How does it affect your customers that British Airways, DSG and Facebook are being fined over data breaches and data protection failures? The headline figure, that GDPR fines can now reach 4% of global annual turnover, will be top of mind (did BA get away lightly with £180m, at around 1.5%?), but we know that it doesn’t end there. Yes, your customers probably don’t want the adverse publicity, the loss of brand equity or the drop in customer loyalty, but are some of them still thinking ‘it will never happen to us’?
Along with an increasing number of fines from the Information Commissioner’s Office (ICO) during 2019, we also saw a 40% increase in the number of staff it has available for enforcement. According to its annual report, the plan to grow this to over 800 staff in 2020 will allow the ICO to pursue a much broader range of organisations in future.
Follow the money
One of the best ways to learn from this situation is to follow the money. If you delve into the penalty notices, you’ll see that the breach itself was only one element of what the ICO investigated. Most cases also cite a basic failure to safeguard personal data, and the absence of controls or ongoing security checks, which is what the GDPR’s security obligations (Article 5(1)(f) and Article 32) actually require.
Rather than building a fear of fines with our customers, we’d recommend helping them to learn from the experience of others. For example, where a breach involved payment card data, we can help them to understand how the penalty relates to PCI DSS compliance (card-scheme obligations that sit alongside, not instead of, the GDPR’s security requirements), what comparable data they hold themselves, and the controls they need in place to protect it going forward.
Look out for our Q&A next week with Marathon GDPR expert Peter Speck for a more detailed analysis. In the meantime, here are a couple of ways you could kick things off:
Get started with security principles
Remember that the ICO does not prescribe the security measures your customer should have in place. The GDPR requires a level of security that is ‘appropriate’ to the risks presented by the processing, and the ICO agrees that there is no ‘one size fits all’ solution to information security. This means that any enforcement decision will assess what was ‘appropriate’ for that customer, taking into consideration their circumstances, the processing being done, and the risks that processing presents to the individuals whose data it is (and, in turn, to the organisation itself).
We at Marathon continue to use GDPR assessments to help clients define this in the context of their own organisation, as this is one of the best ways to map controls and policies, not just against the ICO’s expectations but also against other applicable regulations.
Add definition to the problem through certification
Resellers can also help customers to add definition to their approach through Cyber Essentials. The certification process is recognised by the ICO as an established framework for basic technical controls, covering five areas: boundary firewalls and internet gateways, secure configuration, user access control, malware protection and patch management. It can also go a long way towards promoting the value of a security-first approach as part of a multi-layered security strategy, such as that delivered by our OneSecure service.
Call us on 020 8329 1000 or email email@example.com to book a meeting with one of our consultants. We can give you specific guidance on the right approach and help you position our ICO analysis with your customer at your next meeting.