ITPRO

Printed from www.itpro.co.uk

    Data protection law unclear to companies

Organisations are failing to deal with data breaches as the law that governs information security is unclear, according to experts.

By Rene Millman, 12 Jul 2007 at 12:07

The law over data protection is unclear and is preventing organisations from dealing with the scale and complexity of the problem, according to a security expert.

In the light of the story carried by IT PRO yesterday in which Information Commissioner Richard Thomas told chief executives that they would have to act now to prevent data breaches, experts said many companies are shying away from the problem.

"They are hiding their heads in the sand, hoping that they won't be the next victim of a high profile breach," said Steve Hurn, chief executive of database security company Secerno. "However, storing huge volumes of data on a system without using the appropriate database security technology is akin to operating without a firewall or anti-virus technology - it's a case of when a security breach will happen, not if."

He said that companies can mitigate risk by only allowing employees access to the data needed to carry out their job.

"A company wouldn't make its payroll details accessible to anyone outside of its payroll or finance departments, so why make other equally valuable data available to those that do not need access to it?" said Hurn.

Hurn said that one area often overlooked by companies was that they very rarely monitor access to sensitive data by systems administrators.

Ross Paul, product management director at Websense, said that by 2010 he expected around 80 to 90 per cent of data breaches to be unintentional, accidental or the result of poor business processes. He also said that data leaks are mostly invisible.

"Whether unintentional, intentional or malicious in nature, the ramifications of information leaks can be significant," said Paul. "For many organisations, losing customer information isn't the only risk; intellectual property, merger and acquisition plans, product launch dates, distribution strategies, and other confidential information pertinent to the day-to-day business must remain secure in order to sustain a competitive advantage."

He said that leaks cause not only monetary loss but also damage to the organisation's reputation. There would be regulatory concerns as well.

"The difference with data breaches is the scale of the impact for both businesses and the general public," he said. "If an employee sends out customer details or the company forecast ahead of the official announcement, the impact goes far beyond IT and HR. The Board and regulatory bodies such as the FSA would want to know as this is something of direct and immediate relevance to the business."

Others believe that organisations are not recognising the importance of managing personal data.

"Good business practice is central to making an organisation compliant-ready, alongside industry specific regulation and internal policies," said Symon Blomfield, chief executive of secure IM company Presence Networks. "Likewise, it is essential to include comprehensive monitoring to ensure all content is recorded, in the event of an investigation like we have seen today - or to satisfy an auditor examination."
