leaders fail to deploy hardware and software patches they are leaving themselves open to significant vulnerabilities.
Firms should dedicate a trained staff member to monitoring these reports in order to enable the company to react to any potential threats. All staff should be sufficiently trained and educated on threats and causes of potential data leaks so everyone is able to identify any potential issues before they happen.

How can accidental data leaks be prevented?

Firstly, companies should only keep relevant copies of data. To make sure these are secure, all data should be traceable, and system hygiene should be an incremental part of data management. Data files should also be encrypted to protect them from unwanted access. If a dataset is left on a server somewhere, or worse, stored on a mobile device that is stolen or misplaced, it could have dire consequences for the company.

Secure delivery mechanisms can add a layer of safety to data sharing. Rather than emailing data for eavesdroppers to intercept, firms should be transferring files over secure FTP. These transfers are built on a client-server architecture and use separate control and data connections between the client and the server, which are auditable.

A “least privilege is best policy” system can sufficiently reduce instances of data leakage. This way, only the relevant people are allowed access to only the data they need to do their jobs effectively. If a staff member is granted permission to use the data for longer than required, the individual could (inadvertently or not) tamper with the data and potentially fuel a leak. If the rights to use the data are carefully delegated, the possibility of damaging attacks on the system can certainly be reduced.