A recent report from Symantec revealed that the number of reported data breaches increased by 23% in 2015. Sector by sector, the largest penetration of breaches occurred in health services.
Both in the UK and across the globe, very few companies are addressing the major issue of organisational insiders (“Insider Threats”) taking advantage of access to sensitive data.
The Insider Threat problem is widespread; thousands of businesses in banking, health, insurance, travel and education have all become victims in the last 12 months alone. The Cyber Claims Study by NetDiligence reported that insider involvement accounted for 32 percent of the claims.
A recent data breach at Three Mobile is a prime example of a credential-based attack through the Insider Threat route. Hackers accessed Three’s customer upgrade database using an employee’s login details to fraudulently acquire mobile handsets.
Changes to data protection regulation come into force in May 2018. Under the EU General Data Protection Regulation, UK companies like Tesco Bank, which recently suffered an estimated £2.5 million loss through hacking of their customers’ bank accounts, could face fines of up to €20 million, or 4% of their global turnover, in the event of a breach.
Tesco Bank had a turnover of £955m in the year to the end of September 2016, but Tesco PLC, the bank’s parent company, filed a turnover of £48.4bn. That could subject the company to a fine of as much as £1.94bn had the new EU regulation been applicable today.
Symantec estimates that over 500 million personal information records are stolen or lost each year.
With this figure growing annually, it’s clear that organisations need to increase their focus on data security and data loss prevention (DLP).
To implement a DLP strategy, organisations need first to identify their most important data and classify it by sensitivity. Data classification is widely regarded by data security experts as the foundation for a solid DLP strategy, providing protection against both internal and external threats.
Data classification provides controls for not only who can access the data, but when, why and to what level, as well as providing a foundation for employee education and a culture shift towards better data management and improved protection of sensitive data.
For more information on how data classification can support you through the impending changes under the EU GDPR, download our fact sheet.