UK firms must wake up to security

With recent headlines focusing on overseas data security breaches, it is all too easy for UK firms to be complacent. But the threat at home is every bit as real.

Customer data security and the risk of identity theft are high in the public consciousness at the moment.

This month's Channel 4 Dispatches documentary on data being stolen from Indian call centres has added fuel to a fire that was sparked into life earlier this year with the news that the US Department of Veterans Affairs had lost a laptop containing the personal details of 26.5 million veterans and active service personnel.

But behind the headlines, the issue for UK business goes deeper, with far too many firms not yet having addressed or assessed their core data security risks, or even ensured compliance with the UK's Data Protection Act.

The Department of Trade & Industry's latest Information Security Breaches Survey, published in April, included the statistic that half of all UK retailers and utilities companies do not have formal procedures in place for compliance with the Data Protection Act. This suggests that the data breach problem is likely to get a lot worse before it gets better.

The DTI has said it wants businesses to address the gap by adopting BS7799 or related ISO standards on information security. But despite the rhetoric, awareness of the standard remains low in the UK - just 10% of firms are familiar with its contents - and many UK businesses still appear to be treating data security as a low priority.

"All the evidence suggests that businesses need to take more care of their crucial assets, including business-critical data," said Dan Morrison, a partner at law firm Mishcon de Reya.

"For many firms information is the lifeblood of their business. Where the Data Protection Act - which relates to the storage of personal data - is being neglected, that may mean a company is also not paying sufficient attention to protecting its trade secrets and other crucial company data."

Morrison warned that companies needed to get a better understanding of their vulnerabilities around data security, in part to avoid the threat of litigation.

"If a breach occurs, firms could be sued by shareholders or creditors who could argue that they have not taken adequate care to protect company assets," he said.

Morrison said it was his experience that the biggest threat came from within, and said firms should treat this as their first priority. "It is usually an insider. Insiders know where data is, the value of the data and how to get their hands on it."

He said vulnerable firms could make some relatively simple, but effective changes immediately, and then look to address the bigger issues around systems security.

"Get your employment contracts right so they can act to deter any staff that might be tempted. Also look creatively at where data is held and how it is accessed. You need to adopt a tiered approach to access rights that ensures information is only available to those who need it," said Morrison.

Forrester security analyst Thomas Raschke said an initial security risk assessment looking at the assets and data to be protected also needed to include the likelihood of that data being leaked. "That should form the basis of any data security evaluation. It sounds simple, but many do not do it."

Raschke said that instead many firms still adopted a piecemeal approach to security which could, and often did, leave them exposed.

"You cannot tackle the problem with technology alone. There needs to be a lot of education at every level in the business. Companies and their IT staff need to understand what kind of data employees are dealing with and its commercial value," he said.

With the security of outsourcing arrangements also in the spotlight following the publicity around India's data-theft problems, Raschke said there were risks associated with outsourcing. But he said having a robust approach to every aspect of data security and how firms managed outsourced contracts was potentially more significant.

His stance will come as some comfort to the National Outsourcing Association, which, after the Channel 4 documentary aired, argued that to link fraud to outsourcing overlooks the point that all businesses are vulnerable to data theft.

The association said many call centres had strict security measures in place, including bans on staff carrying storage devices, or even pens. It also said that close management of offshore operations was crucial for any firm contemplating the move, and noted that India was in the process of formalising its equivalent of the Data Protection Act.

Another tool changing the security landscape is the evolution of information leak prevention software, which Raschke said was now catching up with many of the risks firms faced. "There are now lots of firms out there offering software that tries to plug all the holes for you. It can stop data being copied to USBs or even printed out.

"Many firms are looking at this as it can also help them to meet their compliance obligations under legislation like Sarbanes-Oxley."

Steps to better security

  • Define what you mean by security and conduct a full data security assessment.
  • Take that assessment and implement it as security policy.
  • Review and leverage the security functionality on your existing systems.
  • Plug any holes with investment in systems and education.
  • Take steps to ensure you understand how security and protection systems are evolving.
