
The private sector needs to take data privacy more
seriously if it is to stop the Information Commissioner's
Office getting the power to audit their
information security systems without warning, says James Alexander,
technology security partner at Deloitte, a management consulting
firm.
"Companies need to take the bull by the horns," Alexander told
Computer Weekly. His comments followed
Deloitte's
finding that only 54% of technology, media and
telecommunications (TMT) firms will tell customers if their data
privacy is breached.
Alexander said the
ICO won "stop
and search" powers to spot-check public sector firms' data
protection procedures following the loss of 25 million personal
records by HM Revenue & Customs (HMRC) last year. "If private
sector firms do not want similar scrutiny, they need to become more
proactive," he said.
Alexander said half of TMT firms are spending less than 3% of
their IT budgets on data security, and only 5% are budgeting to
increase their spend by 15% or more. "They are only treading
water," he said, noting that only 7% of respondents believed they
are prepared for future security threats.
However, three-quarters of firms said "human error" by insiders
was the greatest danger, ahead of operations and technology.
"The HMRC incident showed that information security can no
longer be considered a back-office function," Alexander said.
Companies now underestimate the impact of data breaches, but the
ICO's new powers, if applied to the private sector, could force a
radical revision of the risks they face, he said.