Managing the right risks
By Cybersleuth in Reader
Posted in data security, security practices, Policies on June 12, 2008 at 10:25 pm
If risk management is defined as the process of identifying, assessing and reducing risk to an acceptable level, the question remains: what is acceptable? In terms of risks to employees, acceptable means that in the event of an emergency no one gets hurt. When it comes to company data systems, the mantra is backup, backup, backup, and most organisations will have secondary systems set up off site. Keeping going, no matter what, is the name of the game.
But is risk management as simple as that? Is it only about threats to life and limb, property and commercial capability? Focusing solely on the big risks, the ones which will get us sued or put us out of business, is like covering one eye: it ignores one whole side of the issue. The everyday risks deserve as much attention, because they are the ones most likely to actually materialise and cause us pain.
It is an uncomfortable truth, but a truth all the same, that when it comes to data security humans are the weakest link. That means our staff, however much we value them, potentially pose as great a risk to the business as any terrorist-inspired incident or Act of God. A recent survey for the DTI, for instance, found that staff misuse of information systems accounted for 65% of security incidents in large businesses in 2006. Other studies confirm that data theft and corporate sabotage are most often carried out from the inside. Yet are companies prepared for this threat? More often than not the answer is no.
It is not just that organisations lack appropriate security policies or forget to update them, though these are common faults. It is often that, once an incident happens, containing it becomes the overriding concern. Whilst it is obviously necessary to make sure that business continues as normal, there is a danger that important information, the very evidence that will be wanted later, is lost in the frenzy. Every reboot, clean-up and well-meant "tidy" of a compromised system overwrites logs, timestamps and deleted-file remnants. Digital data is incredibly fragile, yet it is digital data which will be needed when it comes to making a case against a culprit down the line.
What is crucial, then, is an awareness of proper practices and procedures as they apply to the gathering and preservation of digital evidence, for not knowing the rules may mean that the best proof is rendered inadmissible. Happily, the basics are easy to grasp, and excellent guidelines have been laid down by the Association of Chief Police Officers (ACPO)* in its Good Practice Guide for Computer-Based Electronic Evidence. Its four principles boil down to: do not change data that may later be relied upon in court; if original data must be accessed, the person doing so must be competent and able to explain why and with what consequences; keep an audit trail of every action taken so that an independent third party could reproduce the same result; and the person in charge of the investigation carries overall responsibility for seeing that these principles are followed. Nevertheless, the deeper the understanding, the less likelihood there is that something will foul up. Those in charge of system security should therefore make a mission of arming themselves with the right knowledge.
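The most basic way to show that preserved evidence has not changed since it was gathered is to record a cryptographic hash of every file at collection time and re-check it before the material is relied upon. The script below is an added illustration, not code from the original post or from ACPO: it builds a simple hash manifest for an evidence directory, then verifies it and reports anything modified, missing or unexpected. The manifest format (one "digest  relative-path" line per file with a dated header), the "examiner-1" name and the sample log lines are all constructed for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Added example (not from the original post): a minimal SHA-256 manifest for
# preserved evidence files, so that later modification can be detected.
# Manifest layout, examiner name and sample data are assumptions.

CHUNK = 1 << 20  # read files in 1 MiB pieces so large images do not need RAM


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative_path: sha256} for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def write_manifest(manifest, out_path, examiner):
    """Persist the manifest with a timestamped header naming who made it."""
    with open(out_path, "w") as f:
        f.write("# created %s by %s\n"
                % (datetime.now(timezone.utc).isoformat(), examiner))
        for rel in sorted(manifest):
            f.write("%s  %s\n" % (manifest[rel], rel))


def read_manifest(path):
    """Parse a manifest written by write_manifest back into a dict."""
    manifest = {}
    with open(path) as f:
        for line in f:
            line = line.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            digest, rel = line.split("  ", 1)
            manifest[rel] = digest
    return manifest


def verify_manifest(root, manifest_path):
    """Return (ok, problems); problems lists modified, missing and new files."""
    recorded = read_manifest(manifest_path)
    current = build_manifest(root)
    problems = []
    for rel, digest in recorded.items():
        if rel not in current:
            problems.append("missing: " + rel)
        elif current[rel] != digest:
            problems.append("modified: " + rel)
    for rel in current:
        if rel not in recorded:
            problems.append("unexpected: " + rel)
    return (not problems, problems)


def demo():
    """Constructed scenario: preserve two files, then someone 'tidies' a log."""
    with tempfile.TemporaryDirectory() as work:
        evidence = os.path.join(work, "evidence")
        os.makedirs(evidence)
        with open(os.path.join(evidence, "mail.log"), "w") as f:
            f.write("2008-06-12 10:25 user=jsmith action=export file=customers.csv\n")
        with open(os.path.join(evidence, "notes.txt"), "w") as f:
            f.write("constructed sample evidence\n")
        # Keep the manifest outside the evidence tree it describes.
        manifest_path = os.path.join(work, "manifest.sha256")
        write_manifest(build_manifest(evidence), manifest_path, "examiner-1")
        ok_before, _ = verify_manifest(evidence, manifest_path)
        # The containment "frenzy": an administrator appends to the log.
        with open(os.path.join(evidence, "mail.log"), "a") as f:
            f.write("tidied up\n")
        ok_after, problems = verify_manifest(evidence, manifest_path)
        return ok_before, ok_after, problems


if __name__ == "__main__":
    print(demo())
```

The manifest is deliberately kept outside the directory it covers and should itself be stored (and ideally signed or printed into the case notes) where the people handling the incident cannot casually overwrite it; a hash list sitting beside the evidence is only as trustworthy as the evidence.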
Forensic preparedness of this type is essential if companies expect their cases to hold water when they come to court. Even where a lawsuit is not envisaged, adhering to best practice helps demonstrate due diligence and compliance, a fact that should tip the balance on its own.
Dust off your policies
By Cybersleuth in Reader
Posted in data security, security practices, Policies, office on February 26, 2008 at 2:30 pm
Security policies. You’ve got yards of them, right? Fire, flood, terrorism, four horsemen of the apocalypse – pretty much everything’s covered. So you save the documentation, breathe a sigh of relief and get back to the business of doing business.
And that is where the potential problems start: the file 'em and forget 'em attitude which abounds in companies of every size and significance. The point about security policies is not that it is OK simply because they exist. Like any laws, they have to be workable and enforceable. Just as importantly, they have to be reviewed and updated on a regular basis.
The Devil’s in the detail
By Cybersleuth in Reader
Posted in data security, security practices, Policies, Uncategorized on December 4, 2007 at 10:59 pm
The Devil's in the detail, so the saying goes. Wise words, and ones which apply with special force to data security, not that you would notice in many large institutions (and not just the ones currently standing in the corner in a dunce's cap).
Time and again, when sensitive information goes AWOL, you find the focus has been on fixing the big stuff. Staff up an IT department, invest thousands in a sophisticated firewall, buy the right software and you're home free. At least that is the apparent misconception.