When it comes to data protection, and the requirement under UK GDPR to process and store personal data securely, you might not immediately think of Estate Agents, and for that matter financial advisors, solicitors etc. But Estate Agents hold large amounts of information on their clients, including their financial history, bank account details, copies of passports and other identifying documents, much of which they are required to hold for 7 years, under financial services legislation. So the scope for a data breach is huge.

Some examples include:

A London estate agent has been fined £80,000 by the ICO after leaving the personal data of more than 18,000 customers exposed for almost two years. The incident occurred when the estate agent passed the details from its own servers onto a partner company. An “Anonymous Authentication” function was not switched off, which meant there were no access restrictions to the data between March 2015 and February 2017.

The exposed details included bank statements, salary details, copies of passports, dates of birth and addresses of both tenants and landlords.

Writing on its website, the ICO said its investigations had uncovered a ‘catalogue of security errors’. The Agent had failed to take appropriate technical and organisational measures, in addition, only alerting the ICO to the breach when it was contacted by a hacker.

Lack of adequate data security is an important basis for imposing fines. Are you one of the SMEs who has swallowed the line that a firewall and some anti-virus, plus cloud storage, is all you need?

In addition to inadequate security, one of the frequent reasons for imposing a penalty is failure to report a violation despite the obligation under the law. Have you got that covered with an adequate policy and process in place and understood?

This can all be a real nightmare for many SMEs, particularly those with a large amount of personal data, much of which they can’t ditch. For example, financial data which under other legislation, they must keep for 7 years. I’m thinking about Estate Agents and financial advisors, even solicitors who I find are very good at telling others what they need to do to comply with the Act but aren’t so hot on how to do it.

One of the biggest issues I find with SMEs, is that they often think they know where all their data is but get quite a surprise when they discover multiple instances of the same data set. This has become a real issue since COVID, in that remote working is becoming normal and it’s a real temptation for an employee, working from home with possibly less than robust broadband, to copy data from cloud storage to their PC to ensure they can keep working on it. Then they upload it again when they’ve finished but forget to delete their copy. That’s just one instance but it is vital to understand where all this data is. What if for instance, you get what is known as a subject access request, where a client or other member of the public wants to know exactly what personal data you have on them, and why. I spoke to a financial advisor recently who told me that it took one of their partners off the road for 3 weeks, to discover where all the data was kept on just one person. But under the law, they had no choice but to bite the bullet.

We’ve been pondering these problems for some time, and they boil down to processing and storing the data securely and being able to quickly lay your hands on it. There are several systems on the market which will capture where your data is, and who has access to it, generally under the banner of Data Loss Prevention, or DLP. These systems are based on an event-driven approach and require extensive ongoing rules management built for LAN/WAN perimeters and are becoming much less effective working in an increasingly perimeter less environment.

Local and Wide area networks and the notion of a security perimeter are no longer valid with the transition to hybrid cloud, work-from-home, and zero-trust architecture. In such a setup, sensitive files are spread across on-premises repositories (File Server, NAS) and different cloud-based repositories. These cloud-based repositories are divided between the ones that you manage (managed cloud, such as organisational OneDrive), shadow IT (such as communication apps like slack or WhatsApp), and 3rd party portals. We needed an answer to this new data landscape with a cross-platform discovery functionality, coupled with the data flow monitoring capabilities.

We came across Actifile, which works very differently to a standard DLP, which in any case, often requires other tools to provide the security functionality needed. Actifile is based on analysing data risks and applying pre-emptive encryption that handles both external threats and insider carelessness, all in the world of no security perimeters. Moreover, Actifile’s set and forget method, requires little to no maintenance, and can be up and running securing data, in less than 3 working days providing a detailed breakdown of the data risk and leverages the data risk for data flow monitoring, auditing and remediation. This approach greatly simplifies the process.

Actifile is a cloud-based management platform coupled with a lean agent for workstations (both Windows and Mac), File Servers, NAS and Terminal Servers, and a sidecar docker instance for cloud-based file shares (. i.e., OneDrive).

Step 1: Data Risk Discovery and Quantification

Based on predefined privacy regulations and PII definitions, Actifile immediately starts scans for sensitive data using smart patterns. Actifile then quantifies data risk per PII type in local currencies.

Step 2: Data Risk Monitoring and Auditing

Tracks and audits data risk in real-time by continually monitoring incoming and outgoing sensitive data flows from and to the perimeter-less organization.

