Companies are failing to take simple security measures to stem data losses, despite high-profile cases spotlighting the brand damage such a cavalier attitude can cause.
The number of data losses reported to the UK Information Commissioner’s Office (ICO) for the year ending October 2009 has almost doubled to 415 incidents, compared to 277 reported for the year before, according to security firm Overtis.
Incidents have risen partly because more firms are reporting them. But the true picture is even worse. “Things have always been bad and many people are starting to behave more openly and report issues to the ICO, but two-thirds of the iceberg is still below the waterline,” said Richard Walters, CTO at Overtis.
Chief causes of data loss included stolen data/hardware (225), data disclosed in error (160), and lost data/hardware (166). Typically, information was lost because people failed to encrypt data copied onto USB sticks, for example, or through simple errors, such as pressing the ‘reply to all’ button and inadvertently sending sensitive data to the wrong people. Security of mobile devices was also an area of concern.
Key to plugging the data hemorrhages is communication, according to Walters. “It all comes back to education and awareness. When we go out and speak to people, it’s just simple stuff they got wrong, and so much comes back to the importance of ongoing education.”
Tick-in-the-box attitudes to security, which satisfy audit requirements but fail to translate to the shop floor, were also a problem. “A lot of companies have had security policies for a number of years which they are continually improving, but at the end of the day they are just words on paper if they are not enforced,” added Walters.
High-profile cases in 2009 include the loss of 43,000 child records by Wigan Council and 20,000 patient records by the Royal Free Hampstead NHS Trust.