In our hectic, information-laden world, there is an expectation that we should have access to everything all of the time.
We also presume that when organizations hold our personal information, it will be kept securely. Under the UK Data Protection Act 1998, organizations have a duty of care and a legal responsibility to ensure that our information is secure.
So, considering it’s the law, why are there so many news reports of personal information being lost under the following circumstances?
- a bag being stolen or left in a pub
- unencrypted laptops being stolen from offices and homes
- confidential papers being sent to the wrong people or address
- unencrypted USB sticks lost or stolen
- computers and paperwork left in vacant offices
- confidential papers being disposed of in public bins
What can you do to avoid this from happening in your organization? There’s a huge amount of support out there, but where do you start?
Let’s go back to the Data Protection Act, which requires any organization processing personal information to take appropriate technical and organizational measures to keep it secure. The earlier list of scenarios is a list of things that have gone wrong. Prevention is the main objective, but you should still prepare for the worst case. The Information Commissioner’s Office (ICO) website makes the same point:
“If, despite the security measures you take to protect the personal data you hold, a breach of security occurs, it is important to deal with the breach effectively.”
We process vast amounts of information and should ensure this is done securely. Start with simple measures, which must become part of the organizational culture.
Information must be classified, so you know how sensitive it is, how it must be treated and who needs access to it, and you must set rules for handling each class of information: how it is stored, how it is distributed, how long it is kept and how it is disposed of once it is no longer needed.
Once you’ve decided how you will treat the information, you can start to introduce security processes. These could be IT related, such as access control (restricting access to the people who need it), encryption of laptops, USB sticks and other portable storage (so that losing the device is the loss of a piece of hardware rather than a disclosure of the data on it) and backups of the information; after all, technology is fallible.
Alternatively they could relate to physical copies of the information, such as secure bins for confidential waste or, if really sensitive, straight to the shredder. When transporting information off-site, replicate the measures you have on-site; for example, storing papers in locked briefcases (remember the photos of confidential papers being carried into Downing Street?).
As previously mentioned, mistakes can happen, so you need to be prepared to deal with them quickly and effectively. You should have a security incident management process in place, starting with a plan of what to do if you lose information, including damage limitation (for example, remotely disabling a lost device or revoking credentials that may have been exposed). Inform people about what has happened and what you are doing about it. This must include the people whose information has been lost and any organizations you are duty-bound to tell. Review what happened, see if there’s anything you could do better or differently, and then do it!
We understand what information we use, we’ve put rules in place to handle that information, and we’ve got a plan of what to do if something goes wrong. The final piece in the jigsaw is people; unfortunately, ‘you are the weakest link’.
The Data Protection Act requires companies to ensure the reliability of people who have access to personal information. How is this done? Again, it’s back to security measures and getting them embedded into the company culture.
Start by implementing an HR process to screen staff through pre-employment checks, and write the rules on handling personal information into employment terms and conditions. Make security breaches a matter for your HR disciplinary process, and establish a formal training, education and awareness program for information security, starting with the company induction. Get it into the culture and make people feel comfortable with it.
Have any of us actually challenged someone walking around our office without a visible ID badge? Is that person on the phone really who they say they are? How does your company verify identity on the phone? Is that person carrying the PC really from the IT department?
Admittedly, we may feel uncomfortable challenging people in this way, but that must be better than seeing your company name in negative headlines and being fined by the ICO for losing or disclosing information. Not to mention the impact on your organization’s reputation; remember, trust is gained slowly but lost very quickly.
Richard Hall is a senior information security consultant at CS Risk Management. Over the past 25 years, Hall has worked in IT operations, IT audit, information risk management, information security, and business continuity & resilience.