If Absolutely Training was asked to describe 2007’s data security situation in a couple of words, ‘data loss’ would immediately spring to mind.
2008 has only just begun, and Britain still seems to be in the midst of an identity theft and data protection crisis. Personal, financial and business information is finding its way into the hands of organised crime or being lost due to negligence.
Let’s go back and take a quick look over 2007. It seemed that organisations were queuing up to give sensitive data away. One of the first high-profile warnings of the implications of not keeping data safe came courtesy of the Nationwide Building Society, which found itself with a £980,000 fine from the Financial Services Authority following the theft of a laptop containing confidential customer information.
In March, Halifax apologised after 13,000 mortgage details went missing. Parliament disclosed that the personal details of 25 million Britons, sent by standard delivery on unencrypted discs, had been "lost in the post".
Consumer Trust
The cases would have been less worrying for consumers if an obvious online trade in people's personal information wasn't also taking place. An investigation by a UK newspaper found more than 100 websites selling account information for UK bank customers, including PINs, security codes and full account details.
Identity theft, which involves the criminal use of someone’s identity to obtain goods, services or financial information, is also still on the rise. Home Office statistics show that card fraud losses were up by 25%, with the increase being driven by a £90.5 million increase in fraud abroad as more UK card details were stolen for use in countries yet to upgrade to chip and PIN.
David Smith, deputy commissioner at the ICO, has stated that "If organisations fail to recognise the importance of data protection they not only risk losing business, they could also face action from the ICO."
Paying the price for loss of data
Most of us will know someone who has been the victim of identity fraud, if not ourselves. Data has become the new currency in the world of organised crime. Business and personal data need to be kept safe and, when used in business, regulation needs to be adhered to.
What are the implications for firms in the regulated sector?
Financial services firms hold a great deal of sensitive information about their customers and their financial affairs. There are legal and regulatory considerations for firms regulated by the Financial Services Authority (FSA) that hold customer information.
Like all businesses, they are bound by the Data Protection Act (DPA). One of the principles of the DPA is that information must be kept carefully.
Aside from the reputational damage, firms can face legal sanctions if they breach the Act. Those firms which are regulated by the FSA face the additional threat of regulatory sanctions.
One of the FSA’s statutory objectives is reducing financial crime. Under the FSA’s rules, senior management must establish and maintain systems and controls to prevent criminals from using the firm for criminal purposes. This includes fraud, and today much fraud involves the illegal use of customer information.
PricewaterhouseCoopers’ (PwC) 2008 Information Security Breaches Survey (ISBS) shows that companies are placing greater trust in their staff and encouraging the use of technology to improve their effectiveness. The role of technology in staff development has coincided with a rise in social networking and the internet, both of which play a major role in our work and social lives.
Individual and company security
The survey shows an increase in targeted social engineering attacks, where outsiders try to obtain confidential information from employees.
Chris Potter, partner at PwC, who led the survey, said: “What companies are realising is that increasing security awareness is only part of the answer. The critical issue is changing the behavior of their people. A ‘click mentality’ has grown up - users do what expedites their activity rather than what they know they ought to. It is a bit like the road speed limit – everyone knows what they ought to do, but only a few actually do it. Only when behavior changes do businesses realise the benefits of a security-aware culture.”
One of the key building blocks in creating behavioral change is a learning and development programme to reinforce information security policies and procedures.
Simple steps for a secure organisation
For any business, practical steps to train everyone on basic information security need to be taken. This should include IT security, such as always keeping passwords and login details secure and never leaving your PC logged in, as well as physical security measures, such as locking away sensitive information when you have finished with it, not removing information from the office and keeping a clear-desk policy.
The ICO poll of 1,000 people found that 53 per cent of those asked no longer had confidence in the way banks, local authorities and government departments handled personal information.
The privacy watchdog wants more people to double-check that their information is being used properly and is currently publishing a checklist to help them.
Make sure your organisation is fully aware of the Data Protection Act and that staff are aware of their responsibilities under it.
Absolutely Training provides courses on:
- The Data Protection Act
- Financial Crime
- Anti Money Laundering
- Fraud
- ID Fraud
- Information Management