Nine methods of preventing data breaches

InfoSecurity Europe : 23 December, 2008  (Technical Article)
Alan Calder of IT Governance provides nine clear steps towards securing data against intentional or inadvertent losses.
Alan Calder looks at how complying with the requirements of legislation around data protection is a key challenge for organisations; companies have, for too long, been ignoring the importance of protecting data, and urgent attention to both the spirit and the letter of the law is required, especially as a much tougher regulatory regime is now coming into place. The only way to avoid these dangers is to take action.

The high-profile data-handling fiascos of recent months have underlined the importance of data protection. The loss of millions of child benefit records by HM Revenue and Customs, the mislaying of laptops and security dossiers by MoD staff, and the recent disclosure of BNP members' details are all part of the same problem: institutional failures to define and implement basic compliance procedures in line with the requirements of the Data Protection Act (DPA).

Complying with the requirements of the DPA - the core UK legislation around data protection - is a key challenge for Whitehall departments and commercial organisations alike. A much tougher regulatory regime is now coming into place, which builds on the major fines recently levelled by the Financial Services Authority, such as the £980,000 penalty served on the Nationwide Building Society and a £1.26 million fine incurred by Norwich Union - both criticised for failing to adequately protect personal data. Added to this, there is the recently passed Criminal Justice and Immigration Act, which brings in a regime of 'substantial' fines for organisations that fail to meet their compliance obligations.

The IT Governance Data Breaches Report identifies that spectacular data breaches are not caused by the misdemeanour of a junior employee but arise, rather, from systemically inadequate information security arrangements at the organizations where the incident occurs.

The Attrition database of data loss and data theft incidents shows a ten-fold increase in the number of reported data breaches - in the US, the UK and across Europe - since 2004. The peaks in reported data breaches that follow the disclosure of nationally significant breaches, such as the UK's HMRC data loss, suggest that there were - and probably still are - many data breaches that go unreported, and research suggests that organizations are reluctant to officially report data breaches unless they have already been exposed. The evidence suggests that waiting to be found out is not the best strategy.

Data protection is receiving so much attention for three reasons.

First, identity theft is a low-risk, high-return option for organized crime. Traditional crime, including violent robbery and theft, has clearly identifiable risks: it is easy to be recorded on video by CCTV, seen by witnesses or caught by means of DNA, and the returns are relatively low. High-tech crime creates real problems for the police and is, conversely, relatively low-risk for the criminal. Contributing factors include the perpetrator's anonymity, the speed at which crimes can be committed, the volatility or transience of evidence, the trans-jurisdictional nature of cybercrime and the high costs of investigation.

Second, legal and regulatory compliance initiatives, such as the EU Data Protection Directive and California's data breach disclosure law, SB1386, have both formalised the concept that personal data must be legally protected and introduced penalties for failing to do so. The recent amendments to the UK Data Protection Act (DPA), and changes to regulatory activity across the EU that are introducing significant financial penalties for non-compliance with the Directive, make this a particularly urgent issue for UK organisations.

Third, the proliferation of mobile data storage devices - laptops, USB sticks, PDAs - has changed the boundaries of where we store our data and effectively eliminated 'fixed fortifications' as an effective tool for preventing data breaches.

The Ponemon report (2007) commented that "the investment required to prevent a data breach is dwarfed by the resulting costs of a breach" and "the return on investment (ROI) and justification for preventative measures is clear". The costs of data breaches - legal costs, the costs of restitution, brand damage, lost customers and so on - are significant; for financial services organisations, the cost was about £55 per compromised record. Whilst not a matter of legal compliance, if an organisation has a credit card-related data breach and is found not to be in compliance with the Payment Card Industry Data Security Standard (PCI DSS), there are potentially severe contractual and financial penalties, including a bar on the business accepting payment cards.

All these factors make the protection of personal data a key business and compliance responsibility. There are nine key steps that every organization should take:

As a minimum:

1 Encrypt all personal data on laptops; whole disk encryption is a more secure solution than folder or file level encryption, and FIPS 140-2 is the recognised standard for encryption engines.

2 Encrypt all removable and portable media that might contain personal data, including USB drives, CD-Roms and magnetic backup tapes.

In addition:

3 Establish rigorous procedures to ensure the physical destruction of redundant computer drives, magnetic media and paper records prior to disposal, and ensure that disposals are made in line with a formal data retention timetable.

4 Organizations that accept credit and other payment cards should also comply with the PCI DSS.

5 Provide regular training and awareness on legal responsibilities for all staff that deal with personal data.

6 Deploy outbound-channel (email, instant messenger) filtering software with customised dictionaries for the relevant legislation and standards, such as the Data Protection Directive and PCI DSS.

7 Establish a vulnerability patching programme and implement anti-malware software.

8 Implement a business-driven access control policy, combined with effective authentication.

9 Develop an incident management plan that enables the organization to respond effectively to any data breaches.
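Step 6 is the one control in this list that is usually implemented as software rather than procedure, so here is an added example of what a "customised dictionary" outbound filter actually does. This is illustrative code written for this page, not IT Governance's product or any vendor's, and the dictionary contents, rule names, sample messages and block/warn policy are all constructed assumptions. It scans outbound text against one dictionary per regime the organisation is subject to (PCI DSS for card numbers, the DPA for UK personal identifiers and sensitive vocabulary), validates card-number matches with the Luhn check so that ordinary reference numbers do not trigger it, and redacts the matched value before it is logged so the filter's own log does not become a second leak.

```python
"""Outbound-channel content filter with per-regime dictionaries.

Added example, not code from the article or from IT Governance: a minimal
version of the step-6 control that scans outbound e-mail or IM text before it
leaves the organisation. Dictionary contents and sample messages are
constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    validator: Optional[Callable[[str], bool]] = None  # extra check on a regex hit
    blocking: bool = True  # identifiers block the message; vocabulary only warns


@dataclass(frozen=True)
class Finding:
    regime: str     # which dictionary fired, e.g. "PCI DSS" or "DPA"
    rule: str       # rule name within that dictionary
    redacted: str   # matched value with all but the last four characters masked
    blocking: bool


def luhn_valid(number: str) -> bool:
    """Luhn checksum over the digits in `number`; rejects random digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Mask the value so the filter's own log cannot leak what it caught."""
    return "*" * max(0, len(value) - 4) + value[-4:]


# Customised dictionaries: one per regime. Patterns are simplified for the
# example (e.g. the NI-number rule accepts any two leading letters).
DICTIONARIES: dict[str, list[Rule]] = {
    "PCI DSS": [
        Rule("primary-account-number",
             re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),   # 13-19 digits, spaces/dashes allowed
             validator=luhn_valid),
    ],
    "DPA": [
        Rule("uk-national-insurance-number",
             re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")),
        Rule("sensitive-vocabulary",
             re.compile(r"\b(date of birth|medical record|national insurance)\b", re.I),
             blocking=False),
    ],
}


def scan_message(text: str) -> list[Finding]:
    """Run every dictionary over the outbound text and collect validated hits."""
    findings: list[Finding] = []
    for regime, rules in DICTIONARIES.items():
        for rule in rules:
            for m in rule.pattern.finditer(text):
                hit = m.group(0)
                if rule.validator is not None and not rule.validator(hit):
                    continue  # looked like an identifier but failed the checksum
                findings.append(Finding(regime, rule.name, redact(hit), rule.blocking))
    return findings


def decide(findings: list[Finding]) -> str:
    """Policy: any validated identifier blocks; vocabulary alone warns; else allow."""
    if any(f.blocking for f in findings):
        return "block"
    if findings:
        return "warn"
    return "allow"


# Constructed sample messages (the card number is a well-known test PAN).
SAMPLE_MESSAGES = {
    "card": "Hi, please charge 4111 1111 1111 1111 for the renewal, thanks.",
    "order": "Your order reference is 1234 5678 9012 3456, dispatched today.",
    "ni": "Payroll: new starter AB123456C, date of birth to follow.",
    "clean": "Minutes from Tuesday's meeting are attached.",
}

if __name__ == "__main__":
    for label, body in SAMPLE_MESSAGES.items():
        found = scan_message(body)
        print(f"{label:6} -> {decide(found):5} {[(f.regime, f.rule, f.redacted) for f in found]}")
```

The "order" message shows why the validator matters: it contains a 16-digit run in card-number layout, but it fails Luhn and is allowed through, whereas the "card" message is blocked and logged only as its last four digits. In a real deployment the dictionaries would be maintained alongside the organisation's data retention timetable (step 3) and the filter's verdicts fed into the incident management plan (step 9).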

IT Governance Ltd is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe, held on 28th - 30th April at its new venue, Earl's Court, London. The event provides an unrivalled free education programme, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise.

Alan Calder is chief executive of IT Governance Limited, the one-stop-shop for information security books, tools, training and consultancy. He is author of 'Data Breaches: Trends, Costs and Best Practices'.
   © 2012 ProSecurityZone.com