UK security regulations need teeth

The recent launch of a new forum dedicated to promoting security awareness in both business and industry raises once more the question: how effective can awareness campaigns ever be?

At the launch event, Chris Potter of PWC made the point that 'awareness' by itself is no guarantee of security unless it is accompanied by a change of behaviour. Users may be aware that it is not a good idea to put unencrypted personal bank details on a CD and put them in the post. But if their boss wants the job done yesterday, and they are keen to please the boss, then you can see why they might think it's better to take a chance rather than appear uncooperative.

Potter also reminded the audience that most security breaches do not arise from a single major failure. They happen as a result of a series of small errors or omissions that may combine to produce cataclysmic effects. At least one of those errors or omissions will involve a person who, if properly trained, could raise the red flag and stop the disaster happening. But again awareness is not enough by itself if the person involved does not feel empowered to act.

If we really want to tackle this problem, then we need to take a broader view. The legal enforcement of security in the UK and Europe is still very weak compared to what happens in the US. In most states of the US, the mandatory disclosure of any loss of personal data forces careless companies to be named and shamed.

In the UK, we still leave companies to sort things out behind closed doors if they insist. Admittedly, since the case of the lost Nationwide laptop two years ago, more organisations have chosen voluntarily to make disclosure, weighing up that it's probably best to look as if you care rather than to be exposed later.

But the regulatory system is far too weak to strike fear into the hearts of senior managers.

The Information Commissioner's Office, which monitors privacy issues, recently complained in evidence to a Parliamentary committee that its annual budget of £10 million is too paltry to allow it to operate effectively.

At the same time, the Financial Services Authority (nicknamed in some quarters the Fundamentally Supine Authority for its handling of the Northern Rock affair) is said to be losing senior managers at an alarming rate as they move to more lucrative jobs in the companies they have been paid to police.

Furthermore, the £980,000 fine levied by the FSA against Nationwide in February 2007 was seen by many as a mere slap on the wrist, given the potential impact of the data loss involved. Many companies might still reckon it's worth the gamble to skip expensive security and just pay the fine if they get caught.

That attitude needs to be changed, and the only way to achieve it is to give real teeth and resources to the UK security regulations. Proposals are already with Government to make security breaches a crime punishable by a prison sentence in some cases. Whether that will happen – and how blame could be allocated to an individual – have still to be worked out.

But the existing Data Protection Act does already provide for unlimited fines in cases of serious misuse of personal data. If those powers were to be applied by the Information Commissioner, and the fines were high enough, then it might encourage more companies to take the whole thing seriously. But we need a much more aggressive approach from the ICO than we have seen so far.

Only then might organisations be persuaded, not only to encourage awareness of security regulations, but to implement a real change in the way people behave.
