Site iconSite icon IFSEC Insider | Security and Fire News and Resources

Nine steps towards halting data breaches

The high-profile data handling fiascos of recent months have underlined the importance of data protection. The loss of millions of child benefit records by Her Majesty’s Revenue and Customs, and the mislaying of laptops and security dossiers by Ministry of Defence staff – as well as the recent disclosure of British National Party members’ details – are very much part of the same problem.

In short, we’re talking about institutional failures to define and implement basic compliance procedures in line with the requirements of the Data Protection Act (DPA) 1998.

Complying with the requirements of the DPA – the core UK legislation around data protection – is a key challenge for Whitehall departments and commercial organisations alike. A much tougher regulatory regime is now coming into place, which builds on the major fines recently levelled by the Financial Services Authority (such as the GB pound 980,000 penalty served on the Nationwide Building Society and a GB pound 1.26 million fine incurred by Norwich Union, with both organisations heavily criticised for failing to adequately protect personal data).

Added to this, there’s the recently passed Criminal Justice and Immigration Act which brings in a regime of ‘substantial’ fines for organisations that fail to meet their compliance obligations.

Systematically inadequate security

The IT Governance Data Breaches Report identifies that spectacular data breaches are not caused by the misdemeanour of a junior employee. Rather, they arise from systemically inadequate information security arrangements at the organisations where the incident occurs.

The attrition database of data loss and data theft incidents shows a ten-fold increase in the number of reported data breaches – in the US, the UK and across Europe – since 2004. The peaks in reported data breaches following the disclosure of nationally significant breaches such as the UK’s HMRC data loss, suggests that there were – and probably still are – many data breaches that pass by unreported. Research suggests that organisations are reluctant to officially report data breaches unless they’ve already been exposed.

Available evidence suggests that waiting to be found out isn’t the best strategy.

Data protection is receiving so much attention for three reasons. Identify theft is a low-risk, high return option for organised criminals. Traditional crime, including violent robbery and theft, has clearly identifiable risks. It’s easy to be recorded on video by CCTV, seen by witnesses or caught by means of DNA, and the returns are relatively low. High-tech crime creates real problems for the police and is, conversely, relatively low-risk for the criminal.

Contributing factors include the perpetrator’s anonymity, the speed at which crimes can be committed, the volatility (or transience) of evidence, the trans-jurisdictional nature of cybercrime and the high costs of investigation.

Legal and regulatory compliance

Legal and regulatory compliance initiatives – such as the EU Data Protection directive and SB1386, California’s data breach disclosure law – have both formalised the concept that personal data must be legally protected and introduced penalties for failing to do so.

The recent amendments to the UK’s DPA – alongside changes to regulatory activity across the EU that are introducing significant financial penalties for non-compliance with the Directive – make this a particularly urgent issue for UK organisations. The proliferation of mobile data storage devices – laptops, USB sticks, PDAs – has changed the boundaries of where we store our data and effectively eliminated ‘fixed fortifications’ as an effective tool for preventing data breaches.

The Ponemon report of 2007 commented that: “The investment required to prevent a data breach is dwarfed by the resulting costs of a breach” and: “The return on investment (ROI) and justification for preventative measures is clear”.

Costs of data breaches – legal costs, the costs of restitution, brand damage, lost customers and so on – are significant. For financial services organisations, it stands at about GB pound 55 per compromised record. While not involving legal compliance, if an organisation has a credit card-related data breach and is found not to comply with the Payment Card Industry Data Security Standard (PCI DSS), there are potentially severe contractual and financial penalties – including a bar on the business accepting payment cards.

Nine steps all companies must take

All of these factors make the protection of personal data a key business and compliance responsibility. To this end, there are, I believe, nine key steps that every organisation should take. As a bare minimum:

In addition, end user organisations must:

Alan Calder is chief executive of information security expert IT Governance

IT Governance will be exhibiting at Infosecurity Europe 2009 – Europe’s leading event dedicated to information security. Now in its 14th year, the show continues to provide an unrivalled education programme, the most diverse range of new products and services from over 300 exhibitors and attracts circa 12,000 visitors from every segment of the industry.

Running from 28-30 April at London’s Earls Court, the show is something of a ‘must attend’ event for all professionals involved in the information security space. See our dedicated link on the right hand panel of this page for more details.

Exit mobile version