Data protection services could be at the forefront of the minds of small to medium-sized enterprises (SMEs) in the UK in the future, given new research revealing that the average cost of data breaches is now between £75,000 and £310,800.
Studies by PwC in conjunction with the government have found that 90 percent of bigger companies have had an information security breach, while the same is true for 74 percent of SMEs. And for those firms with over 500 members of staff, the average cost of the most severe incident is between £1.46 million and £3.14 million.
While outside attacks represent a real threat for businesses of all sizes, 75 percent of bigger firms and 30 percent of SMEs have experienced breaches relating to members of staff.
“With nine out of ten respondents reporting a cyber breach in the past year, every organisation needs to be considering how they defend and deal with the cyber threats they face. Breaches are becoming increasingly sophisticated, often involving internal staff to amplify their effect, and the impacts we are seeing are increasingly long-lasting and costly to deal with,” Andrew Miller, PwC’s cyber security director, said.
There are ways you can limit the risks your company faces. For example, all organisations should regularly audit what data they have, how sensitive it is, and what protection systems are currently in place. Secondly, adequate policies, procedures and training should be in place, ensuring that all employees are fully aware of the risks posed by breaches as well as their responsibilities in helping prevent them. It is particularly important to have a well-documented employee exit procedure to limit the chances of a worker (disgruntled or otherwise) retaining access to company or customer data and being able to cause damage.
It is also wise to have a data loss protection plan in place so that if and when a breach does occur, you can take immediate action to reduce the impact. Ensuring there is a response team and disaster recovery service already in place, composed of individuals with the skills and knowledge to act, is also necessary. This ensures that appropriate action can be taken quickly, effectively and in line with legal obligations and regulatory recommendations.
Lastly, it’s worth considering that data doesn’t have to be illicitly accessed in order for it to cause harm to customers or the company in question. Loss of data, whether on internal systems or on media and devices off the company’s premises, can result in fines, damage to reputation and loss of business. For these reasons and more, having a good disaster recovery plan is also a must.