In July 2019, British Airways was hit with a potential £183 million fine by the Information Commissioner’s Office (ICO).
That’s big – even by big company standards – and comes in the same month hotel giant Marriott International was notified by the ICO of their intention to fine over £99 million for a data breach that initially took place back in 2014 (and was discovered in 2018).
But what do these huge fines mean for SMEs? The numbers are so significant and the brands so large that you’d be forgiven for thinking, “Oh, it’s a big company; this still doesn’t impact me”.
In reality, no business is safe from the ICO’s scrutiny.
Let’s take a closer look at what these two big brands did wrong.
British Airways: “All we need is your credit card details…”
The BA cyber incident started in June 2018 when visitors to its website were diverted to a fraudulent site, enabling cyber criminals to capture the personal data of around 500,000 BA customers.
British Airways identified the incident in September 2018 and notified the ICO. Part of their forensic investigations identified that the incident had started a lot earlier than they had first thought – a full 3 months earlier. Customer log in details, payment card information, and travel data were compromised, along with name and address information.
What can SMEs learn from this? Well, it’s a reminder that security isn’t just a one-time event, but must be an ongoing activity. It’s about keeping an eye on your website and other systems to ensure it’s regularly updated with security patches is vital for businesses of all sizes. Doing simple checks called vulnerability scans can help identify weaknesses. And these checks don’t need to be expensive. Prices can start for as little as £40 for a basic check.
Marriott International: a lack of due diligence
The Marriott data breach isn’t particularly unusual; hackers simply managed to gain access to their back-end system and steal a staggering 339 million guest records.
But here’s the rub. In 2016 Marriott acquired the Starwood hotels group, and it was data from that organisation’s system that was compromised. According to the ICO, Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems”.
The same goes if you’re an SME that acquires another business or begins working with a new partner. Any inherent security issues they have will quickly become yours if you don’t investigate them.
Will the ICO will treat an SME like this?
When the GDPR was introduced, the maximum fine rose from £500,000 to 4% of global turnover. But while big fines like those noted above are likely to continue hitting the headlines, the ICO would obviously prefer it if businesses just complied with the legislation.
So, what’s the likelihood of your SME being hit with a big fine? Providing you take the GDPR seriously and focus on prevention rather than cure, you’ll probably escape the ICO’s wrath.
Here are three quick-fire tips to avoid being slapped on the wrists, big time, like BA and Marriott:
- Do everything you can to prevent data loss. BA were fined so heavily because the ICO believes they should have done more to prevent personal data loss. The same goes for any SME. Technical solutions such as Cyber Essentials, regular staff training, and an IT provider that understands cyber security and the implications of the GDPR will help to ensure you remain compliant.
- Invest in training. Just as you need lessons before you can drive a car, the same goes for cyber security. Can your staff spot a phishing email? Are they aware of the risks inherent with using public WiFi? Are you sure there isn’t a risk of employees stealing information? Our ‘Keeping the Human Cyber Safe’ course is designed to arm your staff with the knowledge they need to keep the business safe from attacks. Get in touch if you want to find out more.
- Treat cyber security as added value for your business. Take action now to prevent future compromises, and you’ll add value to your business. Marriott’s purchase of Starwood included a catastrophic cybersecurity risk. If they’d known about it, the sale might have been cancelled entirely or at the very least the offer reduced considerably. The more cyber secure your business is, the more it’ll be worth to investors and buyers.
So, what can we learn?
As an SME, you could be fined by the ICO. Just this week, an SME received an £80,000 fine from the ICO. And seems people are starting to realise this; we’ve seen a significant increase since the start of this year in customers asking for help completing supplier assessments – particularly if it involves receiving personal data from clients.
Fines are already being issued for non-registration with the ICO, yet it takes just minutes and £40 to do so. Equally, if you can demonstrate that you’re taking reasonable steps to prevent a data breach, the ICO will probably move onto the next suspect.
The takeaway? Think of cyber security as a benefit for your customers. Wouldn’t it be great to start a conversation with a prospective client by saying “we do x, y and z to protect your information”?
Need help with GDPR compliance? Get in touch with our friendly team to find out how we can help you avoid big fines from the ICO and provide ultimate peace of mind for your clients.