The Information Commissioner’s Office (ICO) report for 2010/2011, released earlier this week, expresses disappointment with the response it has received from organisations that are at particularly high risk of a data breach. The ICO revealed it has contacted a number of private sector organisations, including lenders, general business and direct marketing companies, which account for almost a third of total complaints, but fewer than one in five were willing to submit to a data protection audit.
Ross Brewer, vice president and managing director for international markets, LogRhythm, has made the following comments:
“This year has been punctuated with a number of high profile organisations that have fallen victim to a data breach. As a result, you would think those deemed high risk* by the ICO would welcome its help in identifying and resolving any potential weaknesses. However, the behaviour of those refusing audits is indicative of the attitude that led to this situation in the first place. Too many organisations are in denial about the scale of the threat and the possibility that they will be affected.”
“One of the main reasons these companies are so in need of the ICO’s help is that they are unlikely to have taken steps to develop a full understanding of their IT systems. All IT networks generate log data that can be used to monitor performance and identify anomalies. However, due to a number of factors, including the volume of logs produced and sometimes just plain ignorance, many organisations are not using this crucial information effectively. Aside from accepting the ICO’s assistance, these organisations should be looking to implement centralised, automated systems that provide the traceability required to spot weaknesses and, if aberrant activity does occur, provide real-time alerts so immediate action can be taken.”
*Risk assessment took into account a number of factors such as volume and type of data an organisation holds, complaints received by the ICO and cases where enforcement action was considered.