SafeNet

Reporting security breaches – are UK businesses prepared to meet customers’ expectations?

The recent high profile security breaches highlighted the significant reputational and financial damage organisations with poor data security practices are exposed to. With cybercriminals increasingly targeting soft social data, enforcing stricter protection of users’ personal details and privacy has become a top priority for businesses and regulators alike.

The European Commission’s plan to introduce mandatory reporting of security breaches for banks and businesses is one of the first steps in this direction. Such a move will inevitably lead to a rise in the number of reported incidents but will also force businesses to be more transparent about internal security policies and about how they handle customer data.

The PCI security standards are a good example of how market regulations have driven the adoption of encryption for credit card data, resulting in 100% adoption of PAN encryption.

However, the question is whether stricter regulation on its own will be sufficient to ensure high security standards across organisations. Many enterprises have only basic information security protection in place, often no more than a firewall and antivirus software. Without regulation, businesses have no incentive to improve their security strategies unless they become the victim of a breach. It is another question to what extent regulatory standards can determine internal security policies across different business sectors, and whether this will lead to better security practices.

To ensure the highest security standards are met, organisations need to address the security vulnerabilities throughout the whole information lifecycle. One of the most effective ways to achieve that is through data encryption.

Encrypting all data, wherever it resides, is a safe harbour, as it leaves cybercriminals with little or nothing to take advantage of. Needless to say, to make data unviewable by cybercriminals, organisations need to ensure decryption keys are stored securely outside the data centre and that only authorised users can view security-sensitive information. This would leave little space for bad publicity in the press and for ICO scrutiny.
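The two conditions above (ciphertext only in the data store, keys held elsewhere and released only to authorised users) can be made concrete in a small model. The following Go program is an added example, not SafeNet's code or a description of any SafeNet product; the `KeyService` type, its allow-list and the `DataStore` map are assumptions standing in for an external key manager and a database, and the customer record is constructed (4111111111111111 is a publicly known test card number). It encrypts a record with AES-GCM, shows that a dump of the store does not contain the PAN in the clear, refuses decryption to an unauthorised principal, and rejects a tampered blob.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrUnauthorised is returned when a principal not on the allow-list asks for decryption.
var ErrUnauthorised = errors.New("principal not authorised to decrypt")

// KeyService is a stand-in (assumption) for a key manager hosted outside the
// data centre, such as an HSM or external KMS. It holds the data-encryption key
// and decrypts on behalf of authorised principals; the key itself never leaves it.
type KeyService struct {
	key        []byte
	authorised map[string]bool
}

// NewKeyService generates a random AES-256 key and records who may decrypt.
func NewKeyService(authorised []string) (*KeyService, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	ks := &KeyService{key: key, authorised: make(map[string]bool)}
	for _, p := range authorised {
		ks.authorised[p] = true
	}
	return ks, nil
}

func (ks *KeyService) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(ks.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a record with AES-GCM. The random nonce is prepended so the
// data store only has to keep one opaque blob per record.
func (ks *KeyService) Encrypt(plaintext []byte) ([]byte, error) {
	g, err := ks.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt opens a record for an authorised principal only. GCM's authentication
// tag also rejects blobs that were modified while sitting in the store.
func (ks *KeyService) Decrypt(principal string, blob []byte) ([]byte, error) {
	if !ks.authorised[principal] {
		return nil, ErrUnauthorised
	}
	g, err := ks.aead()
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:ns], blob[ns:], nil)
}

// DataStore models the database inside the data centre; it only ever holds ciphertext.
type DataStore map[string][]byte

// ContainsPlaintext answers the question a breach post-mortem asks of a leaked
// dump: does any stored value contain the sensitive bytes in the clear?
func ContainsPlaintext(store DataStore, secret []byte) bool {
	for _, v := range store {
		if bytes.Contains(v, secret) {
			return true
		}
	}
	return false
}

func main() {
	ks, err := NewKeyService([]string{"alice"})
	if err != nil {
		panic(err)
	}
	// Constructed sample record.
	record := []byte("PAN=4111111111111111;name=Jane Doe")
	store := DataStore{}
	if store["cust-1"], err = ks.Encrypt(record); err != nil {
		panic(err)
	}
	fmt.Println("dump contains PAN in clear:", ContainsPlaintext(store, []byte("4111111111111111")))
	_, err = ks.Decrypt("mallory", store["cust-1"])
	fmt.Println("mallory:", err)
	pt, _ := ks.Decrypt("alice", store["cust-1"])
	fmt.Println("alice:", string(pt))
}
```

The point of the split is that a copy of `DataStore` on its own is worthless to an attacker, and that the authorisation decision is taken where the key lives rather than in the application that holds the data; in a real deployment the allow-list would be the key manager's access policy and the key would be generated and kept inside that system.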

Although enforcing mandatory reporting of security breaches will not stop data from being stolen, the transparency it requires of businesses will drive them to rethink their data protection policies and look at best practices for preventing data breaches.

This entry was posted in Compliance, Data Breach by Nicki Wallace.