Step 3: Data Risk Remediation by Encryption

Our patented transparent encryption process automatically secures sensitive data across all endpoints, cloud apps, 3rd party portals, and shadow IT. The entire process, from initial deployment through data risk analysis to remediation by automatic encryption takes as little as 72 hours.

Finally, and importantly, it is very light on administration, quick to set up and we are offering a 30 day trial at no cost. If you don’t like it, we take it away.

Despite a greater emphasis being placed on data security, data breaches are on the increase.  Whether through sophisticated social engineering techniques or more technical attacks, cybercriminals are trying every available tactic to profit from this sensitive information.

According to one report, within the first nine months of 2019, 5,183 breaches were reported, exposing over 7 billion compromised records. Up 33.3% on the previous year with records exposed more than doubled, up over a 100%.

In a recent study, more than half of the recipients (57%) said they do not have a Cyber Security policy in place, rising to more than two-thirds (71%) of medium-sized businesses (250 to 549 employees).  This is somewhat shocking considering the potential consequences, exposing companies to significant risk and placing them under the microscope with both customers and regulators.

This week we will publish a significant potential consequence of this daily, starting with:

Financial Loss

The financial impact of a data breach is one of the most hard-hitting consequences that organisations.  It is estimated that the cost of a data breach has risen 12% over the past five years.  If as a result of a ‘scam’ via phishing for example, the loss may not even be noticed for some time, perhaps not until the next financial audit.

The hit can include compensating customers, responding to the incident, investigating the breach, investment into new security measures, legal fees, not to mention the eye-watering regulatory penalties that can be imposed for non-compliance with the DPA 2018 and GDPR.

Tomorrow we’ll take a look at reputational damage.

Reputational damage

The reputational damage resulting from a data breach can be devastating for a business. It is estimated that up to a third of customers in retail, finance and healthcare will stop doing business with organisations that have been breached. Additionally, the majority will tell others about their experience, and 33.5% will post on social media.

It todays world of instant communication organisations can become a national, even global, news story within a matter of hours of a breach being disclosed. This negative press coupled with a loss in consumer trust can cause irreparable damage to the breached company.

Consumers are all too aware of the value of their data and if organisations can’t demonstrate that they have taken all the necessary steps to protect this data, they will simply leave and go to a competitor that takes security more seriously.

Reputational damage does not go away and can impact an organisation’s ability to attract new customers, future investment and eveb new employees to the company.

Legal Action

Under the DPA 2018 and GDPR, organisations are legally bound to demonstrate that they have taken all the necessary steps to protect personal data. If this data is compromised, whether it’s intentional or not, individuals can seek legal action to claim compensation.

We recently posted a piece on a UK Legal Firm offering a no win no fee service for anyone who suspects their data may have been compromised.  There has been a huge increase in UK as victims seek monetary compensation for the loss of their data.

Equifax’s 2017 data breach affected more than 145 million people worldwide and the company has paid out more than $700 million in compensation to affected US customers. Whilst this is at an extreme end, SMEs could find themselves risking compensation of around £5k per person whose data is compromised.  As it rarely only affects one individual, how many SMEs would be able to withstand such claims in the hundreds, followed by action by the ICO could see a fine in 6 figures.

As the number of breaches continues to rise, we can expect to see more of these group cases being brought to court.

Operational Downtime

Business operations can be heavily disrupted in the aftermath of a data breach. Organisations will need to contain the breach and conduct a thorough investigation into how it occurred and what systems were accessed. Operations may need to be completely shut down until investigators get all the answers they need. This process can take days, depending on the severity of the breach. The knock-on effect on revenue can be substantial.

Loss of Sensitive Data

If a data breach has resulted in the loss of sensitive personal data, the consequences can be devastating. Personal data is any information that can be used to directly or indirectly identify an individual, whether held electronically or on paper. This will include everything from a name to an email address, IP address and images. It also includes sensitive personal data such as biometric data or genetic data which could be processed to identify an individual.

If a critical patient had their medical records deleted in a data breach it could have a serious effect on their medical treatment and ultimately their life. Biometric data is also extremely valuable to cybercriminals and worth a lot more than basic credit card information and email addresses. The fallout from breaches that expose this data can be disastrous and exceed any financial and reputational damage.

Regardless of how prepared your organisation is for a data breach, there is no room for complacency in today’s evolving threat landscape. You must have a coordinated security strategy in place that protects sensitive data, reduces threats and safeguards your brand’s reputation.