The last quarter of 2015 witnessed a series of high-profile data breaches which may prove to be a tipping point in public attitudes towards data security. The TalkTalk hack, in particular, defines the new risk normal for 21st century business. Estimates put the cost to the company at £60 million and between 100,000 and 250,000 lost customers.
By chance, this period also saw the release of the final draft of the new European General Data Protection Regulation, which defines the new regulatory normal for any business holding or processing the data of EU citizens.
These events ought to ring alarm bells in boardrooms across the country, because breaches are a regular event in most organisations. The 2015 Information Security Breaches Survey, conducted by PWC for the UK government, found that 90% of large organisations and 74% of small businesses suffered a data breach in 2014-15. In fact, most suffered multiple breaches: the median number for large organisations was an astonishing 14. Most breaches result from human error, but a quarter of large organisations (and one in seven smaller ones) reported that their networks had been penetrated by unauthorised outsiders. Where this had occurred, 80% of respondents admitted it had happened “a few times” or more.
Of course, these figures only account for detected attacks, and detection rates aren’t great. According to the same report, only around 40% of incidents were identified by the organisation’s routine internal security or other controls; over 25% were detected by accident or by notification from outside the business (i.e. the police or the media). This helps to explain the results of a Hewlett Packard and FireEye survey in the US, which found that the median time to detect a breach was 205 days, and that it took a further 31 days to contain it. In other words, the perpetrators of a successful hack can bank on getting an eight-month head start on the authorities.
The signs are that consumers are becoming much less tolerant of companies and public bodies that can’t keep their personal information safe. A survey commissioned by the ICO in January 2016 found that over three-quarters of respondents would consider stopping using a company’s services if they received news of a data breach. More recent research by CSID found that 21% of people had already stopped using an online service because of data security concerns. The same percentage of people – surely no coincidence – reported that they had been the victims of identity fraud in the past.
Companies are responding to the increasing threat of cybercrime by investing in technology. Gartner estimates corporates around the world will invest $101 billion in information security by 2018, up from $77 billion last year. However, according to CESG, the information security arm of GCHQ, “there’s no such thing as 100% security and your organisation will probably experience some form of cyber-attack at some time.”
Part of the reason is that the cyber threat has morphed over the last decade. Previous activity was based on cleverly crafted attacks by skilled individuals. In contrast, modern cybercrime has become industrial in scale and approach: cheap, mass-produced and easily accessible. Hacking communities, discussion groups and online walkthroughs are plentiful and easy to find. Tools which were previously the preserve of professional hackers – exploit kits, remote access Trojans (RATs) and crypto-lockers – can be purchased by anyone minded to do so. Ransomware is often provided free in return for a percentage of the bitcoin take. Online marketplaces enable personal information and credit card details to be readily bought. Young, technology-savvy kids looking for kudos, validation or just laughs at others’ expense are turning to cybercrime to get their kicks. Evidence of this can be found in most high-profile recent crimes. For example, the TalkTalk breach and the attack on Sony PlayStation and Xbox systems were all allegedly perpetrated by youths aged 15 to 20.
These trends are common across Europe, which explains why the European Commission is taking steps to standardise the rules for keeping data secure. Under the General Data Protection Regulation, due for adoption in summer 2016 and to come into force in 2018, organisations will be obliged to inform their data commissioner (the ICO in the UK) of any breach, and to inform individuals if the breach could impact their privacy or security. Individuals must be told what has been stolen and provided with appropriate recommendations for mitigating possible adverse effects. In short, organisations must provide victims with protection from all forms of fraud that could result from the abuse of their lost personal data. This is a major change: at present, any ‘identity protection’ offered is typically only aimed at protecting the victim’s credit file.
Changes to the financial penalties for getting it wrong are just as significant. Under current regulations, the ICO can fine organisations a maximum of £500,000. The new EU rules will increase that to €20 million, or 4% of global revenue, whichever is greater.
Organisations are caught between the rising threat of industrial-scale cybercrime, carried out by a generation of semi-skilled hackers employing user-friendly tools; the increasingly unsympathetic attitude of the public; and demanding new regulations with which they have no choice but to comply. Henceforth, they will need to have a response plan in place that can be deployed quickly; that covers all forms of data breach; that provides authoritative information and advice about potential fraud risks; and which helps individuals to successfully resolve any cases that do occur. All businesses that collect and store personal information should make this a central plank of their strategy for 2016.
 ‘2015 Information Security Breaches Survey: Technical Report’, HM Government.
 ‘M-Trends 2015: A View From The Front Lines’, Mandiant; and ‘Global Report on the Cost of Cyber Crime’, Ponemon Institute, 2014.