As technology infiltrates all parts of business, it pays to be aware of the weak spots, writes David Crow
Barely a week goes by without yet another loss of personal data by someone who should be trusted. Yesterday, it was the bank details of over a million Royal Bank of Scotland, NatWest and American Express customers, found on a second-hand laptop for sale on eBay. If it had fallen into the hands of a criminal, it would have been a dream come true; everything one would need to empty the accounts – including names, mobile phone numbers, addresses, account details, signatures and mothers’ maiden names – was there. The price for this information? A mere £36. Stealing candy from a baby would be harder.
We’re becoming increasingly used to these oversights. The latest loss came hot on the heels of news last week that an agency working for the Home Office had lost the data of thousands of criminals.
Add to this driving licence records of 3 million learner drivers, 25 million child benefit claimants and the details of every customer who has stayed in one of Best Western’s 1,300 European hotels in the last year, and it’s hard to believe there’s any personal information that isn’t at risk.
Although consumers are increasingly worried that a wily fraudster will be able to hack their bank account using the information on their Facebook profile, or that they will fall prey to an email hoax telling them they’ve won £800,000 on the Nigerian lottery, it seems that giving your details to a company or agency you trust is in fact far riskier.
For businesses that need to collect the personal data of their clients or that hold confidential internal data – which includes just about every firm in the world – the stakes couldn’t be higher.
According to IT analyst Richard Holway, the loss of data on thousands of criminals by PA Consulting last week will severely damage its reputation. “This is seriously bad news for the company.
“They have made security into a key part of their business. Indeed they are one of the contractors on the government’s ID cards project. You could legitimately ask if PA Consulting cocks up like this, what confidence can anyone now have in personal data security of any info held by any Government agency,” he says.
So why has this started happening now? Paul Hanley, senior manager in Deloitte’s security and privacy services, says that part of the problem is the trend towards offshoring and outsourcing. “When using a third-party organisation to manage your data, it’s important to make sure that the access, storage, processing and disposal of information is appropriately controlled,” he says.
Firms that let personal data out of their possession need to make sure they draw up a contract with appropriate security-related clauses, as well as performing regular reviews of the supplier, he says.
Another factor is the proliferation of new communications devices coming to market. Although firms might have good arrangements in place for desktop computers, few are getting to grips with mobile technology such as USB sticks and smartphones. It’s important to remember that if an employee has sensitive work emails forwarded to their BlackBerry, a humble pickpocket could gain access to valuable and secret information.
As far as Ken Munro, director of Secure Test, the IT security division of NCC, is concerned, not enough firms are prepared for the mobile threat. “I would guess that those who are smart enough to take appropriate preventative measures are still leaving the mobile phone vulnerable to attack.
“With increasingly sophisticated mobile phone technology hitting the mass market, and ‘cloud computing’ on the rise, it is only a matter of time before we hear about some high-ranking official losing data through this. In fact, as the mobile phone is so low on the security agenda, it probably has happened already – and even more worryingly, that person doesn’t even know,” he says.
According to Andy Horn, head of SME at Colt UK, there are some simple steps that businesses can take to reduce their exposure to IT security risks. For example, almost half of SMEs still access the internet without a firewall – a free piece of protection that comes with Windows – making it much easier for hackers to access their customers’ details. But he also points out that thousands of businesses still think that having an anti-virus program installed is enough to remain safe.
“Today, for a number of reasons, anti-virus software is not enough. The volume of new types of malicious code increases the chances that a new piece of malware is not identified by anti-virus software, and spyware often goes undetected.”
The solution, says Horn, is to make security integral to everything your business does. He identifies three pillars that should form the backbone of every company’s security policy. The first and the most important is protection, which involves taking pre-emptive action to ensure the business is safe from intruders or malicious viruses.
Second comes reliability, which involves rigorously checking that your protection policy actually works; and finally continuity – the ability to carry on even after a breach of security has occurred.
For many SMEs, the chances of having the in-house expertise to set up and monitor an IT security policy are slim, which is why most will turn to outsourcing. It might seem ironic to put your security policy in the hands of a third-party company, especially as outsourcing is itself so often the source of the problem, but if you pick a well-known brand like IBM or Dimension Data, the chances of them defaulting are much slimmer.
With all the security checks in the world, it will be hard to eliminate human error entirely. That’s why the next phase of IT security will have to be more sophisticated. In the coming decades, staff will have to log sensitive data out using a biometric signature such as their fingerprint, iris or voice.
It might sound a bit space age, but sci-fi films got one thing right: as technology looms larger in our lives, security measures will become more draconian.