Customer data security and the risk of identity theft are high in the public consciousness at the moment. This month's Channel 4 Dispatches documentary on data being stolen from Indian call centres has added fuel to a fire that was sparked into life earlier this year with the news that the US Department of Veterans Affairs had lost a laptop containing the personal details of 26.5 million veterans and active service personnel.
But behind the headlines, the issue for UK business goes deeper, with far too many firms not yet having addressed or assessed their core data security risks, or even ensured compliance with the UK's Data Protection Act.

The Department of Trade & Industry's latest Information Security Breaches Survey, published in April, included the statistic that half of all UK retailers and utilities companies do not have formal procedures in place for compliance with the Data Protection Act. This suggests that the data breach problem is likely to get a lot worse before it gets better.

The DTI has said it wants businesses to address the gap by adopting BS7799 or related ISO standards on information security. But despite the rhetoric, awareness of the standard remains low in the UK - just 10% of firms are familiar with its contents - and many UK businesses still appear to be treating data security as a low priority.
"All the evidence suggests that businesses need to take more care of their crucial assets, including business-critical data," said Dan Morrison, a partner at law firm Mishcon de Reya.

"For many firms information is the lifeblood of their business. Where the Data Protection Act - which relates to the storage of personal data - is being neglected, that may mean a company is also not paying sufficient attention to protecting its trade secrets and other crucial company data."

Morrison warned that companies needed to get a better understanding of their vulnerabilities around data security, in part to avoid the threat of litigation.

"If a breach occurs, firms could be sued by shareholders or creditors who could argue that they have not taken adequate care to protect company assets," he said.

Morrison said it was his experience that the biggest threat came from within, and said firms should treat this as their first priority. "It is usually an insider. Insiders know where data is, the value of the data and how to get their hands on it."

He said vulnerable firms could make some relatively simple, but effective changes immediately, and then look to address the bigger issues around systems security.

"Get your employment contracts right so they can act to deter any staff that might be tempted. Also look creatively at where data is held and how it is accessed. You need to adopt a tiered approach to access rights that ensures information is only available to those who need it," said Morrison.
Forrester security analyst Thomas Raschke said an initial security risk assessment looking at the assets and data to be protected also needed to include the likelihood of that data being leaked. "That should form the basis of any data security evaluation. It sounds simple, but many do not do it."

Raschke said that instead many firms still adopted a piecemeal approach to security which could, and often did, leave them exposed.

"You cannot tackle the problem with technology alone. There needs to be a lot of education at every level in the business. Companies and their IT staff need to understand what kind of data employees are dealing with and its commercial value," he said.
With the security of outsourcing arrangements also in the spotlight following the publicity around India's data-theft problems, Raschke said there were risks associated with outsourcing. But he said having a robust approach to every aspect of data security and how firms managed outsourced contracts was potentially more significant.

His stance will come as some comfort to the National Outsourcing Association, which, after the Channel 4 documentary aired, argued that to link fraud to outsourcing overlooks the point that all businesses are vulnerable to data theft.

The association said many call centres had strict security measures in place, including bans on staff carrying storage devices, or even pens. It also said that close management of offshore operations was crucial for any firm contemplating the move, and noted that India was in the process of formalising its equivalent of the Data Protection Act.
Another tool changing the security landscape is the evolution of information leak prevention software, which Raschke said was now catching up with many of the risks firms faced. "There are now lots of firms out there offering software that tries to plug all the holes for you. It can stop data being copied to USBs or even printed out.

"Many firms are looking at this as it can also help them to meet their compliance obligations under legislation like Sarbanes-Oxley."
www.noa.co.uk
www.dti.gov.uk/sectors/infosec
www.forrester.com
Steps to better security

- Define what you mean by security and conduct a full data security assessment.
- Take that assessment and implement it as security policy.
- Review and leverage the security functionality on your existing systems.
- Plug any holes with investment in systems and education.
- Take steps to ensure you understand how security and protection systems are evolving.