Time to review data security needs

A David Ewen Marketing product story
Edited by the Marketingservicestalk editorial team Apr 8, 2008

The changes in working practices that enable us to do business on the move are leaving networks increasingly vulnerable to attack, and businesses' data at serious risk.

The past couple of years have seen a huge rise in the use of remote, wireless and mobile access to computer networks.

More people are working from home and accessing the company network from their home computer to save commuting.

Many people now use laptops to carry files and data from place to place and can use wireless connections to work from almost anywhere they please.

However, these changes are leaving networks and data at serious risk.

Never before has the information of so many people been so vulnerable to data-loss or theft.

In the past few weeks, MPs on the Justice Select Committee have called for new laws to introduce heavy fines and/or jail terms to protect the integrity of personal data.

The move was prompted by critical government data losses over the past few months, such as the loss of computer disks at HM Revenue and Customs.

The committee called for a breach law that would make it a legal obligation for companies to notify customers if their data has been accessed and to create a system of fines for repeat offenders.

"The scale of the data loss by government bodies and contractors is truly shocking, but the evidence we have had points to further hidden problems," said committee chairman Alan Beith.

"It is frankly incredible, for example, that the measures put in place at HM Revenue and Customs were not already standard procedure".

The Committee also called for the Information Commissioner to have powers to make spot checks on government departments to ensure that correct practice is being followed.

UK Information Commissioner Richard Thomas has also argued for much tighter data protection laws in Britain, insisting that those who lose data should end up in court.

Thomas told the Lords Constitution Committee that those who knowingly or recklessly flout data protection rules should be prosecuted and fined up to GBP5,000.

"If a doctor or hospital [employee] leaves a laptop in his car and it is stolen, it is hard to see that as anything but gross negligence," Thomas told the Lords.

He also proposed that companies should be inspected without warning for data security, rather than the current system which relies on consent.

UK councils also came in for sharp criticism recently for falling woefully short when it comes to protecting sensitive data, according to a recent study by data security firm BeCrypt.

The survey, conducted among 60 councils, London boroughs and authorities, investigated how public sector organisations approach the legal requirements for mobile working and data security.

The Public Sector Data Security Survey found that 43 per cent of respondents admitted that no data is encrypted by their organisation.

Around 45 per cent said that data on some computers carrying sensitive material is encrypted, while only 10 per cent said that data on all machines is encrypted.

Another recent survey of local councils found that barely half use data encryption, even though more than a third had admitted that they had lost a laptop.

David Ewen of David Ewen Marketing said: "Without doubt, the biggest threat to data security is the use of laptops, USB devices and other unsecure removable media".

Ewen, whose company sells secure, biometric USB drives, added: "This survey highlighted that around a third of UK councils have no policy at all regarding the use of USB devices and the inadvertent or malicious threat of data leakage.

"It is a shocking but true fact that data-loss has become an everyday occurrence.

"Gartner research recently found that almost a quarter of all USB flash drives are sold to enterprises, yet about 80 to 90 per cent of those are not encrypted and organisations know full well that there is a problem with that.

"Given the recent spate of data breaches at HMRC, Local Authorities and NHS trusts, perhaps Mr Thomas's approach is the only way to get people to take this problem seriously.

"These latest proposals to punish reckless data leakage with large fines and/or prison sentences will go some way in encouraging organisations from the top down to be compliant, or at least be able to prove they took the sufficient steps to protect their data", he said.

A recent study carried out by David Ewen Marketing into data security measures being taken by a cross section of businesses and organisations suggests that the time has now come for them to urgently review the way they protect their data.

"Currently, the security of company and personal information is, on the whole, woefully inadequate", explained Ewen.

"Whether it be confidential company information on research and development, customer or supplier details, patient files or personal finance info, there is a huge and growing market for every piece of lost or stolen data.

"Reputations can be lost, fines levied and now perhaps jail sentences too for anyone found to be negligent in a data-loss/theft situation.

"Every company, organisation or business that holds confidential information must wake up to the fact that a full data security review must be addressed now, from the ground floor up.

"The risk is now so great that it is essential that it is impressed on all staff that data protection is the responsibility of everyone in an organisation and not just the IT team.

"Now is the time to carry out a risk assessment and draw up an action plan to protect against potential loss or theft.

"This should be communicated to all staff members and discussion encouraged.

"Clear lines must be drawn on the subject of what is acceptable to the organisation regarding remote, laptop, USB, PDA, Blackberry etc usage and what is deemed to be too risky.

"When doing this it is worth bearing in mind that the DTI Survey 2006 found that 60 per cent of companies that allow remote access do not encrypt transmissions and as a result are more likely to have their networks penetrated".

TJX, parent company of TK Maxx, had 45 million customer records hacked in this way, even though WEP had been activated; this was the biggest loss of credit card data in history.

(WEP is the wireless security standard; currently the world record for cracking WEP, set in April 2007, stands at 3 seconds.)

Most companies and organisations should be well aware of their legal requirements under the Data Protection Act to secure the information they hold on their employees and customers.

However, the real problem seems to be that many are genuinely unaware of just how many ways there are that their security can be compromised with ease.

"Others are in a state of denial while some just stick their head in the sand.

Every day there are instances where people download data onto unsecure USB drives and leave the workplace; the USB can then be lost or stolen.

"Laptops can be lost or stolen or compromised by unsecure wireless connections.

A DTI Survey in 2006 found that only one in seven companies encrypted data on hard drives.

A company computer network may be protected by multiple layers of firewalls but employees working from home and accessing the computer network remotely may have inadequate protection, or even no protection at all.

Remote access control may only be a simple password, which is now considered to be an inadequate security measure.

"I would like to see a National Data Security Review week, where these issues and many more could be addressed for the benefit of the whole country, because right now there is a data-loss time-bomb ticking away", said Ewen.

There are signs, however, that those tasked with looking after our personal data are indeed finally catching on to the fact that improvements in data security need to be made.

The new generation of biometric, or fingerprint recognition, secure USBs sold by David Ewen Marketing are currently being snapped up by many high-profile businesses and agencies including 15 UK police forces.

A Pro-talk Publication
