Our security awareness is poor – but there may be a simple solution for the majority of security breaches…
“I think,” said Hugo Harber, Star’s Director of Convergence and Network Strategy, “that what surprised me most was the sheer number of security breaches that were directly caused by internal staff. 41% of the respondents admitted to lost notebooks, data sticks and disks. And 50% admitted to breaches caused by staff either not using passwords, or writing them down and allowing them to be compromised. I had thought that the average security consciousness was higher than that.” But it isn’t, is it? And we really do need to do something about it.
Well, the technology is there. “Mobile devices get lost and stolen. That’s one of the reasons we very strongly recommend that companies only use mobile devices that have a remote wipe capability, and proper encryption capabilities to encrypt all data on the device. That will protect data outside of the firewall, while data loss prevention techniques can prevent sensitive data leaking out from the servers.”
But the fact remains that, even though we have this technology, we are simply not using it. So what is the solution? In reality, it may lie not with the security professionals (who have always struggled to make a business case for security investment) but with our business regulators: bodies like the FSA and the ICO.
“The FSA and other authorities,” says Harber, “need to come down very hard on data protection lapses.” The FSA has indeed made a start, just last month fining “Zurich Insurance Plc (Zurich UK) £2,275,000 for failing to have adequate systems and controls in place to prevent the loss of customers’ confidential information.” It’s a start, but it’s not enough.
“I think the ICO also needs to take a harder line,” Harber continued. “The reality is that every business that pays its staff electronically is going to have very sensitive personal information, including names and addresses, national insurance numbers and bank details. It’s instant ID theft if you lose your HR records – and that applies to almost every business in the country. The FSA is absolutely right to be harsh on the banks, but the ICO needs to take every business that loses personal data to task; starting with the big ones, but including some small ones as well.
“If you don’t fine these companies that lose sensitive data, if you don’t make it very painful, then the IT director will not get budget next year to put in DLP or encryption or some similar system to fulfill the company’s duty of care,” he concluded. It could be as simple as that: the most effective security device currently available is a big stick wielded by the regulators.
We had been talking about the survey details contained in the whitepaper sponsored by Star: Data security: a way forward in the cloud