AOH :: ISN-3185.HTM

UK firms must wake up to security

UK firms must wake up to security
UK firms must wake up to security 

By Christian Annesley
24 October 2006

Customer data security and the risk of identity theft is high in the 
public consciousness at the moment.

This month's Channel 4 Dispatches documentary on data being stolen from 
Indian call centres has added fuel to a fire that was sparked into life 
earlier this year with the news that the US Department of Veterans 
Affairs had lost a laptop containing the personal details of 26.5 
million veterans and active service personnel.

But behind the headlines, the issue for UK business goes deeper, with 
far too many firms not yet having addressed or assessed their core data 
security risks, or even ensured compliance with the UK's Data Protection 

The Department of Trade & Industry's latest Information Security 
Breaches Survey, published in April, included the statistic that half of 
all UK retailers and utilities companies do not have formal procedures 
in place for compliance with the Data Protection Act. This suggests that 
the data breach problem is likely to get a lot worse before it gets 

The DTI has said it wants businesses to address the gap by adopting 
BS7799 or related ISO standards on information security. But despite the 
rhetoric, awareness of the standard remains low in the UK - just 10% of 
firms are familiar with its contents - and many UK businesses still 
appear to be treating data security as a low priority.

"All the evidence suggests that businesses need to take more care of 
their crucial assets, including business-critical data," said Dan 
Morrison, a partner at law firm Mishcon de Reya.

"For many firms information is the lifeblood of their business. Where 
the Data Protection Act - which relates to the storage of personal data
- is being neglected, that may mean a company is also not paying 
sufficient attention to protecting its trade secrets and other crucial 
company data."

Morrison warned that companies needed to get a better understanding of 
their vulnerabilities around data security, in part to avoid the threat 
of litigation.

"If a breach occurs, firms could be sued by shareholders or creditors 
who could argue that they have not taken adequate care to protect 
company assets," he said.

Morrison said it was his experience that the biggest threat came from 
within, and said firms should treat this as their first priority. "It is 
usually an insider. Insiders know where data is, the value of the data 
and how to get their hands on it."

He said vulnerable firms could make some relatively simple, but 
effective changes immediately, and then look to address the bigger 
issues around systems security.

"Get your employment contracts right so they can act to deter any staff 
that might be tempted. Also look creatively at where data is held and 
how it is accessed. You need to adopt a tiered approach to access rights 
that ensures information is only available to those who need it," said 

Forrester security analyst Thomas Raschke said an initial security risk 
assessment looking at the assets and data to be protected also needed to 
include the likelihood of that data being leaked. "That should form the 
basis of any data security evaluation. It sounds simple, but many do not 
do it."

Raschke said that instead many firms still adopted a piecemeal approach 
to security which could, and often did, leave them exposed.

"You cannot tackle the problem with technology alone. There needs to be 
a lot of education at every level in the business. Companies and their 
IT staff need to understand what kind of data employees are dealing with 
and its commercial value," he said.

With the security of outsourcing arrangements also in the spotlight 
following the publicity around India's data-theft problems, Raschke said 
there were risks associated with outsourcing. But he said having a 
robust approach to every aspect of data security and how firms managed 
outsourced contracts was potentially more significant.

His stance will come as some comfort to the National Outsourcing 
Association, which, after the Channel 4 documentary aired, argued that 
to link fraud to outsourcing overlooks the point that all businesses are 
vulnerable to data theft.

The association said many call centres had strict security measures in 
place, including bans on staff carrying storage devices, or even pens. 
It also said that close management of offshore operations was crucial 
for any firm contemplating the move, and noted that India was in the 
process of formalising its equivalent of the Data Protection Act.

Another tool changing the security landscape is the evolution of 
information leak prevention software, which Raschke said was now 
catching up with many of the risks firms faced. "There are now lots of 
firms out there offering software that tries to plug all the holes for 
you. It can stop data being copied to USBs or even printed out.

"Many firms are looking at this as it can also help them to meet their 
compliance obligations under legislation like Sarbanes-Oxley." 


Steps to better security

* Define what you mean by security and conduct a full data security 

* Take that assessment and implement it as security policy.

* Review and leverage the security functionality on your existing 

* Plug any holes with investment in systems and education.
* Take steps to ensure you understand how security and protection 
  systems are evolving.

Visit the InfoSec News store! 

Site design & layout copyright © 1986-2014 CodeGods