By Mark James
Fines by the UK’s Information Commissioner’s Office (ICO) for security breaches have been a matter of discussion for some time. To most people they seem fairly small, and measured against a large company’s earnings they are.
The ICO is an independent authority set up to uphold information rights in the public interest. It has issued some fairly substantial penalties, including record fines of £400,000 for a telecoms company, £100,000 for a county council and £180,000 for an NHS trust in London, and that is just 2016. As more companies are found to have been negligent in protecting our private data, these fines will have to rise to reflect growing public concern about why they are not doing more.
The fine itself may seem fairly insignificant, but that is not the whole story. The negative PR exposure and the damage done by the breach itself both carry a cost.
These days security is on everyone’s lips and is something every company needs to take seriously. It is not possible to protect against every attack vector, but you should be able to take reasonable precautions and show that you have done all you can to protect your users’ data.
One of the simplest ways of protecting data from being seen by unauthorised persons is encryption. However, as with many common IT procedures, it needs to be seamless and easy to use, or the average user will not use it effectively.
Even companies that have purchased encryption have ended up on the wrong end of the ICO’s long arm because they failed to implement it correctly, or at all, as demonstrated by the recent case concerning Royal & Sun Alliance Insurance PLC. Buying the product is not the control; the control is the drive actually being encrypted, with the key held apart from it, and that has to be verified rather than assumed.
Choosing the right encryption therefore depends on many things, including ease of use, independent validation of the product, and flexibility and ease of deployment.
Encryption is not new; it has a relatively low cost and can be rolled out and maintained with ease. It would not have stopped the theft of the hard drive in this case, but it would have stopped the data on it being accessible, provided the key or passphrase was not stored with the drive.
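What “stopped the data being accessible” means in practice, shown as an added example rather than code from the original article or from any encryption product: the Go program below protects a record the way disk-encryption tools are structured, with a random data-encryption key (DEK) protecting the data and the DEK itself wrapped under a key derived from a passphrase. Whoever walks off with the container but not the passphrase gets an authentication error, not garbled output and not the record; so does anyone who changes a single byte. The container layout (the ENC1 magic and field order), the PBKDF2 iteration count and the sample record are this example’s own assumptions; PBKDF2 is written out by hand only so that nothing beyond the Go standard library is needed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed container layout for this example (not any product's on-disk format):
// magic(4) || salt(16) || wrappedDEK(nonce || DEK || tag) || data(nonce || ciphertext || tag)
const (
	magic     = "ENC1"
	saltLen   = 16
	nonceLen  = 12 // standard GCM nonce
	tagLen    = 16
	keyLen    = 32      // AES-256
	kdfIter   = 600_000 // PBKDF2-HMAC-SHA256 iterations, current OWASP guidance
	headerLen = len(magic) + saltLen + nonceLen + keyLen + tagLen
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256 for a 32-byte key, which fits in one block.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(append(append([]byte(nil), salt...), 0, 0, 0, 1)) // salt || INT(1), big-endian block index
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // an unreadable CSPRNG is not something to limp past
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys here are always 32 bytes; an error would be a bug
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// seal returns nonce || ciphertext || tag under a fresh random nonce.
func seal(key, plaintext, aad []byte) []byte {
	nonce := mustRandom(nonceLen)
	return append(nonce, aead(key).Seal(nil, nonce, plaintext, aad)...)
}

// open reverses seal; a wrong key or any modified byte fails the tag check instead of yielding garbage.
func open(key, sealed, aad []byte) ([]byte, error) {
	if len(sealed) < nonceLen+tagLen {
		return nil, errors.New("sealed blob too short")
	}
	return aead(key).Open(nil, sealed[:nonceLen], sealed[nonceLen:], aad)
}

// Encrypt wraps a random data-encryption key (DEK) under a passphrase-derived key; changing the passphrase later re-wraps 32 bytes, not the data.
func Encrypt(passphrase string, plaintext []byte) []byte {
	salt, dek := mustRandom(saltLen), mustRandom(keyLen)
	kek := pbkdf2SHA256([]byte(passphrase), salt, kdfIter)
	blob := append([]byte(magic), salt...)
	blob = append(blob, seal(kek, dek, []byte(magic+"/dek"))...)
	return append(blob, seal(dek, plaintext, []byte(magic+"/data"))...)
}

// Decrypt returns the plaintext only for the right passphrase; otherwise an error, never data.
func Decrypt(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < headerLen || string(blob[:len(magic)]) != magic {
		return nil, errors.New("not an ENC1 container")
	}
	kek := pbkdf2SHA256([]byte(passphrase), blob[len(magic):len(magic)+saltLen], kdfIter)
	dek, err := open(kek, blob[len(magic)+saltLen:headerLen], []byte(magic+"/dek"))
	if err != nil {
		return nil, fmt.Errorf("unwrapping data key (wrong passphrase or damaged header): %w", err)
	}
	return open(dek, blob[headerLen:], []byte(magic+"/data"))
}

func main() {
	blob := Encrypt("correct horse battery staple", []byte("policy 0001, J. Smith, DOB 1970-01-01")) // constructed sample record
	_, err := Decrypt("wrong passphrase", blob)
	fmt.Println("thief holding the drive but not the passphrase gets:", err)
	plain, _ := Decrypt("correct horse battery staple", blob)
	fmt.Println("rightful owner gets:", string(plain))
}
```

Run it with go run; the line that matters is the first one, where the wrong passphrase yields an error rather than anything resembling a record. In a real deployment the same structure comes from LUKS, BitLocker or FileVault rather than hand-written code, and the two things that decide whether a stolen drive is readable are the same as here: encryption must actually be switched on for the volume holding the data, and the passphrase or recovery key must not travel with the device.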
Fines need to be in place, but more importantly there needs to be some kind of follow-up procedure: if you are holding other people’s data you need to do all you can to keep it safe.
Data loss and theft are something we have to deal with. With so many breaches taking place through lapsed security or outdated applications, companies need to do more to keep data safe. Stopping attackers altogether is nearly impossible, but making their job harder is not as difficult as it sounds.