
IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
March 10, 2008


Secure IT

Preparing for a swift recovery

The security of corporate data is a growing concern for many practitioners and, as the volume of data held by businesses increases almost exponentially, so too does the need for robust policies and strategies to regulate its use.

Recent cases of data theft involving Her Majesty’s Revenue and Customs and Norwich Union, for example, have shown just how easily vast swathes of information can be ‘mislaid’ when improperly handled.

Though these high profile cases are the ones sparking public outcry, it’s the financial implications for private companies that warrant a reappraisal of policy and outlook.

Clearly, the growing volume of electronically-stored information marks an irreversible trend. An estimated 36 billion e-mails are sent worldwide every day, a figure rising by 20% a year. Studies have also suggested that 93% of information is now held in digital format, and that 70% of that data is never printed.

Furthermore, with means of communication constantly evolving, the number and type of media holding electronic information continue to grow. Sensitive data can now be found in any number of places, including laptops, PCs, back-up tapes, PDAs, BlackBerry devices, mobile telephones, home computers, CDs, DVDs and USB sticks. Great news for data ‘hoarders’, but an increasingly complex matter for security professionals.

Apathetic approach to regulation

Electronic storage technologies have seeped into the corporate environment gradually, and because each step was small, the cumulative shift has passed largely unnoticed. The result is that far too many organisations have taken an apathetic approach to regulating their use.

In light of this, Kroll Ontrack carried out extensive research in late 2007 examining corporate preparedness in relation to electronically-stored information. The research primarily considered the use of such information in the legal process, asking whether companies have the policies in place to deal with a legal inquiry or investigation and the demands for electronic evidence that it would introduce.

As a backdrop, it should be noted that the sheer growth in data volumes has led to amendments to the rules governing admissible evidence in legal cases in both the UK and the USA. Every electronic document, the metadata relating to it and any deleted documents are now subject to the disclosure process.

Despite this, the key finding from our research was that only 48% of UK companies have a policy or strategy in place for dealing with electronically-stored information in litigation, regulatory or investigation-related matters. That means more than half of organisations have no such policy, leaving them wide open to financial, legal and a whole host of other security risks.

At the root of this apathy, it would seem, is uncertainty over who should be responsible for developing policy. Of the in-house legal teams questioned, 25% said primary responsibility lay with them. Surprisingly, given the potential legal and financial ramifications, only 14% believed it should rest with the chief executive or Board of Directors.

Another 14% saw IT as chiefly responsible, and the remainder were split between risk/compliance practitioners and the HR Department as the right owners to set policy and implement the necessary strategy.

Damage can be severe

The spread of responses hints at an absence of real ownership, and a fundamental misunderstanding of the damage that inappropriate handling of electronically-stored information can cause.

In 2006, the US bank Morgan Stanley paid £11.7 million to settle a civil lawsuit brought by the Securities and Exchange Commission after it failed to produce “tens of thousands” of e-mails demanded by the US regulator during its investigation into the independence of Wall Street stock analysts.

Had effective e-mail retention and retrieval strategies been in place, it is likely that such a massive fine could have been avoided. The scale of the damage in this case clearly suggests that policy ought to be set at a level above Human Resources or IT.

Certainly, far more companies regard the consequences of an inappropriate information security strategy, or the lack of one, as something for which senior management would be held accountable. Although only 14% said the CEO or Board of Directors is responsible for policy, just under 40% believed that is where accountability would fall if that policy resulted in Government-imposed fines, Court-imposed sanctions or damage to the organisation’s reputation.

Only 3% believed liability would rest with IT, despite its greater influence in developing and enforcing strategy. This gap between responsibility and accountability creates a new risk in itself: those who design the strategies are not the ones answerable for whether they work.

The cost of ignorance

The general impression of apathy towards, or at least misunderstanding of, the need for clearly defined strategies is odd given how aware most companies seem to be of the time and financial cost of missing information security procedures. Only a third (32%) of UK companies are confident that they never lose time because of poorly-implemented data security strategies. Just under half (46%) say some time is lost, with 7% stating that the time lost is significant.

Tellingly, 15% say they don’t know how much time is lost by the organisation, again suggesting a complete lack of understanding.

In terms of financial cost, around a third (34%) of organisations questioned believe their data security strategies are effective enough to avoid any financial impact. 50% feel there is a financial impact, with 7% describing it as significant. That 15% have no idea of the financial impact is, again, a worrying statistic.

Boards must accept responsibility

It is clear that organisations need to develop coherent policies, back them with effective strategies, and ensure both are properly communicated and enforced. The key barrier seems to be an insufficient understanding of the nature of electronically-stored information and the threats to it.

That barrier, together with the lack of ownership over policy, needs to be tackled top-down, with those at the most senior levels taking responsibility for strategy.

Ultimately, it’s the CEO or the Board of Directors that will be held accountable.
