SMEs' poor server admin may break data laws

Half of the UK's SMEs could be breaching the Data Protection Act

Half of the UK’s small and medium-sized enterprises could be breaching the Data Protection Act because of poor server administration practice, a survey has revealed.

IT research firm Vanson Bourne found that of the 121 SMEs questioned, 94% understood that the Data Protection Act had implications for IT security, yet 59% incurred unnecessary security risks because of poor server configuration. These businesses said they were using default configurations when setting up servers. The research also revealed that 47% of SMEs do not regularly audit the services they have running on their servers.

The seventh principle of good practice under the act states that personal data should be held securely in accordance with the sensitivity of the data and current technological trends. 

Some businesses believed that using the default configuration was the most secure option, but this left services running that businesses did not use, exposing them to potential threats, said Rob Lovell, chief executive at web hosting firm Hostway, which commissioned the research.
“It is not just about the initial installation; businesses need to regularly audit what is running on their servers,” said Lovell. “By installing and leaving services running that are not being used, businesses are essentially leaving doors into the server open, therefore compromising data security.

“With personal details residing on most servers, you can easily see why so many SMEs are at risk of breaching the Data Protection Act. If an SME is found guilty of breaching the act, not only will its reputation suffer but it could also incur financial penalties.”
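The audit Lovell describes, checking what is actually listening on a server against what the business expects to be there, can be scripted. The following is an added example written for this article, not code from Hostway or Vanson Bourne. It reads socket listings in the format produced by `ss -Hlntu` on Linux, compares each listening port against an allow-list, and reports anything unexpected. The allow-list (SSH, HTTP, HTTPS) and the sample socket listing are constructed for illustration; on a real host the listing would come from running `ss` itself.

```shell
#!/bin/sh
# Added example: report listening services that are not on an allow-list.
# Assumption: input is in the column layout of `ss -Hlntu`
# (Netid State Recv-Q Send-Q Local:Port Peer:Port ...).

# Ports this server is expected to serve (constructed allow-list: SSH, HTTP, HTTPS).
ALLOWED_PORTS="22 80 443"

# Constructed sample listing standing in for live `ss -Hlntu` output.
# It includes a database bound to localhost and an RPC portmapper on UDP
# that nobody asked for, the kind of leftover a default install can leave behind.
SAMPLE_SS_OUTPUT='tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0 511 0.0.0.0:80     0.0.0.0:*
tcp   LISTEN 0 511 *:443          *:*
tcp   LISTEN 0 80  127.0.0.1:3306 0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:111    0.0.0.0:*'

# unexpected_listeners ALLOWED_PORTS
# Reads socket lines on stdin and prints "proto port" for every listener
# whose port is not in the space-separated allow-list.
unexpected_listeners() {
    allowed="$1"
    awk -v allowed="$allowed" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Field 1 is the protocol, field 5 is "address:port";
        # the port is whatever follows the last colon, which also
        # handles IPv6 forms such as [::]:22 and wildcards such as *:443.
        $1 == "tcp" || $1 == "udp" {
            port = $5
            sub(/.*:/, "", port)
            if (!(port in ok)) print $1, port
        }'
}

# count_unexpected ALLOWED_PORTS  -- number of unexpected listeners on stdin.
count_unexpected() {
    unexpected_listeners "$1" | wc -l | tr -d ' '
}

# audit_live_host ALLOWED_PORTS  -- run against this machine (Linux with ss).
# Not called automatically so the sample below runs anywhere.
audit_live_host() {
    ss -Hlntu | unexpected_listeners "$1"
}

# Run the audit over the constructed sample.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | unexpected_listeners "$ALLOWED_PORTS"
```

Run as a scheduled job, a non-empty report is the signal to either add the service to the allow-list deliberately or disable it; the allow-list itself becomes the documented record of what the server is meant to expose.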

An individual whose personal data had been stolen from a business running its security below “best practice” could report the company to the information commissioner, who can issue fines and penalties.

Principles of good practice

The Data Protection Act contains eight data protection principles. These state that all data must be:
Processed fairly and lawfully
Obtained and used only for specified and lawful purposes
Adequate, relevant and not excessive
Accurate and, where necessary, kept up to date
Kept for no longer than necessary
Processed in accordance with the individual's rights
Kept secure. The Data Protection Act requires that appropriate security measures are in place to safeguard against unauthorised or unlawful access/processing of personal data
Transferred only to countries that offer adequate data protection.
Source: information commissioner
