Why you should care about keeping your data secure
In April 2025, Marks & Spencer (M&S), a prominent UK retailer, suffered a significant cyberattack that disrupted its online operations for several weeks. The breach exploited a supplier's systems, giving unauthorized access to customer data and causing an estimated £300 million loss.
More and more frequently, the daily news carries reports of companies and organisations falling foul of a data breach as a result of some form of digital attack. Often customer data is leaked to those who may use the data for their own nefarious activities, or sell it to others for theirs.
These reports describe the failures as something that happened to a company, but most do not describe the technology and processes that company employed to keep the data safe from misuse. Instead, the companies email existing customers, listing what data was lost and assuaging any concerns by resetting everybody's password.
The fallout from data loss can be embarrassing, trust-damaging and sometimes even critical, with companies occasionally having to cease trading as a result of the financial impact; TravelEx and National Public Data are two recent examples in addition to Marks and Spencer. Even if the company survives the loss of key customer and operational data, there may be a severe loss of trust in the organisation by its customers and other organisations.
What do we mean by security?
Security, in this context, refers to the practices, tools, and behaviour that protect systems and data from unauthorized access, use, disclosure, disruption, or destruction.
Unfortunately, security is not an absolute. Nothing is 100% secure or 100% insecure; instead, security exists on a spectrum. The organisation’s position on the spectrum will likely change over time as new techniques and technologies are discovered and used, and are either integrated by the organisation or not.
An organisation’s security can range from no effort expended in protecting data, through one-off attempts to secure data at a specific time, to well designed and managed processes that change over time in response to the changing environment they operate in. Keeping out low-sophistication attackers should be relatively straightforward, as these scripted attacks exist only because of those organisations at the weak end of the spectrum. The National Cyber Security Centre describes these types of attacks in detail in their Common Cyber Attacks white paper.
Whilst attacks on organisations that result in data breaches are often perceived as an entirely technical phenomenon, many are the result of social engineering, which according to the famous hacker Kevin Mitnick “bypasses all technology, even firewalls”. By manipulating users into performing actions on behalf of the attacker, it is possible to obtain access to systems with minimal technical effort, as a telephone call from "the IT department" about your most recent password often isn’t treated with as much suspicion as it should be. Organisations can minimise the occurrence of social engineering by training staff to recognise phishing attempts and fake IT calls. In addition, simulating social engineering attacks as part of regular training and requiring the use of 2-factor authentication would help as a reminder of the risks staff face.
The results of a data breach
The after-effects of a data breach can be quite far reaching, both for the organisation and for the subject of the data, often a customer but sometimes a supplier or related organisation. Depending on how the data was managed and what data was breached, the data exposed could range from behavioural data (such as shopping or browsing habits) to highly sensitive financial information such as stored credit card numbers.
Losing customer, investor, partner or supplier data can damage both the company’s trust and brand, causing long-term reputational damage that may be hard to regain after this type of incident. It may also damage the operational stability of the company, making it hard or impossible to continue to operate as a business until the situation is resolved.
Financially, there are likely to be fines if the breach was out of compliance with data laws such as the European GDPR, or the CCPA and HIPAA in the United States, all designed to impose accountability on organisations for the secure storage of potentially sensitive data. The overall cost can be substantial, with the Cost of a Data Breach report suggesting that globally the average cost of a breach was $4.88 million in 2024. Fines come in addition to potential legal fees and compensation, lost business, and the cost of actually resolving the incident.
Challenges and Approaches
As we previously discussed, there is no absolute security, and aligned with that, there are no perfect solutions. There are however some generally accepted good practices that after implementing will improve the security of your data. Once implemented there will need to be a continuous process of monitoring, evaluation and updates to keep ahead of the fast changing world of technology.
There are many ways to determine the practices to follow, and the National Cyber Security Centre provides solid guidance on data security as part of their 10 steps to cyber security. Other guidance is available from many trusted sources, and whilst it would be unwise to consider only one, care must be taken when merging multiple sources of guidance to ensure the result is not conflicting and does not damage the organisation's security position.
Protecting the data
Protecting data effectively is essential for any organisation. Data is vulnerable at every stage of its lifecycle, and if not properly managed, the organisation can be exposed to serious risks.
Security breaches are often thought to occur when data is being used, but data is frequently lost while being moved between systems and even from its final storage location. Stored data might be at risk due to misconfigured cloud storage, forgotten backups or poor access controls, and data in transit might be at risk due to unsafe wifi networks or compromised networks. This is why it is key that data is encrypted both in transit and at rest.
Implementing strict controls around who can access, consume or change data, whether it is being stored, transferred or processed, significantly reduces the risk of compromise. Only those who need access should have it, with clear rules and monitoring in place for everybody so that sensitive or business-critical information remains secure and intact.
Data should be assessed and protected based on its sensitivity. This might mean using encryption when storing or sending certain types of data, or it might mean tightening controls on who can see or edit it. Keeping software up to date and monitoring how data is accessed also play a big part. The ability to spot unusual activity quickly is key to limiting the damage if something does go wrong, and to increasing the speed of the response.
Setting clear data policies
Having clear policies in place around how data is stored, moved, and eventually disposed of makes it much easier to manage risk. When everyone in the business understands their responsibilities—and why they matter—it becomes part of the culture, not just a checkbox exercise. Regular training helps keep this front of mind for staff and ensures that procedures are followed consistently.
Creating a response plan
No organisation can completely rule out the risk of a breach, which is why it’s just as important to plan for when something goes wrong. Having a tested response plan allows you to act quickly and reduce both the immediate and long-term fallout. That might mean protecting your reputation, meeting legal obligations, or simply being able to carry on operating. In today’s threat environment, readiness is just as important as prevention.
What’s next?
Since breaches are a matter of when, not if, every organisation must regularly ask whether it is ready for the result. Assessing your current practices, revisiting your response plans, and investing in both people and processes are a necessity and an ongoing commitment.
Luckily, you don’t have to do this alone: we can support you in increasing your confidence in the security and management of your data. We can help you review your current Data Architecture or design one from scratch, implement a data governance framework with policies and processes that improve the management of your data, or simply meet your compliance obligations for any sensitive data you hold.
If you’d like to learn more about how we can support you, get in touch with one of our data specialists now.