The expert opinion of Cedric Mermilliod , co-founder of Oodrive and Senior VP
Several scandals involving data theft have made the news in recent years. In 2015, for example, data belonging to users of Ashley Madison, a site enabling extramarital affairs, was made public. And further back, in 2014, Sony Pictures was the victim of theft involving personal information relating to employees and unreleased films. In the same year, the contact details of over 1.3 million Orange customers were leaked. And in 2013, Adobe was also hacked, with the personal data of 130 million users being stolen. These are just a few of many examples, and the conclusion is simple. Last November, a Skyhigh Networks study revealed that enterprises are subject to 16 security incidents and 2.4 data thefts on average per month. The recurrent nature of these issues shows the extent to which data is a tempting target. But what is the impact of these data thefts? And how can we avoid them?
Data theft: a threat in numbers
Data theft can represent a colossal expense for enterprises. According to the IBM/Ponemon Institute study of 350 enterprises in 11 countries; the average consolidated cost of a data breach is 3.8 million dollars, an increase of 23% since 2013.
This cost varies greatly depending on the nature of the issue causing the loss of data: human error can cost up to 134 dollars per piece of data to repair, with this figure increasing to up to 142 dollars for a system failure and 170 dollars for a cyber attack.
Beyond this direct financial impact, data theft also has indirect consequences. The enterprise’s reputation can be seriously and lastingly damaged, impacting both image and finances (drop in share price, etc.).
And that is not all. The disclosing of confidential data can cause an enterprise’s competitive advantage to be lost or reduced. And the enterprise may also have to compensate the employees and clients affected. Finally, in legal terms, a European enterprise is responsible for the data it collects. Under EU law, “personal data can only be gathered legally under strict conditions, for a legitimate purpose. Furthermore, persons or organizations which collect and manage your personal information must protect it from misuse.”
Europe has made this topic a priority and is currently working on establishing a specific legal framework: the General Data Protection Regulation (GDPR). This aims to take into account the specific problems posed by technological developments like the cloud and social networks, which were not included in the current legal framework established in 1995.
An enterprise that puts its employees’ or customers’ data in danger may therefore be held liable if it has not taken the appropriate protective measures. And this principle applies in many other countries. In Canada, for example, some members of the Ashley Madison site affected by the leaking of their personal data filed a class action for a total of over 567 million dollars in damages and interest.
How to ensure the safety of data in 7 steps
Almost half of all data thefts are caused by cyber attacks, 28% are connected to system failures and human error is responsible for 24% of issues. Good data protection is not limited to preventing intrusions, but implies a more global approach, that also looks at the data itself.
- Ensuring the security of the infrastructure
Many enterprises take this step first, installing firewalls, anti-malware software and carrying out the required updates.
- Use encryption
Data should be encrypted throughout its life cycle, when being transferred and when being stored. For the most sensitive cases, an HSM (Hardware Security Module) is an effective means of encryption.
- Ensure traceability and integrity
It is essential to control access to data and actions carried out in order to guarantee optimal traceability. A strong authentication with an electronic certificate can help with this, as can two-factor authentication (2FA) (combining log-in/password with a text message). Where required by the level of confidentiality, the enterprise must have greater control of the data, for example by completely isolating it from the company network using the cloud, preventing documents from being printed or modified.
- Back up data
Backing up data can act as a safeguard against human error, equipment failures or malicious acts. Today, cloud-based back-up software not only ensures the configurable, automatic backing up of data, but also implements redundancy, i.e. making a second copy on a secure infrastructure, so even if the first fails, the data is preserved.
- Raise employee awareness
The enterprise should inform its employees of the risks of practices such as shadow IT (installing software without the prior approval of the IT department) or BYOD (Bring Your Own Device). Similarly, it is important that everyone within the company is aware of the risks involved in printing files; transporting sensitive documents, exchanging confidential data using insecure means (emails, USB drives, etc.) or working away from the office.
- Evaluate risks (or have them evaluated)
The enterprise should implement processes in order to evaluate the company’s vulnerability to cyber attacks and other threats that could affect data. But beyond internal evaluations, security management can also be attested to with certifications. For example, the internationally recognized standard ISO 27001, awarded following regular external audits, guarantees that the enterprise manages the security of its information and information entrusted to it by third parties.
- Don’t neglect the legal dimension
The notion of security can also include the legal dimension, by means of using a European service provider that hosts data in Europe. This solution means that the enterprise benefits from a strict legal framework regarding data protection.
In conclusion, and to once again quote the IBM/Ponemon Institute study, an enterprise takes on average 256 days to realize it has been the victim of a cyber attack. With this in mind, we can really understand how essential it is to adopt a global approach to security. Digital data is increasingly the cornerstone of an enterprise’s business. It is now an absolute necessity to have the appropriate tools and processes in place to protect it.
Co-founder - Senior VP