Mention IT security and the risks that come to mind are hackers, phishers and other external threats. But what if we told you that your biggest IT security threat was internal?
We’re not talking about fraud here, but about simple data security. Have you ever thought about the implications of a disk filled with data going missing in the post, a company laptop being stolen, or an employee not disposing of data correctly?
If you haven't considered these risks already, now is the time to tighten your policy: not only is a breach bad for your business, but the Information Commissioner's Office (ICO) has new powers to deter data security breaches. The ICO will be able to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act. Stricter compliance powers have been called for over a long period; until now the law has been somewhat toothless. This will affect every business that holds any type of personal data.
Since the Data Protection Act was originally introduced in 1998, companies have failed to comply time and time again and have had to deal with the consequences:
NOVEMBER 2007
The personal records of 25 million individuals, relating to child benefit payments, were lost when two disks were posted. There was more than enough information to potentially allow identity theft and fraud. The crucial point was that although the disks were password protected, they had not been encrypted. Richard Thomas from the ICO said: "Incidents like these illustrate that any system is only as good as its weakest link. The alarm bells must now ring in every organisation about the risk of not protecting people's personal information properly."
JANUARY 2008
A retailer was found in breach of the Data Protection Act after the theft of an unencrypted laptop that contained the personal information of 26,000 employees. The laptop was stolen from the home of a contractor.
JANUARY 2010
Social work records that contained sensitive personal data were found in a filing cabinet purchased second hand by a member of the public. The files were duplicates of documents held in the council's offices and had allegedly been used by a social worker during casework duties.
JANUARY 2010
Clients' details were found in two large waste bins intended for the use of local residents, including mortgage applications, client bank account details and copies of documents used to verify client identity. The company signed an official undertaking to improve data security.
All these situations highlight how easily companies can find themselves in breach of the Act. No-one can prevent items being lost or stolen, and organisations cannot constantly monitor staff. But if these incidents had happened after April 2010, the organisations could have been hit with a hefty fine.
Paul Jonson, partner from the dispute team at Pannone, says: "The aim is to force security up the agenda of companies. If the risk is of being hit with a £500,000 fine I think directors and managers will take the Act more seriously."
One way to solve the problem, of course, would be to store all your data on a secure cloud platform, so that no data stays on a laptop and the data is accessed through SSL-protected systems with corporate-grade firewalls, such as www.cloud9hosts.net