IT managers often talk about the security of their systems. Robust firewalls, up-to-date virus checks, controlled remote access and the insatiable need to back everything up at every opportunity all reinforce a job well done, writes Garry Mackay. However, no matter how good the security or how much money is thrown at maintaining the integrity of systems, there is a fundamental flaw: people. Whatever the origin of the quote, the reality is that you really are "only as strong as your weakest link", and that link is rarely the systems but the users.
The IT profession faces a very difficult balance, and one that will never be easy to achieve. On the one hand, IT staff are tasked with ensuring the integrity of business IT systems; on the other, they are expected to adapt to a firm's changing needs – which often means greater mobility and greater access to data whilst on the move. The difficulty is that, once data is allowed out of the controlled environment of the business's infrastructure, the risk of inadvertent disclosure inevitably increases.
A report in the Sunday Times highlighted the problem. Having visited numerous internet cafés, reporters discovered a number of serious confidentiality breaches. Information left on the hard drive, desktop links and browser history apparently included:
- Personal details of unemployed 18-24 year olds belonging to a government-affiliated company;
- An internal company memo about the cocaine habits of one of its employees;
- Details of child models used by John Lewis in its advertising.
All confidential, all potential breaches of the Data Protection Act (DPA) and all accessible because an individual failed to take prudent steps to ensure that information they had access to and control of had been deleted from public access.
Internet cafés, or public access points of any sort, should work with their customers to protect users' security. Deleting settings on log-out, regularly wiping content from hard drives and giving users clear warnings of the risks they are exposing themselves to are simple ways of helping customers understand and mitigate the risks of using these systems. But it is the individual, and often their employer, who are likely to find themselves in trouble with the Information Commissioner (ICO) for failing to take adequate steps to protect data.
It is easy for lawyers to scare-monger and overplay risk, but recent cases have highlighted the ICO's growing willingness to levy hefty fines on organisations that ignore (whether deliberately or not) their confidentiality obligations. It is no longer uncommon to see fines in excess of £100,000 for data security breaches. A recent example is NHS Surrey, fined £200,000 on 12 July 2013 after the patient records of 900 adults and 2,000 children were found on a second-hand computer purchased from an online auction site. The sensitive information was inadvertently left on the computer and sold by a data destruction company employed by NHS Surrey to wipe and destroy out-of-date computer equipment.
After being alerted to the problem, NHS Surrey reclaimed a further 39 computers sold by the trading arm of their data destruction provider, three of which still contained sensitive personal data. The ICO’s investigation found that NHS Surrey had no contract in place with their new provider and there had been no explanation of the provider’s legal requirements under the Data Protection Act. NHS Surrey had also failed to observe and monitor the data destruction process.
Businesses need to understand that their obligation to protect data does not end once it is outside their internal systems, nor does it become the sole risk and responsibility of the individual who removes it. Data left on trains, left on unencrypted devices or simply left on the hard drive of an internet café exposes a business to the risk of fines and other sanctions, including monitoring or even orders to cease activity. Businesses need to ensure their IT managers and other departments – including HR – are working together not only to put in place robust practical systems (for example, encrypted laptops and remote wiping), but also to ensure they have clear computer use policies and that staff are properly trained to understand the risks and exposure that their actions or failures can cause.
In summary, technology can only protect data so far; businesses also need to change the behaviour of their staff.
Garry Mackay is partner and head of Commercial Services at Ashfords Solicitors