The news on Monday had the effect of a bomb: British authorities imposed a fine of £183.5 million on British Airways under the new General Data Protection Regulation (GDPR) for a data breach affecting 500 000 customers.
Amounting to roughly 1.5% of the company’s annual revenue, the penalty imposed on the iconic British brand comes as a warning to all that data security and privacy are not to be taken lightly. While Alex Cruz, Chairman and CEO of British Airways, assures that the company has always responded swiftly to criminal data theft attempts and previously had no indication of fraudulent activity related to the hacked accounts, Michael Veale, Digital Rights Researcher at University College London, affirms the breach was “wholly avoidable [and] resulted from sloppy technical and organizational practices”. In Europe, the enforcement of GDPR signals a will to hold companies accountable for the data they own and to combat the pressing threat of large-scale cybersecurity attacks.
This warning comes at a time when cyberattacks are on the rise and businesses are increasingly ill-equipped to protect the growing quantity of customer information they collect, store and use. According to the 2019 Hiscox Cyber Readiness Report, 61% of the 5400 firms interviewed reported attacks within the past 12 months, a 20-point increase from the previous year, while fewer companies achieved expert scoring on the Cyber Readiness Test. Average costs related to cyberattacks also leapt from $34 000 one year to $200 000 the next; three quarters of respondents planned to have their cybersecurity budget increased from the average $1.5 million.
In the wake of increased regulation and surging cyber threats from individuals and geopolitical entities, business leaders must bring to the board a genuine discussion of the implications of cybersecurity issues for the business and consequently devise, implement and monitor an appropriate defense plan.
Certainly, staff, as essential players in company operations, must be continuously trained in cybersecurity standards and their implications, and passwords must be protected by multi-factor authentication tools, preferably hardware keys or dedicated apps. But companies would also be wise to invest in more sophisticated solutions as malicious bots become hackers’ preferred tools for infecting devices. Finally, as legal and privacy matters become progressively more intertwined with the underlying technology, some call for a team in which traditionally separate departments would merge.
In all cases, the necessity of investing in cybersecurity measures has become apparent: the business environment is changing, and should companies fail to take appropriate measures to ensure the security and privacy of the data they own, they risk losing more than just reputation and clientele, as British Airways discovered.