By Lea Pachta
– Expert offers practical security tips to avoid serious data loss –
An IT expert at national law firm Cobbetts LLP has described the proposed introduction of new fines of up to £500,000 for organisations who incur serious data losses as “a long awaited wake up call to UK businesses”.
Susan Hall, partner and ICT specialist at Cobbetts, said: “Too many organisations in the UK have, for some time, been lax on data security — putting their employees, customers and stakeholders at risk of fraud. These new fines will have a profound impact on internal procedures, especially at medium-sized, data rich businesses, whose growth commonly out-matches their internal development and the maintenance of procedures.
“Data breaches, especially in large organisations, have the potential to impact millions of people. There was a raft of high-profile private and public sector data losses in 2009, most of which caused significant reputational, and, in some cases, financial damage to the organisations in question. Many of these losses were blamed on human error; however, it is company procedures that ensure data is secure. Security provision for mobile devices and remote access are two simple examples of how companies can improve, while training should also be a priority in changing employee attitudes to data protection and security.
“While for many organisations auditing internal security procedures could lead to significant up-front costs, the peace of mind that a data security policy and regular testing can provide is invaluable.”
The Information Commissioner’s office will be able to issue the new fines from 6 April 2010, with the cost to the company determined by the seriousness of the breach. Other criteria to measure the size of fines will include the finances of the business in question, the impact of the loss and whether the breach was accidental or deliberate.
Susan Hall has compiled five tips for businesses implementing or updating data security policies and procedures:
1. Testing and data audit —
Third-party security testing can identify vulnerabilities in office networks, remote working arrangements and existing applications, so that any pre-existing flaws are found and patched. Testing should be carried out on a regular basis to allow for the detection of new vulnerabilities. Businesses should also audit all the data they hold, taking into consideration how sensitive the information is and which employees need access to specific data sets.
2. Remote working and mobile devices —
Although remote working offers a raft of tangible business benefits, organisations must consider the added security concerns that it presents. At a minimum, all mobile devices, including laptops, USB sticks and smartphones, should be password protected and encrypted. All computers used for remote working should be protected by the organisation’s firewalls and antivirus software. Furthermore, there should be strict policies as to when, how and which employees can use mobile devices.
3. Training —
For many businesses, working practices will be ingrained, and it can often take some time for employees to become security-conscious. To aid this process, a staff training programme should be established to raise awareness of secure working procedures and ensure employees understand the risks of data loss.
4. Outsourcing —
Outsourcing and newer approaches such as cloud computing and software as a service (SaaS) offer organisations flexibility and cost saving benefits. However, contracts for the supply of such services need to be detailed and strict with regards to allocation of responsibility for data security.
5. The insider —
Businesses should be aware that opportunist employees or disgruntled former employees could present a significant risk to data security. Businesses should ensure that only senior employees have access to large amounts of sensitive data, while all access privileges for former employees, including access to email and virtual networks, should be removed as soon as their contract ends.