The private sector needs to take data privacy more seriously if it is to stop the Information Commissioner's Office getting the power to audit their information security systems without warning, says James Alexander, technology security partner at Deloitte, a management consulting firm.
"Companies need to take the bull by the horns," Alexander told Computer Weekly. His comments followed Deloitte's finding that only 54% of technology, media and telecommunications (TMT) firms will tell customers if their data privacy is breached.
Alexander said the ICO won "stop and search" powers to spot-check public sector firms' data protection procedures following the loss of 25 million personal records by HM Revenue & Customs (HMRC) last year. "If private sector firms do not want similar scrutiny, they need to become more proactive," he said.
Alexander said half of TMT firms are spending less than 3% of their IT budgets on data security, and only 5% are budgeting to increase their spend by 15% or more. "They are only treading water," he said, noting that only 7% of respondents believed they are prepared for future security threats.
However, three-quarters of firms said "human error" by insiders was the greatest danger, ahead of operations and technology.
"The HMRC incident showed that information security can no longer be considered a back-office function," Alexander said. Companies now underestimate the impact of data breaches, but the ICO's new powers, if applied to the private sector, could force a radical revision of the risks they face, he said.