In 2019, British Airways was ordered to pay a fine of approximately $230 million for a data breach that occurred in 2018. This is the most substantial penalty an organisation has yet had to pay for lapses in data security under the new European data protection law. The breach occurred when hackers diverted over 500,000 of the airline’s customers to fraudulent sites, where customer credentials, including financial information and travel data, were stolen. The new General Data Protection Regulation (GDPR) has given European policymakers and regulators added bite: they can now issue penalties of up to 4% of an organisation’s global revenue for a data breach.
Google and Facebook are among the other large organisations currently under investigation for breaches of GDPR, even though they have already paid penalties for the breaches disclosed so far.
The threat of hefty penalties gives companies a strong motive to examine cybersecurity across their departments more carefully.
Policymakers find that GDPR could make companies more cautious about the client and customer data they collect and store. Almost every organisation today gathers customer data and uses it to improve its marketability and sell more products and services; but precisely because that data is so valuable to the business, it is just as valuable to hackers and cybercriminals.
Data breaches frequently occur despite an organisation’s cybersecurity controls and best practices. This can happen when employees click on fraudulent websites, infected attachments or phishing emails, and the resulting malware spreads rapidly throughout the company. While British Airways has been charged about 1.5% of its annual revenue as a penalty, policymakers have stated that they will consider responses from the airline before issuing the final penalty decision.
At around the same time that British Airways was charged, the Marriott hotel chain was also fined $124 million for a data breach that began in 2014.
Large international chains such as Marriott hold customer data from across the world, and policymakers therefore argue that they should have been monitoring their security more effectively. Alarmingly, cybercriminals were steadily extracting data from the Marriott group of hotels for four consecutive years. This four-year breach, involving the personal and financial information of over 500 million guests, was a colossal intrusion that went entirely undetected.
This points to a failure to adopt the most critical principle of cybersecurity defence: assume compromise. Every company must accept this principle, which means accepting that it is never entirely safe and secure, regardless of the cybersecurity technology or policies it has in place. Adopting this mindset raises alertness among employees and management to all forms of basic and advanced defence, such as applying software patches, employing the latest anti-virus and anti-malware technologies, and using cutting-edge technologies such as Digital Rights Management (DRM) to protect documents and data.
It is crucial for decision-makers to implement DRM, a proven technology for safeguarding intellectual property, client information and confidential data.
In the Marriott case, the incident came to light when Marriott discovered that a company it had acquired had been breached.
Any company conducting mergers and acquisitions must have robust cybersecurity assessment and solutions such as DRM in place in order to understand and cover all vulnerabilities. Modern business acquisitions are prime fodder for hacking and cybercriminal activity. Confidential information within the company, including personally identifiable data, payment card information and other critical data, must be securely safeguarded with data loss prevention tools such as DRM, which can ensure that information does not reach unintended users while permitted access is stringently controlled and monitored.
An adversarial, proactive approach to protecting data, using third-party resources such as DRM, can help uncover and address all kinds of organisational data vulnerabilities.
Training tools, instruction modules for office staff and data breach attack simulations are all good security practices for preventing data breaches, but they may still not be enough to reveal the specific flaws that can lead to one. They nonetheless remain worthwhile endeavours in preventing hacking and data intrusions.
Ultimately, defence in depth, with varied layers of cybersecurity tools including Digital Rights Management, may well be the answer to safeguarding an organisation’s data.