Another day, another data breach. Rarely has a week gone by in 2017 without media reporting on another threat to cybersecurity.
The latest addition to the list is Uber, which in November 2017 admitted the personal information of 57 million of its customers was compromised – and hidden by the company for more than 12 months.
If businesses weren’t already paying attention to cyber, this latest attack needs to be a warning sign for all organisations.
Uber is not a legacy company struggling with technology. It’s a brand synonymous with the digital age. That it could have its information stolen highlights that all businesses face the same threat, and that the continuing threat to cybersecurity is not being taken seriously enough by all.
No one is suggesting it is Uber’s fault it was the target of hackers. It can happen to all companies, of all sizes, in all sectors; in fact 90 per cent of all ASX listed companies have experienced a breach of some kind.
Cybercrime is a booming, lucrative business, increasingly aided by the same technological tools used within many top businesses. More than 700 private sector companies of ‘national interest’ were affected last year and the Australian Government estimates that cybercrime costs the national economy up to $17 billion a year. For companies it is no longer a matter of if their information is compromised, but when.
Data breaches are a lesson for us all
This is a new reality of businesses in the digital age. And with this backdrop, to leave data unencrypted is a negligent act. Whether this becomes a legal reality remains to be seen, but it is certainly the case in the eyes of customers – as seen by the reaction to Uber’s admission.
Consumers are increasingly asking questions about how companies are protecting their data, and if they’re doing enough. It’s an unspoken agreement; “if I give you access to my personal information, I expect you to take care of it.”
Uber’s breach is proof that storing data securely isn’t enough – it needs to be protected in a way that makes it unusable even if a hacker is able to find it. Encryption of sensitive information must be a non-negotiable.
In some organisations this is already the case, but it is far too rare given how significant the threat is. Our recent Australian Encryption Trends Study found the key barrier to encryption for 55 per cent of Australian organisations is even locating where this data resides.
It’s particularly problematic for companies that have not spent the time doing inventory and prioritising their data, leaving critical vulnerabilities in the business. This is especially concerning given that employee mistakes are by far the most significant threat of exposure of sensitive or confidential data, according to 80 per cent of respondents.
The need to address this will be heightened by the government stepping in to ensure compliance with the national data breach (NDB) scheme. Its effect will be to prevent companies behaving as Uber did following the data breach and hiding it from impacted consumers. Instead, cyber breaches will become very public, very quickly.
It means it is no longer the time for complacency. From a reputational, financial and duty of care point of view, it’s important businesses look to exceed, not just meet, the minimum standards with a strong system of data encryption.
Driving this is a shift in ownership for data compliance, as senior leaders realise the impact on their business of failing to get data security right. Our research found the IT department’s influence over encryption strategy has more than halved in the past five years from 59 per cent to 28 per cent.
At the same time, the influence of business unit leaders has risen to 27 per cent. It means responsibility for data security is finally moving out of the IT department and into the boardroom. Thales believes this is a good thing, and a positive step in the right direction.
As we’ve seen over the past few years, the cyber stakes are higher than ever – and they’re only getting bigger. And with so many companies ill-prepared for data threats – whether this stems from an innocent mistake from within the organisation, or malicious third-party hackers – responsibility must sit at board level if attitudes around data security in business are going to change. The needles are moving in this area – but there is plenty more to be done.
Uber isn’t the first or the last company to experience a data breach. But if companies want to avoid being the next caught up in the headlines, they can no longer sit back and watch the news story unfold. Instead, they need to learn from their mistakes.
Kelly Taylor is country manager, A/NZ at Thales e-Security.