Print
Discuss
Send to friend
RSS feedsPreventing data breaches is the highest priority for today’s IT security professionals, two new surveys have concluded. But delegates at the Infosecurity Europe show in London last week were divided on the most effective method for securing data – and protecting corporate reputations.
The Department for Business Enterprise and Regulatory Reform (Berr’s) biennial security survey showed 77 per cent of firms now regard protecting customer information as a priority. Yet only eight per cent of those polled encrypt data stored on laptops.
Meanwhile, in an ISC2 Global Information Security Workforce Study of more than 7,500 security professionals, avoiding damage to reputation was a priority for 71 per cent of respondents. A further 70 per cent said protecting customer data was a priority, while 61 per cent said the risk of breaching laws and regulations was a driver for information security governance.
But the disparity between firms’ security intentions and their actions persists, argued Chris Potter, a partner at PricewaterhouseCoopers. “There are gaps between the aspirations of companies and what they are actually putting into practice,” he added.
The lack of dedicated IT security professionals and the ever-evolving nature of threats are major factors adding to the risks that firms face today, argued Potter. Companies should step up their risk assessment programmes, he advised.
But Information Commissioner Richard Thomas, told delegates he believed firms’ reluctance to take data protection seriously would persist until stronger penalties were enforced. He noted that while high-profile cases such as the loss of millions of personal records by HM Revenue & Customs had raised awareness, the attitude of the public sector towards data protection remained “worrying”.
Thomas said he was frustrated that powers to imprison those convicted of il legally trading information had yet to be fully enacted. “I’m still seeking serious deterrents to those who engage in this illegal market,” he advised.
Further evidence of government heel-dragging was perceptible in one of the big holes in the show agenda. The Police Central E-crime unit had been expected to be operational in time to unveil its new e-crime reporting portal at the show. But a spokeswoman for the Association of Police Officers confirmed that launch plans have been pushed back.
Some security experts believe that business leaders will not take data loss
prevention seriously until they are compelled to inform customers of any breach.
Howard Schmidt, director at security company Fortify, and one-time security
adviser to the White House, insisted that breach notification laws had been
largely successful where they had been introduced.
“Breach notifications would be of benefit to anyone. But when you have the requirement to do so, it must be consistent. In the US, states make their own [laws] and there is a lot of complexity. This makes it difficult to manage,” he suggested.
Meanwhile, other security experts bemoaned the general level of organisational security awareness.
“What we find is that we may have got the technical problems solved but we
need to raise the human element,” said Martin Smith of The Security Company.
Although firms are trusting their staff more by reducing blocks on instant
messaging and opening up internet access, training policies still lack vigour,
the Berr report found.
But Mike Smart of security vendor Secure Computing argued that technology
controls are an important part of an effective security risk management
programme.
“Policy-based actions, like encrypting content, become very important and
technology can help to stop users clicking on a certain link, to [mitigate the
risk] from social engineering attacks,” Smart explained.
See also:
Tough penalties need to be used to protect personal data, says commissioner 23 Apr 2008
While malicious attacks tend to grab the headlines, the prime causes of data breaches are usually more mundane 24 Apr 2008
EC study reveals current law not suited to protecting online transfer of personal data 18 Apr 2008
Annual trade show will see the launch of the annual Information Security Breaches Survey 17 Apr 2008
The Information Commissioner's Office has some strong advice for firms making data breaches 01 Apr 2008
Joint Committee on Human Rights criticises "lax standards" 14 Mar 2008
Security breaches have far reaching implications for businesses finds report 27 Feb 2008
New report warns business leaders of security threats 13 Dec 2007All Enterprise Security Technology
del.icio.us
Digg this
reddit!
