The data breach landscape in the UK has changed beyond all recognition over the last few years. More than four in ten Britons (42%) have been affected in some way by a breach, and their levels of concern are growing. Jim Steven, Head of Data Breach Services at Experian, discusses how these changes could well be just the beginning, and why in reality the data breach issue is likely to accelerate over the next two years.
Cybercrime has become increasingly complex and sophisticated, and unprecedented levels of personally identifiable information are being traded illegally on the dark web. More than 110 million pieces of information were traded in 2014 alone, a 300% increase since 2012. This is mirrored by the rapid growth in identity-related crimes in the UK; identity fraud now accounts for 52% of all detected fraud attempts.
Data breaches have become far more expensive to deal with. According to research from the Ponemon Institute, the average cost of dealing with a data breach has risen by 26% since 2011, having increased by just 3% in the preceding three years. But these changes could well be just the beginning; in reality, the data breach issue is likely to accelerate over the next two years.
We’ve recently completed a new paper, Data Breach Readiness 2.0: The ‘Customer First’ Data Breach Response, which assessed the rapidly changing landscape of data breach in the UK. Not only did we survey businesses and consumers, we also spoke, at some length, with industry authorities, from leading lawyers, insurers and digital forensic experts to customer support specialists and crisis communications experts, to assess the true extent of preparedness among UK organisations should a data breach occur.
The next few years will bring a perfect storm of tougher regulation, increasingly negative public sentiment and rising costs that will leave organisations of all shapes and sizes in no doubt that being prepared to respond quickly and effectively is no longer a matter of choice. But to fully understand the true extent of the challenge businesses face, we must look to the US market for a potential glimpse of the future.
The findings highlighted that:
• In the UK, 79% (of British businesses) believe their organisation is prepared to respond to the theft of sensitive and confidential information that requires notification to victims and regulators, compared to 51% in the US;
• Two thirds of businesses (with a data response plan) have a data breach response team (65% compared to 73% in the US); the Chief Information Officer (25%) is the most likely to manage this team;
• Seven in ten businesses (69%) say that the IT security department would manage the organisation’s data breach response according to their company’s breach response plan;
• The risk of data breach is higher: 46% of US firms have suffered a data breach in the last two years, compared with 17% in the UK;
• Costs are higher: The average US data breach costs £132 per record compared with £104 in the UK;
• Lost business costs are higher in the US, reaching £2.2 million on average, compared with less than £1 million in the UK.
If the UK follows a similar upward pattern to that which has been observed in the US over the last five years, we can expect to see the incidence of breach rise, and the consequences become substantially more severe. Of course, we have already witnessed the impact of regulation in the USA in the wake of data breach – and since introducing regulation and the requirement for businesses to notify both the regulator and the affected persons by incident, the number of breaches has dramatically increased. It would therefore follow that breaches were always occurring and that consumer personal information was being compromised but not being recorded.
Once EU regulation is passed, it is highly likely that we will see a significant uplift in reported breaches and compromised personal data in the UK and across Europe. So while it is encouraging that UK businesses seem to recognise this link, it is critical that their data breach plans, and the testing of them, are put in place as a standard management requirement. After all, it is understanding what needs to be done following a breach, and by whom, that will be the measure by which businesses recover from an event.
By Jim Steven
Head of Data Breach Services
Experian
About the author:
Jim Steven is Head of Data Breach Services for Experian in the UK, providing remediation services in the form of credit and web monitoring for customers and employees whose data has been compromised, and supporting organisations through the challenge of data breach response planning and management, helping provide reassurance to businesses and those affected in uncertain times.
Prior to joining Experian, Jim worked in the security and risk management industry, providing expertise in security risk management solutions, travel risk management, aviation security and corporate security for some of the world’s largest security companies.