British Airways Breach Shows the Need for Firms to Understand Their Data Risk
Chances are that just a few years ago, anyone whose personal data might have been compromised as part of a corporate attack may not have found out about the threat posed to their security for weeks, sometimes longer.
In many instances, the media might have been the first source of information on such a breach rather than the company itself, with many firms choosing secrecy over transparency.
But the world has changed: companies now have to be open and react to intrusions fast.
In the United Kingdom, for example, a personal data breach that is likely to put individuals at risk must be reported to the Information Commissioner’s Office (ICO) within 72 hours, with the clock starting as soon as the firm becomes aware that a breach has occurred.
The high-profile attack on British Airways last month, in which attackers stole sensitive personal and financial information belonging to nearly 400,000 customers, once again highlighted the threat all firms face in this regard. The drop in the share price of BA’s holding company, IAG, also showed the very real financial consequences when a data breach reaches the news cycle.
But foremost, the BA saga highlighted the need for speed in dealing with any kind of data intrusion.
While clearly a matter of huge regret, the BA attack was also a lesson in how regulation, in this instance the recently introduced GDPR rules, can be a positive force. While facing criticism for the breach itself, BA took plaudits for acting fast and giving its customers much-needed insight into the threats they faced, so that they could act to protect their private information.
The BA attack was also a lesson in the value of preparing for such incidents, and it has no doubt forced many organizations, from the small to the very large, to consider their own readiness for an intrusion of this kind.
Today, many companies will be trying to understand whether they would have been able to report the extent of such a breach, and the information exposed, within the new, much tighter time frame.
Similarly, many companies will be assessing whether they have sufficiently robust processes in place to meet their responsibilities to the Information Commissioner’s Office in a measured and structured way.
For many firms, though, the questions they need to ask themselves may be altogether simpler. Do you know what data and information your organization holds, and where? Is your organization keeping emails, communications and personal information that it no longer needs?
These are important questions, because a firm that cannot answer them cannot quickly establish what an attacker has taken, and so cannot react speedily and effectively.
It’s also worth remembering that firms need to look beyond the bare regulatory requirements when considering the data they hold. Is your firm doing everything it can to supervise employee communications and ensure that staff are behaving in a responsible and ethical manner?
Smarsh works with thousands of companies around the world, helping them to answer these difficult but critical questions about their communications data.
We ensure that firms have the right policies and innovative technology in place, empowering their workforce with the latest productivity enhancing communications platforms and channels, while staying compliant and mitigating risks in the face of ever greater data scrutiny.
Smarsh® delivers a comprehensive and integrated suite of information archiving applications and services that help companies protect themselves and manage risk. Its centralized platform provides a unified compliance and e-discovery workflow across the entire range of digital communications, including email, social media, websites, instant messaging, mobile text messaging and voice.
Founded in 2001, Smarsh helps more than 20,000 organizations meet regulatory compliance, e-discovery and record retention requirements. The company is headquartered in Portland, Oregon, with offices in New York City, Boston, Raleigh, N.C. and London.
How can we help?