Information Security in the Real World. Confidentiality, Availability, Integrity, Practicality.

Monday, 1 February 2010

Encourage data security or pay the penalty

The Information Commissioner's Office has released details of 800 data security breaches (PDF) reported to it in the last two years. The office is warning that tougher sanctions will follow for organisations that fail to report breaches that subsequently come to light.

Also, the ICO announces in the same press release the increased sanctions applicable to personal data breaches - up to £500,000 for the most serious offences.

Time to review your organisation's handling of laptops and removable media?

In my experience, organisations spend a lot of time and effort on technical data-loss prevention (DLP) solutions while missing the point: employees don't really want to take data home on a memory stick, but they have no choice. If they were empowered with secure access to their data while away from the office, they wouldn't actually need to take anything with them on a thumb drive. Ensure the laptop hard drive is encrypted and protected by a boot-time logon, sure, but if you spend some time and effort on properly enabling remote access to your servers, providing synchronisation and collaboration tools and remote access to e-mail, and keeping the servers up 24/7, then your employees will be less inclined to take data home on sticks and disks.

And even more important is connecting your geographically diverse business units. To fail to connect two closely related but separately located departments electronically, such that they have to send CDs to each other (as happened in the UK government's child benefit data loss), is just criminal.

Practical security starts with enabling good behaviour through technology; do that, and you'll have less bad behaviour to deal with.
