Posts Tagged ‘information commissioner’

Legal and financial firms should follow the ICO’s data security guidelines, too

August 10, 2012

Just two days after the news that a Torquay health trust had been fined £175,000 for publishing sensitive data about more than 1,000 of its own employees on its website, the Information Commissioner’s Office (ICO) released its top five areas needing improvement if an SME is to keep personal and sensitive information safe. Although aimed at charities and public sector organisations, these tips are equally relevant to the private sector, in particular the financial and legal arena, where a vast amount of personal and sensitive information is handled.

The guidelines issued by the ICO include giving employees data protection training, being clear about what use is made of personal information, and having an established data retention period so that information is kept only for as long as necessary. It is worth highlighting the emphasis on the ‘people’ factor and the role of security awareness training in protecting information within an organisation. Human error is still the leading cause of data protection breaches across the UK, and most of these breaches are not malicious: about a third of all data breaches (36 per cent) are due to negligent employees, according to the latest Symantec/Ponemon Institute ‘UK Cost of a Data Breach’ study. It is therefore crucial to give more attention to educating people rather than simply concentrating on purchasing the latest data protection tools and technology.

Organisations have to act in two ways. On one side, they have to train their employees so that they are more aware of data protection regulations, the risks that apply to the organisation and its internal policies, and the consequences of not following those regulations and policies. On the other side, they need to protect themselves from their own employees, by making sure encryption is used on all devices and by limiting access to data to only those who are authorised to see it.

If personal and sensitive information is lost, stolen or made public, the organisation responsible for the breach will potentially face a hefty fine, but the consequences of a data breach are not only financial. Especially in the case of financial and legal firms, there will also be reputational damage, which may be too difficult to recover from.

While for a large multinational company the financial and reputational loss involved may not affect its bottom line or market position very much, the same is not true for small and medium-sized enterprises. With less money at their disposal and a limited number of loyal clients, a large fine can severely affect their capital, and the subsequent reputational loss might lead to loss of business and, ultimately, failure.

For this reason, it is increasingly important that SMEs in the legal and financial sector invest time and resources in preventing information security incidents, rather than paying for their mistakes at a later date. A lot of trust is placed in these organisations by their clients, so the least they can do is make sure that their clients’ details are kept safe and secure, ensuring that this trust is well deserved.

David Cowan, Head of Consulting Services


Is information safe enough at NHS trusts?

April 1, 2010

It looks like NHS trusts are starting to realise that information security is not just a matter of using complex passwords, locking drawers at the end of the day and installing the latest firewall and antivirus solutions. The Information Commissioner has been particularly critical of the NHS in the past because of a high proportion of security breaches resulting from inadequate information security controls and staff awareness programmes.

The result has been an NHS-wide initiative to ensure that all removable media, including laptops and USB drives, are encrypted. However, this may not be enough. As the BBC reported recently, a remarkable number of non-medical personnel at UK trusts have access to patient records, including recent medical history: at least 100,000 people, including porters, hospital domestics and IT staff, according to a Big Brother Watch survey.

It seems that the risk comes not only from staff at off-shore service providers collecting and selling British data to make a few extra pounds, as reported on ITV not long ago. It also comes from internal personnel who can access extremely sensitive data without the appropriate authority and without preventative controls in place.

This is not surprising: data collected in the BIS Information Security Breaches Survey 2009 showed that 60 per cent of all companies had suffered a security breach in the previous two years and that, of these, 50 per cent were perpetrated by staff. Some of these incidents were premeditated or malicious, but in many cases they were simply a matter of a stolen laptop or a lost removable media device.

There is an obvious need for greater awareness of information security regulations across the entire organisation, and measures must be taken to protect personal and sensitive data. Management in particular need to be involved, both to avoid resentment and complacency among staff and to ensure that everyone takes the matter seriously.

In the case of the NHS, the information at risk is highly sensitive and breaches can have very serious outcomes. The consequences of Data Protection Act breaches are not confined to costly fines and a few employees being fired: it is the organisation’s reputation that suffers the most.

This risk can be mitigated by conducting an independent gap analysis and security review, which assesses compliance with information security best practice (e.g. ISO 27001 and the IG Toolkit v7) and confirms that the information held within an organisation is adequately protected, reducing both the risk of incidents and the cost to the business.

Equally important are staff awareness sessions in which not only general staff but also executives participate; executive involvement is vital in creating a culture where information security is part of the organisation’s DNA.


David Cowan, Head of Infrastructure and Security