Why Encryption is Key in the Event of a Data Breach

The summer of 2018 will be remembered for its record-breaking heatwave, England reaching the semi-finals of the World Cup and, for professionals in almost all areas of business, the long-awaited adoption of the General Data Protection Regulation (GDPR) across the EU. In the space of just a few short months, cybersecurity has gone from a tick-box exercise, somewhat far down the list of competing priorities faced by every business, to fighting for pole position amid swirling tabloid headlines warning of huge fines and plummeting share prices for organisations who suffer a data breach.

At the time of writing, the UK has seen 1,750 data breaches self-reported to the ICO (Information Commissioner’s Office) in June alone under the GDPR requirement to report qualifying data breaches within 72 hours of discovery. This compares with a total of 1,500 reported in the months of March, April and May. Data breaches are clearly nothing new - rising consumer awareness means we can all reach for high-profile examples including Tesco Bank, TalkTalk, Dixons Carphone and more - but the requirement to notify the ICO and the general public at large is new, and comes with serious implications.

According to an SAS study, more than half of UK consumers are expected to exercise their GDPR rights within a year and almost two-thirds will retract or review data use solely because of the Facebook-Cambridge Analytica scandal. The study shows UK consumers treat data-sharing as a matter of trust and have a low tolerance for data mistakes or misuse. Almost half (45%) said they would activate their data rights after only one mistake.

But data rights is the tip of the iceberg. A devastating 2016 cyberattack cost TalkTalk £60m, as well as the loss of 101,000 customers. In an attempt to restore their brand image, they also offered almost half a million customers a free upgrade and had to close down its online sales operations thanks to consumer fears over poor security. Pre-tax profits fell by more than half, from £32m to just £14m, and in January 2018, analysts valued the business at just over £1.1bn, down from a peak of over £4bn in 2015.

Post GDPR, however, this picture would be even worse. Once reported to the ICO, within three days, a 4% fine of annual revenue would see them hit with a £71m penalty (on 2016-17 revenues of £1.78bn), dragging investor confidence down even further, and the heightened media awareness around cyber attacks, data breaches and data subject rights would almost certainly inflict reputational damage greater than that which TalkTalk suffered in 2016.

On top of any technology professional’s nightmare scenarios around malicious data misuse post-breach, you’ve now got to consider how to disclose every last detail of your own scandal before you’ve even had time to let the news sink in yourself. As the impact of that public notification settles in and everyone starts looking for a convenient scapegoat, you’ll have to face the board as share prices tumble, your contact centres are flooded with calls, your website crashes and you’re trending on social media for all the wrong reasons.

Unfortunately for most CIOs, the recognition they’ll get for preventing that problem is insignificant to the stick they’ll get for not preventing it, especially if they were aware of a way to prevent it beforehand.

There exists a simple fix - it doesn’t solve all of your GDPR issues, but it might just act as a convenient ‘Get Out Of Jail Free’ card. If your data is encrypted, so that any breach will result in unintelligible data, then you may not be required to notify the ICO. Of course, encrypting your database may seem like another load of work that’s going to have wide and unforeseen implications, but if you’re using Oracle Cloud or Azure (or both) then there are some simple ways of achieving the right level of encryption easily, even when you’ve got a complex environment to protect.

We’ve been helping our managed service clients transition to highly secure, encrypted environments for some time now, and if you’re not already a managed service client of ours, we’re offering a free initial audit with an experienced dsp consultant. To see whether the audit is going to be relevant to you, and discuss next steps, get in touch with us here.