IT Governance
Article by Alan Calder
For ExaProtect Newsletter
9 May 2008
A Pre-emptive Strike Against Data Breaches
Organisations that experience a breach of confidential data can pay a very high price for the loss or theft of personal data. Aside from the cost of restitution, the unauthorised disclosure by an organisation of personally identifiable information can result in substantial costs to that organisation, whether expended on legal counsel, lost customers or regulatory fines, while the price of reputation or brand damage can be incalculably high.
According to the Attrition database (www.attrition.org), which compiles statistics on data security incidents from around the world, security breaches of confidential data are growing at a substantial rate. In 2004, the USA recorded just 12 reported breaches, but by 2006 this had soared to 326 incidents. The trend is echoed in the UK and elsewhere, where financial services organisations are the worst hit, with regulated organisations accounting for 12 percent of reported security breaches. No accurate data is available for unregulated operators, while there is significant evidence that there is a high level of unreported breaches.
With the number of data breaches growing steadily, pre-emption is by far the wisest and most cost-effective strategy. The cost to financial institutions in the UK alone has been shown to be around £55 per compromised record – an alarming statistic for organisations that deal with millions of records every day. No surprise, then, that a 2007 report by The Ponemon Institute on data breaches in the US (www.ponemon.org) commented that “the investment required to prevent a data breach is dwarfed by the resulting costs of a breach” and that “the return on investment (ROI) and justification for preventative measures is clear”.
Contrary to the headlines in the popular press, the most dramatic data breaches are not caused by junior employees leaving their laptop in their car or at the pub. The IT Governance Data Breaches Report identifies that spectacular data breaches, such as the UK’s HMRC CD-ROM fiasco and the prolonged theft of TK Maxx credit card records, arise from systemically inadequate information security arrangements at the organisations where the incident occurs. Organisations literally cannot afford to deal with data breaches in a purely reactive way.
The protection of personal data is a key business and compliance responsibility. At IT Governance we recommend a number of steps to ensure the security of personal data.
· Encrypt all personal data on laptops; whole-disk encryption is a more secure solution than folder- or file-level encryption. Encrypt all removable and portable media that might contain personal data, including USB drives, CD-ROMs and magnetic backup tapes.
· Establish rigorous procedures to ensure the physical destruction of redundant computer drives, magnetic media and paper records prior to disposal, and ensure that disposals are made in line with a formal data retention timetable.
· Organisations that accept credit and other payment cards should also comply with the PCI DSS.
· Provide regular training and awareness on legal responsibilities for all staff that deal with personal data.
· Deploy outbound channel (email, instant messenger) filtering software with customised dictionaries for relevant legislation and standards such as the DPA and PCI DSS.
· Establish a vulnerability patching programme and implement anti-malware software.
· Implement a business-driven access control policy, combined with effective authentication.
· Develop an incident management plan that enables the organisation to respond effectively to any data breaches.
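The outbound channel filtering recommended above can be illustrated with a small dictionary-based scanner. This is an added example, not code from the article or from IT Governance; the policy names, dictionary terms and sample messages are constructed for illustration, and card numbers are confirmed with a Luhn check so that arbitrary digit strings do not trigger a PCI hit.

```python
import re

# Constructed sample dictionaries keyed by policy name (illustrative only).
DICTIONARIES = {
    "PCI": {"card number", "cvv", "expiry"},
    "DPA": {"national insurance", "date of birth", "home address"},
}

# 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return candidate card numbers (digits only) that pass the Luhn check."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_outbound(message: str) -> dict[str, list[str]]:
    """Map each policy to the dictionary terms and masked PANs found in a message."""
    hits: dict[str, list[str]] = {}
    lower = message.lower()
    for policy, terms in DICTIONARIES.items():
        matched = sorted(t for t in terms if t in lower)
        if matched:
            hits[policy] = matched
    for pan in find_pans(message):
        # Keep only the last four digits in the filter's own record.
        hits.setdefault("PCI", []).append("PAN:" + pan[-4:].rjust(len(pan), "*"))
    return hits


def should_block(message: str) -> bool:
    """Block the message when any policy dictionary or PAN check matches."""
    return bool(scan_outbound(message))
```

In practice the dictionaries would be maintained per regulation and the scan result logged to the incident management process rather than simply blocking.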
Alan Calder is chief executive of IT Governance (www.itgovernance.co.uk), the one-stop shop for information security books, tools, training and consultancy, which recently published ‘Data Breaches: Trends, Costs and Best Practices’ (http://www.itgovernance.co.uk/products/1615).