How can you protect your media business from data breaches?
The recent data breach at Dentsu is a reminder that even the most established players in the media and marketing services industry can be exposed – with employee, supplier and client data at risk. This year has seen a spate of cyber-attacks on major businesses, creating serious risks for those whose personal data has been compromised and significant financial implications for the businesses involved. What can you do to reduce the risk of falling foul of such incidents, and how should you respond if the worst were to happen?
Secure your personal data
Robust data protection controls can certainly help. Having a comprehensive record of what personal data you hold, where it is stored and the risks that could materialise if it were compromised gives you better visibility and understanding of your risks. This in turn will help you decide how best to secure the personal data you hold – the more sensitive the personal data or the more severe the potential risks, the more stringent your security measures should be. Encrypting personal data, implementing proper access controls and putting tools in place to protect against viruses and malware are all areas you should consider.
It is also important not to forget the other measures that are key to preventing security incidents. Not everything comes down to technical controls – it is equally important to ensure you:
- Have documented policies in place particularly around information security and breach management;
- Train staff regularly on information security as well as how to identify and report breaches; and
- Have robust due diligence procedures for selecting suppliers to ensure you are confident that personal data will be kept secure throughout your supply chain.
Incident response
If the worst does happen, it’s crucial to have strong breach response procedures in place so you can act quickly and comply with any notification obligations. Key areas to consider:
- Do you have a breach response plan in place, and does it set clear roles and responsibilities for managing the incident?
- Are you confident your staff can identify breaches and know exactly what to do, and who to inform?
- Do you have procedures for notifying affected individuals and working with them to minimise any risks to them arising from an incident?
- Do you have proper procedures for restoring access to affected systems quickly?
Quickly identifying and reporting incidents is key to ensuring you can contain the incident and minimise any risk. Personal data breaches must be reported to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of them. Having clear risk assessment criteria and a dedicated person responsible for assessing incidents is vital to meeting this deadline. Finally, ensure you have steps in place to conduct post-incident reviews that identify and document lessons learned, to prevent future occurrences.
It’s easy to assume it will never happen to you, but the reality is that anyone can fall victim to an attack, and the consequences can be significant – not just for the business, but for the individuals whose information is affected. Having robust security measures and an effective breach response plan in place can help mitigate these risks.
Esther Carder, Head of Media at Moore Kingston Smith, commented: “The recent Dentsu breach highlights just how vulnerable the media sector is to cyber and data threats. Handling vast amounts of data makes businesses across the industry an extremely attractive target. Businesses should be regularly reviewing their protection measures and response plans – ensuring they’re properly covered and prepared for when, not if, a breach occurs.”
If you would like to find out how our Moore Kingston Smith Data Protection Services Team can help ensure you have the correct measures in place, please get in touch. Our team can help you assess risks, implement best practices, and ensure you are ready to respond quickly if an incident occurs.
Written by Ian Inman, Data Protection Officer at Moore Kingston Smith.
