Our data is everywhere. Collected and archived on the paper or in a digital format and stored in some external environments.
What happens to our data? Do we know how our data is secured on paper or in digital form? And why does it matter to those who control and process our data?
To create common bases for the further analyses, let us clarify some definitions first.
Data protection describes the protection against the improper processing of personal data and the protection of the right to informational self-determination.
Data security addresses the protection of data, regardless of whether it is personal or not. It refers to all technical and organizational measures to protect information and systems of all kinds against manipulation, interception, loss and other dangers. Data security is therefore ensured by a variety of measures at different levels, such as procedural instructions for critical processes, firewalls, backups and penetration tests.
Data security is being seen as part of information security. Information security not only protects information in technology, but information in every form. It encompasses technology, organization, and processes. It is based on three protection objectives: Confidentiality, availability and integrity.
This means that sensitive data is protected from unauthorized access by third parties but is always fully and correctly accessible to authorized users.
Another sub-area of information security is the IT-security. This relates to electronically stored information and IT systems. Information that is increasingly stored and transmitted digitally these days is exposed to many possible threats: from unauthorized access to data by third parties, espionage and sabotage to hacker attacks.
Quite often you would hear the argument: "Why should anyone be interested in hacking me. I have nothing valuable in my systems."
Well, every organization is in the possession of valuable assets – the data. Data is the new currency. The companies collect sensitive personal data from employees, customers, service providers, and in health care from the patients. In the context of data security, the valuable data concerns also business strategy, customer data, innovation data, financial data, operational data, and so on.
To understand why the companies should take care of their information security, incl data and IT security, let’s have a look what the hackers do with the stolen data and what are the consequences for a company.
Attackers can use stolen personal information to steal identities. This can lead to them carrying out fraudulent activities, taking out loans or other illegal activities in the name of the victim. Stolen financial information, such as credit card or bank details, can be used to commit financial fraud. This ranges from online purchases to larger transactions aimed directly at the victims. Attackers could sell stolen data on the black market. This includes information such as credit card numbers, online account credentials, national insurance numbers and other personal data. Attackers could attempt to blackmail companies or individuals by using sensitive information to damage reputations or make financial demands. State-sponsored or criminal groups could use stolen information to conduct industrial espionage. This could include the theft of trade secrets, research data or other sensitive information.
By using the stolen data, the attackers can launch further attacks:
Even though everyone knows that there is no such thing as 100% security and that anyone can become a victim of a cyber-attack, this is not always understood when one is affected as a business partner.
Customers and partners trust that their data is being held secure. A cyber-attack that leads to data leaks or other security issues can severelydamage confidence in the integrity of the organization. Which leads to the risk of losing customers and business partners.
A cyber-attack can result in sensitive companydata being lost or damaged. This can not only have a financial impact but can also – again – jeopardize the trust of customers and partners.
Many companies are heavily dependent on their IT systems. A successful cyber-attack can lead to significant business disruption while the organization attempts to fix the security issues and restore systems. Which in turn can result in lost revenue and a damaged reputation.
The financial impact of a cyber-attack can be manifold. In addition to the direct costs of restoring the systems, indirect costs can also arise due to operational downtime, loss of reputation and legal consequences. According to the study of IMB (2023), the global average cost of a data breach sums up to USD 4.35 million. The highest costs related to the health sector (USD 10.10 million), followed by financial sector (USD 5,97 million).
In some cases, attackers could try to blackmail the company, for example by demanding a ransom for the release of locked data (ransomware attacks).
The effects of a cyberattack can be long-term, even if the immediate problems are resolved. Public trust and the company's competitiveness could be permanently affected.
Depending on the nature of the cyber-attack and the type of data stolen or compromised, legal consequences may be imminent. Data protection laws often require organizations to take appropriate measures to protect personal data.
In the context of data protection, the DGPR obliges both the controller and the processor to ensure the security of the processing of personal data. The tool for fulfilling this requirement is called the technical and organizational measures.
Technical measures or technical data protection means any protection of the security of data processing that can be implemented through physical measures, like the IT systems. But also securing data processing environments, such as facility security. Organizational measures are regularly aimed at operational processes and security structures within an organization.
As we have analyzed above, this is not an onerous requirement from the legislator. Rather, it makes perfect sense, as the damage caused by data theft is very high.
The best way to protect oneself is to implement information security measures, which includes data security and IT- security, and to be prepared for cyber incidents. Most importantly, organizations need to implement a comprehensive cybersecurity training program for all employees and contractors.
SEC Consult has developed several services and programs for assisting and supporting your organisation with expert knowledge in all these areas.
