Data security begins at home
It seems impossible to open a newspaper these days without reading about some further incident involving the loss of personal data, whether it be a bank, a government department or some major retail chain.
It is impossible to overestimate the importance of personal data and the dangers associated with holding it. Most, if not all, of us and our clients hold, across a wide variety of organisations, huge amounts of personal data – whether relating to employees, customers or both.
The newspaper headlines carry a consistent message that this is a significant problem and one which appears to be on the increase.
We need only think briefly, from a personal point of view, of how easily our own personal details can be lost to imagine how, on a larger and more catastrophic scale, the same could happen to an organisation, where more complicated systems and processes are involved and where the problem is compounded by the presence of multiple individuals, all with human failings such as forgetfulness and carelessness.
Bringing pressure to bear
Accidental loss accounts for a large proportion of data loss incidents – laptops left on trains, for example, or data storage discs lost in the postal system. However, as a forensic accountant with a special interest in fraud and misconduct, it is the more sinister side which tends to come across my desk – incidents which are the result of deliberate interception of data, the theft of data, or the infiltration of call centres by rogue staff. The implications can be serious in terms of identity theft and, from that, identity fraud. Both accidental and deliberate data loss provide opportunities for potential fraud.
The extent of the problem has led to pressure on – and by – regulators to levy increasingly heavy sanctions. For example, the FSA has recently fined a number of banks and other financial institutions. The Information Commissioner is looking for increased powers to inspect data holders, and there is also a Government working group looking at criminal penalties for organisations which are not as careful with our data as we would hope.
Some facts and figures
KPMG has recently carried out a study into data loss (Data Loss Barometer, September 2008), based on publicly disclosed incidents of data leakage from 2005 (but mainly from 2007) onwards. It is a worldwide survey but heavily weighted towards the USA, where there is a legal requirement to disclose incidents of data loss, and the UK, where there currently isn’t.
Some headline statistics from the study include:
- 138 million people have been affected by data loss since January 2007
- 1,034 data loss incidents have taken place since January 2005
- All sectors are affected
- 25% involve the theft of a PC or laptop
- 80% result in the loss of personal details
- 51% of losses stem from an internal source
- 46% of lost data has no protection (i.e. not even password protected).
The graph below shows the number of data loss incidents since 2005. The upward trend suggests that there will be 400 incidents of data loss this year.
Is this upward trend surprising? As organisations rely more on technology, new risks and threats to data emerge. Data protection points become more diverse and difficult to control. Even with the most secure controls, it is practically impossible to achieve absolute protection against all conceivable threats.
The increasing use of removable media – such as CDs, tapes and memory sticks – has certainly contributed to the incidence of data loss and the survey found that, although data encryption was widely accepted as an effective way of protecting information, in practice it is rarely adopted. In the majority of such cases (62%) lost data was neither encrypted nor password protected.
Steps to compliance
“Organisations which process personal information must ensure it is held securely. This is an important principle of the Data Protection Act” – UK Information Commissioner’s Office
As noted above, we and our clients all possess personal information relating to staff and customers/clients. There are certain steps which can be taken to minimise the risk of losing that data. These include:
- Clear policies and processes – including, for example, a clear desk policy; the deletion of used data from memory sticks; screen locking of PCs when employees are away from their desk.
- Database access rights – reviewing who has access to personal data, renewing access rights for those who require access and removing those who don’t.
- Encryption – particularly where data is being transferred through removable media.
- Disabling thumb drive facilities on PCs – to ensure that data cannot be downloaded and removed from systems.
- Escalation mechanism – ensuring that there is a response strategy so that employees know how to react when data loss happens.
- Media policy – similarly, having a robust policy and process covering contact with shareholders/customers/police.
- Employee vetting – ensuring that this is thoroughly done and that references are taken up before allowing new staff access to personal data.
It is all too easy to be complacent and think “It couldn’t happen here” – but it could, it can and it just might. Here are some questions that you and your clients should be asking:
- Do you know where your data comes from, where it is stored and how it is used?
- Do staff understand the importance of good data handling?
- Are you confident that your IT networks and systems are secure?
- Do you have a clear plan of what to do should you lose data?
A few final points
Internal controls are vital – they are not a panacea but if sufficiently clear and robust they can prevent a significant number of incidents. Human error will still result in laptops or confidential dossiers being left on trains, but having controls around how data should be handled will minimise the risk.
Portable media are highly vulnerable – we all use them all the time; they are small pieces of equipment, hold huge amounts of data, and are easily lost or stolen. However, a lost or stolen device does not in itself expose the data it holds if that data is suitably secured.
Hackers are a persistent danger – unauthorised data access is a real issue and is something to bear in mind. Data is valuable to people outside the organisation and some may take extreme measures to get their virtual hands on it. Regular risk assessments can help protect networks and system resources from hackers, and controls should be continuously monitored and regularly tested to ensure and maintain confidence.
Incident response is critical – reputation is an organisation’s greatest asset. Loss of reputation means loss of customer trust and, ultimately, loss of business. It is essential therefore that there is a policy and process to ensure that any incidents are handled correctly through a planned response, which should include how the media are handled to mitigate damage.