Cybersecurity: What You Need to Know and Do to Avoid a Breach

The second anniversary of the enactment of the European Union General Data Protection Regulation (GDPR) is fast approaching, yet businesses are still dragging their heels when it comes to cybersecurity.

A recent report by insurance firm Gallagher found that 82% of UK businesses do not have specialist insurance in place to indemnify them for the cost and impact of a cyber-attack. Midsize businesses were found to be particularly exposed, with nearly half (46%) believing that cyber-attacks are “mainly an issue for bigger organizations”.

Unfortunately, this isn’t true. Any business, no matter its size, can fall victim to a data breach and find itself dealing with a reputational and financial crisis.

How Cybercriminals Operate

As a result of the increased digitization of personal information, and businesses failing to invest in and/or maintain adequate security, it can be easier for cybercriminals to breach systems. Any defense is only as good as its weakest link, and hackers only need to break through the weakest barrier to gain access to highly sensitive data.

This is exactly what happened during the Equifax data breach in 2017. In this instance, the consumer credit giant was initially hacked via a customer dispute portal, with the attackers targeting a widely known security vulnerability that should have been patched. After this, the attackers were able to move from the portal to other servers and proceeded to steal highly sensitive data from Equifax’s network for months until they were detected. The fact that they went undetected for so long is another failure on Equifax’s part.

The results were catastrophic. More than 147 million Americans (roughly half the U.S. population) and 15 million Britons had highly sensitive data stolen, including driving license data, email addresses, passwords, and home addresses. Equifax was handed a GBP 500,000 fine from the Information Commissioner’s Office (ICO) – the maximum that could be issued at the time under the Data Protection Act (DPA) 1998 – but the cost of litigation in the UK and the United States will dwarf this figure.

The Mindset Businesses Must Adopt

If there’s a lesson from the Equifax data breach, it’s to constantly update your cyber defenses and make sure that any weak link is strengthened before an attack takes place.

In the aftermath of the breach, Equifax bolstered its security to make the platform more secure, but you have to question why it wasn’t secure in the first place. The company’s lax attitude to basic security measures has resulted in the identities of over 150 million customers being exposed, and the reputation of the credit giant has been tarnished.

For businesses to avoid the financial and reputational costs associated with a data breach, they must prioritize cybersecurity. They should have effective defenses in place to prevent third-party threat actors from gaining access to their systems, networks and information. Those defenses should be thorough: from basic protocols such as the enforcement of strong passwords and encrypted storage to the use of professional tools like antivirus protection and firewalls.

What Consumers Must Do

Until businesses prioritize cybersecurity, consumers will need to take steps to protect themselves. The use of strong passwords that are unique to each platform can help, and when information is exposed, passwords should be changed immediately. Consumers can also keep an eye on their accounts, be vigilant for suspicious activity and secure their devices with the most up-to-date anti-virus software.

If a consumer is the victim of a data breach, they may be entitled to bring a legal case for compensation against the organization. The GDPR and the preceding Data Protection Act (DPA) 1998 in the UK give victims the right to claim damages for any distress caused by the loss of control or misuse of personal information, and financial losses suffered as a result of a cyber-attack can also be recoverable.

A Big Price to Pay

In the first GDPR Group Litigation Order against British Airways (BA), almost half-a-million BA customers affected by two data breaches in 2018 have just one year left to claim compensation for an attack that exposed customers’ financial information. Consumers need to know that they have the right to pursue the financial compensation they are owed after their personal information is exposed to cybercriminals. In the British Airways case, average compensation pay-outs for the distress suffered could potentially reach GBP 6,000 each, rising to GBP 16,000 each in cases where psychological injury is extreme. This means that the airline could be facing a possible GBP 3 billion total payout to add to the record intention to fine issued by the Information Commissioner’s Office of GBP 183 million.

It’s clear that, despite these hefty financial costs, lessons are still not being learned. The lack of accountability and responsibility from big firms like Equifax, Travelex, Dixons Carphone and BA seems to be a recognizable trend. Businesses need to adopt a proactive approach to cybersecurity and understand the financial and reputational repercussions of not protecting consumer data.


Join the Discussion


  • Ternary
    February 26, 2020 12:29 pm

    Nice article Aman. It has been surprising how much of our life is now being spent on-line. The protection of on-line data should be a priority for all. I agree that common sense measures should be taken both by users and providers. Ultimately, it should be new technology that provides cybersecurity. Novel cryptography and novel threat detection and defense applications are badly needed.

    In that context patent law should be adapted to stimulate and better protect cyber-security inventions. Right now almost any cybersecurity invention is subject to some 101 rejection or potentially to functional claiming rejections. Even when a patent is issued it is unclear if an asserted patent will survive invalidation efforts.

    There is also a strong anti-patent bias in the IT community related to cybersecurity, which by itself is surprising, because almost all novel encryption methods (related to lattice based cryptography for instance) are being patented by companies.

    A good first step would be to get rid of “abstract idea” and “functional claiming” rejections/invalidations related to cybersecurity patents and patent applications. The assumption that data, data transmission and data-processing are less real than tangible devices and materials is countered by the devastating effects of security breaches.