Another day, another data breach: how to make sure you aren't next
06 February 2013
By Nick Banks
It is in the public sector's interest to protect itself against data breaches, writes one specialist, who says taking precautions is infinitely preferable to closing the door after the horse has bolted
Devon County Council, Leeds City Council, the London Borough of Lewisham and Plymouth City Council have at least one thing in common.
They are amongst the latest public bodies to be fined by the Information Commissioner's Office for breaches of the Data Protection Act and failing to adequately protect sensitive data.
These organisations are just the latest in a long line of very public data breaches, and any public sector organisation to fall victim to a data breach in future certainly won't be able to claim that they weren't aware of the risks. Data breaches and the resulting penalties are big news now, and it seems that barely a month goes by without another large fine hitting the headlines. This perception is backed up by statistics from the Information Commissioner's Office (ICO) which show that the number of self-reported data breaches has increased every year since 2007.
With all the recent brouhaha around data breaches, it stands to reason that increasing awareness should translate into reduced incident numbers as organisations toughen up on data protection. And yet in the past 18 months alone, the public sector has received fines of over £2 million for data breaches. The problem is not unique to the public sector, and in fact the figures suggest that the private sector is underrepresented in data breach fines. While private businesses accounted for more than a third of the breaches reported over an 11-month period, they received less than 1 per cent of the ensuing financial penalties.
With such large fines being handed down by the ICO, the public sector has an additional incentive to toughen up on data protection, and in particular the handling of data on portable memory devices such as USB flash drives. One such case saw Greater Manchester Police fined £150,000 by the ICO when an officer lost an unencrypted memory stick containing sensitive data on serious crimes. Tightening up this area of data protection can be one of the most effective measures to prevent data leakages. So how can organisations ensure that they aren't next to hit the headlines?
Encrypting data on portable memory devices is an obvious solution, and one which would have prevented many recent data breaches. Encryption is relatively cheap, simple to administer and highly effective in limiting the damage when a device goes missing. If an encrypted memory device is lost or stolen, the data on it stays unreadable to whoever finds it (provided the password or key has not been lost with it), so the loss of the hardware does not become the loss of the data.
Another compelling reason in favour of encryption is ease of use. Employees are very sensitive to any rules and policies which they feel will make their jobs more difficult. Apart from entering a password when the stick is plugged in, using an encrypted memory stick is no different from using an unencrypted device, and it provides peace of mind for staff and security for data. Biometric devices are more expensive but also harder to get into, and have the usual benefits that biometric security holds over passwords (a fingerprint can't be forgotten, guessed or written down on a Post-it note), with the usual trade-off that a fingerprint cannot be changed if it is ever compromised.
Staff have become very adept at finding workarounds for policies which they don't see as strictly necessary. If following the rules makes life harder for employees then some are bound to follow their own paths, putting data at risk. Management systems can be used to block unencrypted removable devices on managed endpoints, so that only approved, secure devices can be used to transfer data; the policy is then enforced by the machine rather than left to the goodwill of the user.
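As an added illustration (this is not code from the article or from Imation, and it uses Windows' built-in BitLocker To Go and removable-storage policies rather than any vendor management console), the following PowerShell applies the kind of "encrypted media only" rule the paragraph describes and then checks that it is still in place. The registry paths are the documented locations of the Group Policy settings "Deny write access to removable drives not protected by BitLocker" and "Removable Disks: Deny execute access"; it assumes Windows 8 or Server 2012 or later (for Get-BitLockerVolume) and an elevated session.

```powershell
# Added example, not from the original article: mandate encrypted removable media
# using Windows policy. Test on one machine first; in production deliver the same
# values through a GPO (Computer Configuration > Administrative Templates >
# Windows Components > BitLocker Drive Encryption > Removable Data Drives, and
# System > Removable Storage Access) rather than editing registries by hand.

$fve   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$rsd   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device setup class GUID for "Removable Disks" used by the Removable Storage Access policies.
$rdisk = Join-Path $rsd '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-EncryptedRemovableMediaPolicy {
    foreach ($k in @($fve, $rdisk)) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # Writes to a removable drive are refused unless the drive is BitLocker-protected.
    Set-ItemProperty -Path $fve -Name RDVDenyWriteAccess -Type DWord -Value 1
    # Also refuse drives that were encrypted under another organisation's identifier.
    Set-ItemProperty -Path $fve -Name RDVDenyCrossOrg -Type DWord -Value 1
    # Independently of encryption, never run programs from a removable disk.
    Set-ItemProperty -Path $rdisk -Name Deny_Execute -Type DWord -Value 1
}

function Test-EncryptedRemovableMediaPolicy {
    $ok = $true
    $checks = @(
        @{ Path = $fve;   Name = 'RDVDenyWriteAccess'; Expected = 1 },
        @{ Path = $fve;   Name = 'RDVDenyCrossOrg';    Expected = 1 },
        @{ Path = $rdisk; Name = 'Deny_Execute';       Expected = 1 }
    )
    foreach ($c in $checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($actual -ne $c.Expected) {
            Write-Warning "$($c.Path)\$($c.Name) is '$actual', expected $($c.Expected)"
            $ok = $false
        }
    }
    # List attached data volumes (removable drives appear here) and whether BitLocker is on.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'Data' } |
        Select-Object MountPoint, ProtectionStatus, EncryptionMethod |
        Format-Table -AutoSize
    return $ok
}

Set-EncryptedRemovableMediaPolicy
if (Test-EncryptedRemovableMediaPolicy) { 'Policy in place' } else { 'Policy drift detected' }
```

One caveat worth knowing before rolling this out: RDVDenyWriteAccess only recognises BitLocker. A hardware-encrypted stick of the kind the article describes usually mounts a small unencrypted partition carrying its unlock utility and is not seen as "protected" by this check, so for those devices the vendor's own agent, or a device-ID allowlist under the Device Installation Restrictions policies, is the control that actually enforces "approved devices only".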
For an additional layer of security, managed devices make it possible to remotely wipe or even kill a device, making it totally inaccessible even to the owner. These features are growing in prominence as the data breach headlines mount up. When a lost or stolen managed device is plugged into an internet-connected endpoint, a command is sent from a central console in the IT department to either erase (wipe) all data or completely disable (kill) the device. Note what that implies: the command only reaches the device once someone plugs it into a connected machine that can talk to the console, so remote wipe is a complement to encryption rather than a substitute for it. The additional cost makes this technology more appropriate for highly sensitive data, where organisations want extra assurance against data falling into the wrong hands. Equally, if a review finds gaps in authentication policy, or a device's security is not fully implemented in hardware, a remote kill feature gives the organisation a way to close off a device it can no longer trust.
Technology has to be supplemented by educating staff about their responsibilities around data security and how to use technology effectively. Technology in data security should be an enabler, which allows staff to do their jobs better and more safely. In short: ease of use is crucial.
For a long time data security did not receive the attention it warranted because the potential penalties for non-compliance were seen as preferable to implementing technology and policy. But the landscape has evolved and with record fines and cost-effective technologies such as encryption, enforcing data security is now more important and achievable than ever.
It is in the public sector's interest to protect itself against these types of data breaches, because large ICO fines are especially unwelcome at a time when budgets are static or falling. Taking precautions to ensure compliance is infinitely preferable to closing the door after the horse has bolted.
Nick Banks is head of EMEA and APAC at Imation