Policy and technology: the belt and braces of data protection

The flurry of recent high-profile data security breaches highlights how easy it is to hit the headlines for the wrong reasons. But avoiding infamy is not that difficult.

Every week it seems a story breaks about the loss of laptops and storage media holding personal details. Late last year it was HM Revenue's loss of 25 million personal details on two CDs which hit the headlines. And already this year, the MoD has admitted to losing 69 laptops in the past 12 months, including one which held information on 600,000 people who had applied to join the armed forces. Almost reduced to a footnote among these colossal failures of data protection was the loss this month by a Stockport NHS employee of a USB stick containing the details of 4,000 patients.

At present there is little in law to force organisations to look after data better. The Data Protection Act is vague about the obligation not to let data fall into the wrong hands, with a breach only considered to have occurred if the lost data is misused. Unlike their US counterparts, British organisations do not have to disclose data losses either, although most do, to lessen the damage to their public standing that is likely if they don't. Public sector organisations are also free from the threat of prosecution under Crown Immunity.

So, do we need a change in the law? Should encryption of data or disclosure of losses be enforced? It is difficult to find anyone in the industry who thinks so.

Guy Bunker, chief scientist with Symantec, says mandatory encryption would impose an intolerable overhead on British business.

"I don't think there should be mandatory encryption for these types of media in all circumstances," he says. "Managing keys is very time consuming and needs good processes to avoid problems. We don't want to be making it more difficult to do business than necessary."

Neither should disclosure be made mandatory, says Hamish Macarthur, chief executive of analyst group Macarthur Stroud International.

"We don't need a change in the law to enforce disclosure," he says. "Naturally it is good to see egg on the faces of organisations that lose data, but we don't live in a perfect world, and if disclosure were enforced, insignificant cases could be blown out of proportion, with more damage than is warranted to the business, its customers and business partners."

The key to best practice is a combination of good processes and culture plus technological solutions, with the emphasis on the former.

Fundamentally the responsibility needs to be placed on the CIO and from there down to all employees who handle data that is in any way sensitive, says MSI's Macarthur.

"The CIO needs to be very clear about the level of responsibility that needs to be shown towards the organisation's information assets," he says. "And that point also needs to be made to individual employees."

MSI research has found that where staff members know they are responsible for data, and that their reputation, credibility and future employability will suffer if they lose it, they take that responsibility seriously. That is also the attitude of Dave Lipsey, infrastructure manager with the Ordnance Survey.

"If people are stupid enough to download information they don't really need from central servers they should be sacked," he says. "It's not to do with security or encryption but with bad work practices. Data is held on central servers for a good reason - because there is a lot of it and it needs to be held securely, and it needs to be managed and backed up."

There's no doubt that individuals taking personal responsibility for data would have meant some recent losses were avoided. But is the threat of career-limiting sanctions enough? Such awareness among staff has to become part of an organisation's culture, and cultures aren't created overnight, especially in workplaces where contractors come and go. Best, then, to add technological braces to the cultural belt, says Quocirca service director Clive Longbottom.

"It's easy to say that IT or the business should put in place policies that forbid employees from taking out such information," he says. "However, employees are renowned for paying no attention to policies, and therefore, something more technically efficient has to be put in place."

In fact what's needed is a carefully blended set of people-oriented policies that can begin to form a culture that treats sensitive data with the care it deserves, allied with appropriate technology. The latter can be quite simple things, such as using a secured connection over the internet to access central repositories of information rather than carrying data offsite.

Where a culture among staff is difficult to bring about, perhaps because of a high turnover of contractors, as in large public sector organisations, making copies of data – as happened at the Revenue – needs to be made more difficult. A federated database architecture, such as the master data model, can help achieve this.
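As an added illustration of the kind of technical control Longbottom has in mind, and of one way to make taking copies harder, the Go program below is example code written for this page, not anything from the article or the firms quoted in it. It gates a file about to be copied to removable media: it looks for NHS numbers, validates each against the Modulus 11 check digit that NHS numbers carry, and refuses the export when more than a set number of validated identifiers are present. The export contents, the record limit and the function names are all constructed for the example; a real deployment would call the gate from a device-control or DLP hook.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// nhsPattern matches ten digits written as 3-3-4 groups with optional spaces or hyphens.
var nhsPattern = regexp.MustCompile(`\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b`)

// ValidNHSNumber applies the Modulus 11 check used by NHS numbers: the first nine
// digits are weighted 10 down to 2, summed, and the check digit is 11 minus the
// remainder (11 becomes 0; a result of 10 means the number cannot be valid).
func ValidNHSNumber(n string) bool {
	digits := strings.NewReplacer(" ", "", "-", "").Replace(n)
	if len(digits) != 10 {
		return false
	}
	sum := 0
	for i, c := range digits {
		if c < '0' || c > '9' {
			return false
		}
		if i < 9 {
			sum += int(c-'0') * (10 - i)
		}
	}
	check := 11 - sum%11
	if check == 11 {
		check = 0
	}
	if check == 10 {
		return false
	}
	return check == int(digits[9]-'0')
}

// FindNHSNumbers returns the validated, de-duplicated NHS numbers found in text.
// Ten-digit strings that fail the check digit (invoice numbers, phone numbers) are ignored.
func FindNHSNumbers(text string) []string {
	seen := map[string]bool{}
	var out []string
	for _, m := range nhsPattern.FindAllString(text, -1) {
		norm := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if ValidNHSNumber(norm) && !seen[norm] {
			seen[norm] = true
			out = append(out, norm)
		}
	}
	return out
}

// ExportDecision is what the gate hands back to the copy hook.
type ExportDecision struct {
	Allowed bool
	Reason  string
	Matches []string
}

// GateExport blocks the copy when it carries more than maxRecords validated NHS numbers.
func GateExport(content string, maxRecords int) ExportDecision {
	matches := FindNHSNumbers(content)
	if len(matches) > maxRecords {
		return ExportDecision{Allowed: false, Matches: matches,
			Reason: fmt.Sprintf("%d validated NHS numbers exceed the limit of %d for removable media", len(matches), maxRecords)}
	}
	return ExportDecision{Allowed: true, Matches: matches,
		Reason: fmt.Sprintf("%d validated NHS numbers, within the limit of %d", len(matches), maxRecords)}
}

// sampleExport is a constructed file: two valid NHS numbers, one ten-digit string that
// fails the check digit, and a phone number that the pattern does not match at all.
const sampleExport = `patient,nhs_number,postcode
Alice Example,943 476 5919,M1 1AA
Bob Example,401-023-2137,SK1 3AB
ref,1234567890,invoice reference (check digit fails)
helpdesk,07700 900123,phone number (ignored)
`

func main() {
	d := GateExport(sampleExport, 1)
	fmt.Printf("allowed=%v reason=%q matches=%v\n", d.Allowed, d.Reason, d.Matches)
}
```

The check digit matters: without it the gate would fire on every ten-digit reference number in the building and staff would learn to ignore it, which is the same failure mode Longbottom describes for written policy.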

Of course there will always be a need for some roaming users to have access to data offline, and IT departments should have policies and procedures in place that dictate what information can and can't be taken off the premises, says Donal Casey, security consultant with Morse.

"Businesses need to put measures in place to make certain that all devices are not only password protected but also that any sensitive corporate information is encrypted, ensuring that if a mobile device does go missing, any sensitive information contained within is still protected," he says.

This can range from full disk encryption for laptops through to password-protected USB sticks that can be disabled if lost. Note that a password on its own is no protection unless the stored data is actually encrypted: otherwise the flash chips can simply be read directly.

Such technologies are widely available, and the policies needed to make people responsible for sensitive data are not rocket science. Clearly though the awareness that these need to be implemented is taking some time to sink in, says Jon Collins, service director with analyst group Freeform Dynamics.

"Technologies exist to protect people from their own behaviours, and policies need to be implemented to ensure the risks of such behaviours are minimized," he says.

"This is not new, but clearly, there are still plenty of organisations that are yet to emerge from the primeval swamp when it comes to implementing appropriate levels of security practice," says Collins.
