We are living in interesting times as far as information security is concerned. Does it not seem that every few months a large multinational or well established British brand/individual appear to have been the victims of hackers? This month alone (Aug 2015) Carphone Warehouse reported a security breach where up to 2.4 million people may have had their names, addresses, dates of birth and bank details made accessible to hackers. In addition, up to 90,000 customers may have had their encrypted credit card data made accessible to hackers also. Included in these numbers are customers of other mobile telephony companies which Carphone Warehouse operates or provides services for.
Also this month, the Information Commissioner's Office (ICO) issued a fine of £180,000 to The Money Shop, on account of data breaches regarding two servers. One server was stolen from a store in Northern Ireland, where it had been stored in a room without adequate security controls, contrary to company policy. The other server had been lost by a courier firm in transit. Both servers contained sensitive customer information and lacked sufficient encryption. Neither has been recovered. There are other recent examples cited in contemporary media which have garnered international attention concerning dating sites, cycling teams'. The list is not exhaustive.
The loss of face, business and public confidence in such instances can be devastating to your business. The negative connotations associated with your brand can impact heavily, steering faithful and potential clients elsewhere.
The organisations in the press for the wrong reasons, receive this attention as they are in the public eye and the public engage with them on a regular basis by using their services. However, there are other organisations which are breached regularly, yet receive very little column inches.
In the four quarters of 2014/2015, the NHS/Health Services reported 747 instances of data breaches. The highest by some figure of organisations that have reported such breaches to the ICO. Yet very few, if any such breaches have been reported in the national media considering that personal medical records may have been made available to hackers. However, these instances do not solely affect large organisations.
For example, the local flower store with an owner/manager and three or four members of casual staff who have not been vetted, located in an affluent area who input customer names, addresses, phone numbWe are living in interesting times as far as information security is concerned. Does it not seem that every few months a large multinational or well established British brand/individual appear to have been the victims of hackers?
As well as the moral component associated with protecting your customers' data, organisations, large or small, have the responsibility for implementing some form of information security policy as stipulated by law, namely the Data Protection Act 1998 and the processes and procedures pertaining to any accreditation body which your organisation may be signed up to.
Principle 7 of the DPA
The ICO provides Principle 7 as dealing specifically with security. In brief the following is applied to information security:
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".
Specific controls are not stipulated by Principle 7, as necessary processes will differ from firm to firm and are dependent on the type of information held. A large multinational with country-specific servers will have very detailed controls in place to administer their information security to that of the charity which stores all its information in hardcopy in a locked filing cabinet in a locked room with access by designated persons.
However, the risk assessments made to determine these controls will be of a similar doctrine to both the large and small organisation, in order to reach the necessary conclusions.
In the UK, regarding information security, the ICO requires that an organisation, as a minimum, takes into account the following factors in order to formulate controls:
The nature and extent of your organisation?s premises and computer systems;
The number of staff you have;
The extent of their access to the personal data; and
Personal data held or used by a third party on your behalf
The threats to an organisation's information security can come from within, from slack procedures to wilful abuse. Threats from outside of the company will usually exploit vulnerabilities in your IT systems, circumnavigating firewalls, utilising unprotected ports, malware etc. If your business is doing everything in its ability regarding cost reasoning, risk analysis methods that are current and suitable for your organisation, documented processes and procedures which are adhered to by staff, you just may run less of a risk of receiving a fine from the ICO should the worst happen and your information systems are hacked.
All things being said, the non-monetary consequences of your customer's information being accessible to hackers has far more business penalties than any fine. Be pragmatic, utilise specialist advice where necessary and have an information policy that is understood by your employees. In effect, do all you can to minimise the risk to your clients regarding the safekeeping of their sensitive information. ers on computers lacking any form of encryption presents a series of information security risks. Chances are, such a situation may never see the light of day via any report yet, may prove catastrophic for customers.
As well as the moral component associated with protecting your customer's data, organisations, large or small, have the responsibility for implementing some form of information security policy as stipulated by law, namely the Data Protection Act 1998 and the processes and procedures pertaining to any accreditation body which your organisation may be signed up to.