

Avoiding the Volcano – Top 10 Guide to Information Data Security

It’s now mid-April, and the Information Commissioner’s Office’s powers to fine organisations up to £500,000 for a ‘deliberate or negligent’ data breach are officially in force. But word on the web is that businesses still aren’t taking heed of security warnings.

It’s time to wake up and smell the coffee: the ICO is ready, willing and able to impose these fines. Do you want to incur the wrath of the ICO? I didn’t think so.

We are a leading on-site data disposal service with over nine years’ experience of secure data destruction, so we know a little something about information security. We have put together a guide to help businesses get their house in order and avoid a hefty fine.

  1. First things first: organisations need to be aware of the importance of their data. Whether it is trade secrets or personal customer information, a data breach can cause serious damage to a business, and not just financially. Once trust is lost it can be extremely difficult for a company to repair its reputation, and that affects future business prospects. Losing information is very serious; be aware of that.
  2. There are some people out there who think the ICO won’t enforce the new powers, but don’t be misled. The new Information Commissioner, Christopher Graham, is poised to pounce. He said: “Getting data protection right has never been more important than it is today… I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law.”
  3. As I have talked about before, all staff must be educated on the importance of data protection. Careless staff can cost a business dearly, so security procedures must be in place to protect information wherever it travels. Just last month the personal details of 9,000 school children were compromised after unencrypted CDs and USB sticks were stolen from a council employee’s home. Fortunately for the council, the incident occurred before the ICO powers came into force and it avoided a substantial penalty.
  4. And that goes for the bigwigs too. Corporate compliance has to come from the top if data loss is to be prevented, and senior management must take these measures as seriously as everyone else. However, as the recent Ponemon study revealed, that is not always the case: the survey found that 53 per cent of British business managers have switched off the encryption on their laptops. This is hardly a good leadership example to set for their own staff.
  5. The best way to know whether your data protection policies are up to scratch is to test them. Give your procedures a complete overhaul to ensure your data security and breach-handling policies actually work in practice. This includes website privacy, internal data handling, data retention, data disposal, portable devices and media, and the use of third parties.
  6. When outsourcing services to a third party, whether it’s for hard drive shredding or encryption, make sure all contracts meet your own data security policies. Ask the contractors for proof of pre-employment screening and five-year security background checks (in compliance with BS 7858:2006). Also ask for proof that the chosen data destruction company is accredited to BS EN 15713:2009 for the secure destruction of confidential material, or holds a CESG CCTM (Claims Tested Mark) accreditation from the UK Government.
  7. These days data can be stored on the smallest of devices. CDs, USB sticks, PDAs and even smartphones hold an enormous amount of information, but they are easily misplaced and could fall into the wrong hands. It is important for businesses to enforce ‘don’t take home’ policies with staff to avoid loss or theft, and when these devices are deemed redundant to dispose of them correctly, with a guarantee that all data on them has been destroyed.
  8. Greening your office is good for the environment, but before donating old computer equipment make sure it has been professionally wiped and overwritten using software that meets an accredited standard, such as CESG’s HMG Infosec Standard No. 5 (IS5), and that the result has been verified by reading the media back afterwards; otherwise significant data could end up in the wrong hands. This point has been championed by European Data Protection Supervisor Peter Hustinx, who warned that the EU’s proposal to recast the old WEEE (Waste Electrical and Electronic Equipment) Directive focuses too heavily on the environmental issues. He said: “It is important to take into account the potentially damaging effects of WEEE disposal on the protection of personal data stored in used equipment. Respect for security measures and a ‘privacy by design’ approach should be seen as essential pre-conditions in order to effectively guarantee the right to the protection of personal data.”
  9. Trusting an outsider to dispose of data storage devices can be difficult for some companies. Take control of your data disposal: insist on witnessing the destruction and on receiving a certificate of destruction that records what was destroyed. That way you know the job has been done, and you can prove it later.
  10. Finally, information security is an ongoing process. This isn’t a spring-clean quick fix. Businesses need a long-term strategy to keep themselves and their customers secure. I know it might sound like a broken record, but it’s better to be safe than sorry, particularly when a fine of up to £500,000 is at stake.
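Point 8 says old media must be overwritten and the result verified rather than taken on trust. The script below is an added example, not part of the original post or of any accredited wiping product: it overwrites a small disk image that stands in for a drive (one pass of random data, then a final pass of zeros) and then proves the final pass by reading every byte back and searching for the original plaintext marker. The image file `wipe-demo.img`, its “CONFIDENTIAL” contents and the random padding are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: overwrite a disk image that stands in for a drive, then
# verify the final pass by reading every byte back. The image, its
# "CONFIDENTIAL" marker and the file name wipe-demo.img are constructed
# for this demo and are not a real device or real customer data.
set -e

# Create a constructed image: a recognisable customer-data marker padded
# with random bytes, so we can show afterwards that the data is gone.
make_sample_image() {
    img="$1"
    printf 'CONFIDENTIAL: customer export, do not share\n' > "$img"
    head -c 65536 /dev/urandom >> "$img"
}

# Print how many bytes of FILE are not 0x00 (0 means fully zeroed).
# od dumps one hex byte per token; grep counts tokens that are not "00".
count_nonzero_bytes() {
    od -An -v -tx1 "$1" | tr -s ' ' '\n' | grep -c -v -e '^00$' -e '^$' || true
}

# Overwrite FILE in place: one pass of random data, then a final pass of
# zeros. conv=notrunc keeps the target's size (as a block device would)
# and sync flushes the writes before we read anything back.
overwrite_file() {
    size=$(wc -c < "$1" | tr -d ' ')
    head -c "$size" /dev/urandom | dd of="$1" conv=notrunc 2>/dev/null
    head -c "$size" /dev/zero    | dd of="$1" conv=notrunc 2>/dev/null
    sync
}

# Wipe FILE and verify it. Returns 0 only if every byte reads back as zero
# and the plaintext marker can no longer be found; otherwise returns 1.
wipe_and_verify() {
    overwrite_file "$1"
    [ "$(count_nonzero_bytes "$1")" -eq 0 ] || return 1
    ! grep -q 'CONFIDENTIAL' "$1" || return 1
    echo "verified: $(wc -c < "$1" | tr -d ' ') bytes overwritten, 0 non-zero bytes remain"
}

# Run as: sh wipe-verify.sh demo
if [ "${1:-}" = "demo" ]; then
    make_sample_image wipe-demo.img
    grep -q 'CONFIDENTIAL' wipe-demo.img && echo "before: plaintext marker present"
    wipe_and_verify wipe-demo.img
    rm -f wipe-demo.img
fi
```

The verification step is the point: the overwrite is only believed once the bytes have been read back. Note that this proves the state of the addressable sectors of a file or device; it says nothing about spare or remapped sectors that a drive’s firmware hides from the host, which is why physical destruction or a manufacturer-level sanitise command is still preferred for media that will leave your control.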

To discuss this further, we’ll be taking a stand at Infosecurity Europe at Earl’s Court in London from 27th to 29th April. Visit us at stand E64.

Posted in Data Disposal, Data Protection, Data Retention, DiskShred.

