Externally, companies are at risk from hackers or others who might want to find something detrimental about an organisation that they can publicise. Criminals wanting to use information (particularly financial) to carry out crimes are also a significantly increasing threat. The large sums available from these types of crimes, the low risks of detection and punishment, and the ease of carrying them out have made this much more attractive than many other areas of crime. It will continue to grow at an increasing pace over the next few years.
Data leakage is a very important issue, not least because companies have a legal requirement, under The Data Protection Act, alongside other statutory requirements, to secure information on their employees and on their customers. Even if information held on a system has come from a third party such as a supplier, companies are still liable to protect that information from being seen by unauthorised people. The impact of negligent data loss on their reputation is also now moving organisations to focus on an area that has traditionally been ignored.
According to the Department of Trade and Industry (DTI) Information Security Breaches Survey 2006, only one company in seven actually encrypts data on hard disks. Recently, a laptop containing salary details, addresses, dates of birth, national insurance and phone numbers of some 26,000 employees went missing from a printing firm, which was writing to M&S workers about pension changes. Identity theft is the possible result of such losses.
You only have to use email on the Internet, and receive ‘phishing’ emails, to be aware of the many criminals out there today who want to get access to your personal data so they can steal from you. If your company is the repository for sensitive personal data, then it is more important today than ever to protect it. If you carry out credit card transactions and hold information on company networks, then you have to comply with the latest PCI (Payment Card Industry) data security standard by next year, or you may be financially penalised.
Is current protection adequate?
We have used various methods up until now to protect company data, but they are no longer enough in themselves, because of the increased risks we face. Firewalls and access control are commonly used and networks may be protected by multiple layers of firewalls. However, computers being used by staff at home to communicate with the office and access information may not have firewall protection. Even if they do, the user may not have enabled the firewall or may not have updated it. And, of course, if access control is inadequate, firewalls will not stop data being read.