By Christian Annesley
24 October 2006
Customer data security and the risk of identity theft are high in the
public consciousness at the moment.
This month's Channel 4 Dispatches documentary on data being stolen from
Indian call centres has added fuel to a fire that was sparked into life
earlier this year with the news that the US Department of Veterans
Affairs had lost a laptop containing the personal details of 26.5
million veterans and active service personnel.
But behind the headlines, the issue for UK business goes deeper, with
far too many firms not yet having addressed or assessed their core data
security risks, or even ensured compliance with the UK's Data Protection
Act.
The Department of Trade & Industry's latest Information Security
Breaches Survey, published in April, included the statistic that half of
all UK retailers and utilities companies do not have formal procedures
in place for compliance with the Data Protection Act. This suggests that
the data breach problem is likely to get a lot worse before it gets
better.
The DTI has said it wants businesses to address the gap by adopting
BS7799 or related ISO standards on information security. But despite the
rhetoric, awareness of the standard remains low in the UK - just 10% of
firms are familiar with its contents - and many UK businesses still
appear to be treating data security as a low priority.
"All the evidence suggests that businesses need to take more care of
their crucial assets, including business-critical data," said Dan
Morrison, a partner at law firm Mishcon de Reya.
"For many firms information is the lifeblood of their business. Where
the Data Protection Act - which relates to the storage of personal data
- is being neglected, that may mean a company is also not paying
sufficient attention to protecting its trade secrets and other crucial
Morrison warned that companies needed to get a better understanding of
their vulnerabilities around data security, in part to avoid the threat
"If a breach occurs, firms could be sued by shareholders or creditors
who could argue that they have not taken adequate care to protect
company assets," he said.
Morrison said it was his experience that the biggest threat came from
within, and said firms should treat this as their first priority. "It is
usually an insider. Insiders know where data is, the value of the data
and how to get their hands on it."
He said vulnerable firms could make some relatively simple, but
effective changes immediately, and then look to address the bigger
issues around systems security.
"Get your employment contracts right so they can act to deter any staff
that might be tempted. Also look creatively at where data is held and
how it is accessed. You need to adopt a tiered approach to access rights
that ensures information is only available to those who need it," said
Morrison.
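The tiered access model Morrison describes is easy to state and easy to get wrong in practice, so here is an added example of how a practitioner might encode it, written for this page rather than taken from the article or from any of the firms mentioned. It assumes a small deny-by-default rule set: a reader needs both a clearance tier at least as high as the record's classification and, for confidential or restricted data, membership of a business unit with a need to know. The records, staff and unit names are constructed sample data. The exposure report at the end goes a step beyond the quote: it lists who can actually read each data set, and flags sensitive records whose need-to-know list has grown until it excludes nobody.

```python
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """Classification levels; a higher value is more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Record:
    name: str
    tier: Tier
    need_to_know: frozenset  # business units allowed to see it (CONFIDENTIAL and above)


@dataclass(frozen=True)
class Staff:
    user: str
    clearance: Tier
    units: frozenset  # business units the person belongs to


def can_read(staff: Staff, record: Record) -> bool:
    """Deny by default: a sufficient tier AND a need to know are both required."""
    if staff.clearance < record.tier:
        return False
    if record.tier >= Tier.CONFIDENTIAL and not (staff.units & record.need_to_know):
        return False
    return True


def exposure_report(records, staff):
    """For each record, the sorted list of users who can read it, plus a flag
    for sensitive records that every member of staff can read: a need-to-know
    list covering all units is no restriction at all."""
    report = {}
    for rec in records:
        readers = sorted(s.user for s in staff if can_read(s, rec))
        over_exposed = rec.tier >= Tier.CONFIDENTIAL and len(readers) == len(staff)
        report[rec.name] = (readers, over_exposed)
    return report


# Constructed sample data for a small firm (hypothetical; not from the article).
RECORDS = [
    Record("press-releases", Tier.PUBLIC, frozenset()),
    Record("customer-list", Tier.CONFIDENTIAL, frozenset({"sales", "support"})),
    Record("payroll", Tier.RESTRICTED, frozenset({"hr"})),
    # Need-to-know list that names every unit in the firm: effectively open.
    Record("product-roadmap", Tier.CONFIDENTIAL, frozenset({"sales", "support", "hr", "it"})),
]
STAFF = [
    Staff("alice", Tier.RESTRICTED, frozenset({"hr"})),
    Staff("bob", Tier.CONFIDENTIAL, frozenset({"sales"})),
    Staff("carol", Tier.CONFIDENTIAL, frozenset({"support"})),
    Staff("dave", Tier.CONFIDENTIAL, frozenset({"it"})),
]

if __name__ == "__main__":
    for name, (readers, flagged) in exposure_report(RECORDS, STAFF).items():
        note = "  <-- readable by everyone" if flagged else ""
        print(f"{name:16} {', '.join(readers)}{note}")
```

Running the report is the "look creatively at where data is held and how it is accessed" step: the payroll set is visible only to HR, the customer list only to sales and support, but the roadmap is flagged because its need-to-know list has been widened to every unit, which is the kind of drift a periodic review should catch.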
Forrester security analyst Thomas Raschke said an initial security risk
assessment looking at the assets and data to be protected also needed to
include the likelihood of that data being leaked. "That should form the
basis of any data security evaluation. It sounds simple, but many do not
Raschke said that instead many firms still adopted a piecemeal approach
to security which could, and often did, leave them exposed.
"You cannot tackle the problem with technology alone. There needs to be
a lot of education at every level in the business. Companies and their
IT staff need to understand what kind of data employees are dealing with
and its commercial value," he said.
With the security of outsourcing arrangements also in the spotlight
following the publicity around India's data-theft problems, Raschke said
there were risks associated with outsourcing. But he said having a
robust approach to every aspect of data security and how firms managed
outsourced contracts was potentially more significant.
His stance will come as some comfort to the National Outsourcing
Association, which, after the Channel 4 documentary aired, argued that
to link fraud to outsourcing overlooks the point that all businesses are
vulnerable to data theft.
The association said many call centres had strict security measures in
place, including bans on staff carrying storage devices, or even pens.
It also said that close management of offshore operations was crucial
for any firm contemplating the move, and noted that India was in the
process of formalising its equivalent of the Data Protection Act.
Another tool changing the security landscape is the evolution of
information leak prevention software, which Raschke said was now
catching up with many of the risks firms faced. "There are now lots of
firms out there offering software that tries to plug all the holes for
you. It can stop data being copied to USBs or even printed out.
"Many firms are looking at this as it can also help them to meet their
compliance obligations under legislation like Sarbanes-Oxley."
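The leak-prevention tools Raschke mentions work by inspecting content at the point of exit (a USB copy, a print job, an outbound email) and blocking it when it contains personal or financial data. To show what that inspection involves, here is an added example written for this page; it is not code from the article or from any product the article refers to. It assumes three detectors: payment card numbers (13 to 19 digits, confirmed with the Luhn checksum so that ordinary reference numbers are not flagged), a simplified UK National Insurance number pattern, and email addresses, with a per-channel policy that is a hypothetical placeholder. The customer export it scans is constructed sample text; the card number in it is the well-known test number 4111 1111 1111 1111.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Simplified UK National Insurance number: two letters, six digits, suffix A-D.
NINO_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

# Hypothetical policy: which finding types block which exit channel.
POLICY = {
    "usb": {"card", "nino"},
    "print": {"card", "nino"},
    "email": {"card"},
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubling every second digit from the right, subtracting 9
    from any doubled value above 9, then requiring the total to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_card(digits: str) -> str:
    """Keep the first six and last four digits so the finding can be logged safely."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan(text: str):
    """Return a list of (kind, masked_value) findings for the given text."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # digit runs that fail Luhn are treated as ordinary numbers
            findings.append(("card", mask_card(digits)))
    for m in NINO_RE.finditer(text):
        value = m.group()
        findings.append(("nino", value[:2] + "******" + value[-1]))
    for m in EMAIL_RE.finditer(text):
        findings.append(("email", m.group()))
    return findings


def decide(text: str, channel: str):
    """Apply POLICY for the exit channel: ('block' | 'allow', findings)."""
    findings = scan(text)
    blocked = [f for f in findings if f[0] in POLICY[channel]]
    return ("block" if blocked else "allow", findings)


# Constructed sample: a customer export a member of staff tries to copy to a USB stick.
SAMPLE = (
    "Export of customer list, prepared 24 Oct 2006\n"
    "Customer: A. Example, alice@example.com\n"
    "Card on file: 4111 1111 1111 1111\n"
    "Order ref: 1234567890123456\n"
    "NI number: AB123456C\n"
)

if __name__ == "__main__":
    verdict, findings = decide(SAMPLE, "usb")
    print(verdict)
    for kind, value in findings:
        print(f"  {kind}: {value}")
```

Two details matter in practice. First, the Luhn check is what keeps the order reference from being flagged even though it is also sixteen digits; without it a tool of this kind drowns users in false positives and gets switched off. Second, findings are logged masked, so the leak-prevention log does not itself become a store of card numbers.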
www.noa.co.uk www.dti.gov.uk/sectors/infosec www.forrester.com
Steps to better security
* Define what you mean by security and conduct a full data security
assessment.
* Take that assessment and implement it as security policy.
* Review and leverage the security functionality on your existing
systems.
* Plug any holes with investment in systems and education.
* Take steps to ensure you understand how security and protection
systems are evolving.