Since HMRC's almighty blunder of losing the personal details of every family in receipt of child benefit (25 million people; see "HMRC apologises for data loss"), other similar stories have come to light from private as well as public bodies. Security lapses at a Norwich Union call centre allowed fraudsters to steal 3.3m from pensioners, while we learn that the Driving Standards Agency has lost the details of 3 million driving test candidates. These cases are almost certainly the tip of the iceberg; they were discovered and reported, whereas most instances of data loss almost certainly go unnoticed and hence unreported. So what can you do to prevent it happening to you?
The HMRC and Driving Standards Agency data losses were noticed because the physical media on which the data was held went missing: somebody noticed that something physical they should have had, they no longer had. The Norwich Union loss was noticed when their customers' money started disappearing. In most cases of data loss, however, a copy can be taken without you noticing that anything is missing. Don't be lulled into a false sense of security by thinking this only affects big organisations with massive databases. If you are in business, ask yourself who has access to your customer details. Most of your staff, I would suspect, but what about people outside your company who provide you with services? Who has access to contract information, or HR information? If you can't answer these questions with absolute certainty, your commercial well-being is at risk and you may well be in contravention of data protection laws (as HMRC were).
IT security firms have claimed that the HMRC loss was completely predictable, and sadly I have to agree; it was also completely preventable. In the three instances quoted, the principal failing was a lack of enforced security policies and procedures. The HMRC data was apparently shipped on password-protected CDs with the password on a slip of paper included with the discs! It is not acceptable to blame a junior clerk: a junior member of staff should not have access to data at this level in the first place. Poor management was the culprit.
There are technical solutions you can deploy. You must control who has access to your network, both inside and outside. You must be in control of what software gets installed on your machines (both deliberately and inadvertently). You should make it very difficult for users to copy data by disabling all removable drives and USB ports on any machine that connects to your network. Where people must have access to data, logs should be kept of user behaviour and alerts generated when unusual access occurs. I would recommend that any business adopts these technical security measures, but the real problem is management and training. Get the proper policies in place, ensure that staff know them and adhere to them, and make security an accepted part of your company's culture. Contact us now to start this process.