In the wake of the £183m fine levied on British Airways by the Information Commissioner’s Office (ICO), it is clear that best-practice data security is essential for large enterprises.
BA’s fine stems from a large-scale data breach which started in June 2018 and culminated in the data of around 500,000 BA customers being accessed by hackers.
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience,” said the ICO’s Information Commissioner, Elizabeth Denham.
She continued: “That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
GDPR in action
The size of the fine imposed on BA dwarfs the now seemingly minuscule £500,000 fine imposed on Facebook for its part in the Cambridge Analytica scandal.
The EU-wide GDPR regulations, which came into effect in May 2018, have markedly increased the scope for the ICO and its European equivalents to hit large enterprises with fines. Non-compliance with GDPR can result in fines of up to 4% of an enterprise’s global turnover.
To put that into context, Facebook would have been liable for a fine of up to £1.8bn under GDPR regulations.
C-Suite must ensure best practice cyber security is followed
Data security is paramount for large enterprises and best practice must be followed to protect organisations from the huge penalties that can now be levied by the ICO and other governmental bodies.
Many organisations are actively working to improve processes, and BA has been praised by the ICO for its efforts to improve its security arrangements. However, there is still a long way to go, and many large organisations are still leaving themselves at risk of a data breach.
Protect against the most common cause of data breach
More than 80% of data breaches are caused by weak or stolen passwords. Large enterprises that rely on passwords for employees to access systems are leaving a door open for hackers to gain access to their networks.
One way in which boards can mitigate their risk of fines is by showing a best-practice approach to employee identity. This means using strong multi-factor authentication for employees to log in.
Strong multi-factor authentication means providing employees with a simple, seamless way to prove their identity by PIN or biometric and by using a device they’ve previously proven to belong to them.
With two factors of proof, a physical device (smart card, USB token, smartphone, laptop) together with a PIN or biometric, users are able to simply prove who they are and securely access a system. The threat from remote hackers is therefore mitigated, as they will not have the physical device even if they have a PIN. Similarly, they will not have the biometric.
As hacking techniques become more advanced, the lines between employee and personal devices blur, and more enterprise systems become accessible via the cloud, a robust means for employees to prove they are who they claim to be is integral to data security.
Discover MyID credential management software for digital employee identity and why it’s trusted by large organisations around the world to issue and manage credentials for strong multi-factor authentication.