The financial world is no stranger to data breaches: according to the FCA, the UK saw a fivefold increase in reported data breaches in 2018 compared with 2017.
In April 2018, seven UK retail banks, including Royal Bank of Scotland, Santander, Barclays and Tesco Bank, had to shut down or limit their systems after attacks that cost them hundreds of thousands of pounds to fix.
This article from Financial Director recognises that since GDPR came into force last May, data breaches have been at the forefront of most companies' IT focus. A breach could cost a company dearly if the right actions aren't taken: the maximum fine for failing to comply with GDPR is €20 million or 4% of the company's annual global turnover, whichever is higher.
Whether it results from an attack by a cyber criminal using malware or from an employee mistakenly sending out a list of email addresses, data breaches are becoming more common. What many firms don't know is what steps they need to take once they have fallen victim to one.
What is vital when it comes to avoiding a data breach is educating every employee. It only takes one mistake to let an attacker in, and once one employee's email account is compromised, the attacker can impersonate that employee to phish for even more information from their contacts.
This information can have far-reaching consequences when it comes from banks and financial institutions. For example, if someone has the details of a regular payment that one of your customers makes, they can send a legitimate-looking letter or email claiming that the payment now needs to go to a new account. If they know what your customer's investment portfolio looks like, they can present a scam dressed up as a promising new investment that fits the customer's existing patterns. This can also slip past other controls: if an ordinary customer transferred ten thousand, a hundred thousand or a million pounds, the system would likely place a hold and ask the customer to call the bank. If a multi-millionaire with a large investment portfolio moves that kind of money into a new account, it may look far more like business as usual.
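The threshold problem described above, as an added example that is not code from the Financial Director article or from this blog: a Python sketch of two hold rules, an absolute limit and a per-customer relative limit, beside a rule keyed on the destination account rather than the payee name. It goes slightly beyond the paragraph by showing why keying on the account catches a redirected regular payment that a relative amount rule waves through. The customers, amounts and account identifiers are constructed sample data, and the absolute limit and the `multiple` factor are assumed values.

```python
"""Transfer-hold heuristics illustrating the threshold problem described above.

Added example, not code from the Financial Director article or this blog.
All customers, amounts and account identifiers are constructed sample data;
the absolute limit and the 'multiple' factor are assumed values.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import median

# Assumed fixed limit for the naive rule: hold anything above this amount.
ABSOLUTE_HOLD_LIMIT = 10_000.0


@dataclass(frozen=True)
class Destination:
    """Identify a payee by the account paid into, not by the name on the
    instruction. A redirected regular payment keeps the familiar name but
    changes the account, which is exactly what this key exposes."""
    sort_code: str
    account_number: str


@dataclass
class Customer:
    name: str
    known_destinations: set[Destination]  # accounts this customer has paid before
    past_amounts: list[float]             # previous outgoing transfer amounts


def naive_hold(amount: float) -> bool:
    """Absolute rule: fires on every large transfer, including all of a
    wealthy customer's legitimate ones, so it generates constant noise."""
    return amount > ABSOLUTE_HOLD_LIMIT


def relative_hold(customer: Customer, amount: float, multiple: float = 3.0) -> bool:
    """Relative rule: hold only if the amount is far above what this customer
    usually moves. This is the 'business as usual' rule the passage describes;
    a large transfer from a customer who routinely moves large sums passes it."""
    if not customer.past_amounts:
        return True  # no baseline yet: be conservative
    return amount > multiple * median(customer.past_amounts)


def assess_transfer(customer: Customer, destination: Destination, amount: float,
                    multiple: float = 3.0) -> list[str]:
    """Combine the relative amount rule with a destination-account check.
    Returns the list of reasons to hold; empty means release the payment."""
    reasons = []
    if destination not in customer.known_destinations:
        reasons.append("destination account never paid before by this customer")
    if relative_hold(customer, amount, multiple):
        reasons.append("amount out of line with this customer's history")
    return reasons


# Constructed sample data (not real accounts or customers).
LANDLORD = Destination("20-00-00", "11111111")
BROKER = Destination("40-00-00", "22222222")
ATTACKER = Destination("60-00-00", "99999999")

RETAIL = Customer("ordinary current account", {LANDLORD},
                  [800.0, 850.0, 800.0, 900.0, 820.0])
WEALTHY = Customer("large portfolio", {BROKER},
                   [250_000.0, 400_000.0, 310_000.0, 500_000.0])


def scenarios() -> dict[str, list[str]]:
    """The four cases from the passage: legitimate and redirected payments for
    an ordinary customer and for a high-net-worth one."""
    return {
        "retail_regular_rent": assess_transfer(RETAIL, LANDLORD, 850.0),
        "retail_redirected_rent": assess_transfer(RETAIL, ATTACKER, 850.0),
        "wealthy_usual_broker": assess_transfer(WEALTHY, BROKER, 450_000.0),
        "wealthy_new_investment": assess_transfer(WEALTHY, ATTACKER, 600_000.0),
    }


if __name__ == "__main__":
    for label, reasons in scenarios().items():
        print(f"{label:24s} -> {'HOLD' if reasons else 'release'} {reasons}")
    # The absolute rule alone would hold every one of WEALTHY's transfers,
    # while the relative rule alone releases the 600k to an unknown account.
    print("naive on 600k:", naive_hold(600_000.0),
          "| relative on 600k:", relative_hold(WEALTHY, 600_000.0))
```

The relative rule reproduces the gap the paragraph warns about: a £600,000 transfer from a customer whose median transfer is £355,000 is within range and releases. Keying known payees on the destination account closes that gap for both the redirected rent payment and the fake investment, because in both cases the money goes to an account the customer has never paid before.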
The following are the steps Financial Director recommends that all businesses take after a data breach:
- The breach needs to be found and stopped.
Similar to finding the leak that leads to a flood, when it comes to a data breach you need to find the source and close it fast.
- Understand how the breach occurred.
Increasingly creative attack methods mean a data breach can happen in many ways. Whether it was a phishing email opened by mistake, malware that was downloaded, or a simple error where a client's details were sent to the wrong recipient, it is important to identify where and how the breach took place.
- Notify all those who may have been affected by the breach, and the ICO.
You have a duty of care to all clients and employees affected by a data breach. If information has been accessed inappropriately, whether something like a list of email addresses or something more serious like banking details, the company must tell the individuals concerned what information may have been exposed; GDPR requires this without undue delay where the breach is likely to result in a high risk to them. You must also report the breach to the ICO within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals' rights and freedoms.
- Check for any other vulnerabilities.
Internal security procedures need to be reviewed and audited for existing and further vulnerabilities. Failing to go through your systems meticulously after a breach could leave you open to further attacks, especially if the initial breach attracts publicity: the weakness that let the first attacker in remains until you close it. Reviewing your network's defences should be a routine activity for your IT department, but it becomes even more important after a breach has taken place.
- Review the process.
Finally, you need to change and update your processes for preparing for, containing and recovering from future attacks. It is vital to learn from any mistakes that were made. This could mean installing new anti-virus software and firewall protection, or it could mean educating all employees on how to keep data safe and avoid potential breaches.
In the era of the cyber criminal you can hire professional penetration testers to assess your security by attempting to break into your systems under agreed rules of engagement. This may sound extreme, but it could be the difference between a secure system and a breach that ends in a fine of up to €20 million.