Following the recent news that British Airways has been fined £183 million for a security breach that took place last year, the airline said it was ‘surprised and disappointed’ by the penalty issued by the Information Commissioner’s Office (ICO), according to a BBC report.
The fine is apparently the biggest one ever handed out by the ICO and comes in the wake of 380,000 transactions being affected – the airline states data did not include travel or passport details. What it did include, however, were names, email addresses, credit card information such as credit card numbers, expiration dates, and the three-digit CVV code found on the back of credit cards, although British Airways said it did not store CVV numbers, according to a story published by Berry Smith Lawyers.
If a cyber-attack of this scale can happen to an established international company, then it raises the question of the upheaval and chaos it can potentially cause to an SME, bearing in mind that cyber-attacks appear to be getting worse and are certainly not going away anytime soon.
According to Comparitech, global cybercrime could cost up to $6 trillion a year by 2021, with over 50% of devices that got infected once becoming re-infected within the same year (2019 Webroot Threat Report).
If you are affected by a data breach, the first step you need to take is to keep a record of the following in order to inform an Information Technology forensic team, and your in-house IT team, if appropriate:
- What was affected?
- What type of attack did you suffer?
- When did it take place?
- Make a list of the victims of this attack
- How does it affect your database of customers?
IT and communications
At this point, your in-house IT team will probably start by resetting all logins and encrypting all banking or login information (if this hasn’t already been done). Meanwhile, your communications and PR team should be on full alert and ready to go into crisis communications mode to deal with any reputational management issues that could affect your customers. Drafting key messages for the media, lawyers, and your customers is essential at this point as you seek to reassure clients that you have the situation under control.
Disconnect your servers from the web but keep them on. This will prevent highly sensitive data from being transferred out and will cut off outside access to your data. The reason for keeping your servers switched on is so that your IT forensics team can assess the full extent of the damage caused by the hackers and gain a better picture of what needs to be done moving forward to help you stay better protected.
Talk to your employees about the security breach and report the incident to the police. Don’t forget to review and log any credit reports and check for any signs of identity theft, such as suspicious debt collection letters about unpaid loans that you don’t have, utility bills that suddenly stop being sent, and credit card bills for cards that you don’t have.
Who needs cyber insurance?
As we’ve discovered in recent years, the impact of cybercrime can have a devastating effect on businesses. Business interruption, loss of income, the potential loss of business reputation, as well as damage and repair costs to IT infrastructure can cost a business thousands of pounds to fix.
SMEs may not have the upfront cash to get all of these issues fixed immediately, which is why cyber insurance is vital. Other insurance policies may provide elements of cover against cyber-attacks – but not all of it – and businesses need to ensure a specialized cyber insurance policy backs up existing insurance arrangements.
Disclaimer: The advice provided here reflects our own interpretations and opinions. We have tried to simplify the main points to create this article, and the information provided is for general informational purposes only. While we try to keep the information up-to-date and correct, there are no representations or warranties, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the information, products, services, or related graphics contained in this blog for any purpose. Any use of this information is at your own risk.