The compliance landscape that IT managers in all sectors must negotiate is constantly evolving to keep up with new threats to data. These threats can come from outside, as in the recent incident at US retailer TJX where the card details of 45 million customers were exposed to hackers, or increasingly from within organisations.
In a survey conducted earlier this year by analyst firm Freeform Dynamics and sponsored by CA, 715 senior IT managers working across Europe and the Middle East said they felt the threat of security breaches or data leaks from employees acting carelessly or deliberately was as high as that from external attacks. Around 80 per cent of respondents rated threats from internal sources as significant, while about 40 per cent said the problem was likely to get worse.
Alex Brown, communications, outsourcing and technology partner at law firm Simmons & Simmons, said such research reinforces the point that it is not good enough to look to just technology to protect corporate data and stay on the right side of the law. “The weakest link is often human,” he said. “You can have the most new, advanced security technologies in place, but they won’t help you stay secure and compliant if your policies mean your people are the weak link in the chain.”
Brown argued that process change is just as important to security and compliance as technology change and investment. He cited the example of procedural breakdowns in banks, highlighted by the recent annual report from the Information Commissioner’s Office (ICO), which led to sensitive customer data being left outside high street branches in refuse sacks.
“The Information Commissioner chose to make a public example of these banks, knowing that the resulting public relations embarrassment would be a more potent form of censure than imposing fines on them. They were, as a result, required to make process changes,” Brown added.
But the need to make sure IT security policies and procedures are just as robust as the technologies that underpin them becomes apparent when the proliferation of potential vulnerabilities is taken into account. These can include risks resulting from the use of peer-to-peer networked applications, widgets, gadgets, wireless and voice-over-IP (VoIP) networks, and removable, portable devices such as USB drives and mobile phones. Almost 70 per cent of organisations surveyed by Freeform Dynamics highlighted the potential threat to information security from USB memory sticks and other portable storage devices as a key concern.
Given this growth in vulnerabilities, it is not surprising that governments and regulatory bodies have increased their use of legislation and industry rules to ensure organisations take responsibility for protecting their systems and preventing data leaks.
Richard Hastings, commercial technology partner at law firm Thomas Eggar, said the impact of new technologies on managing and securing corporate data can often be overlooked. “There is a common misconception that organisations can use new technologies without needing to make sure they comply with regulations because the new technology does not fall within the letter of the law,” he said. “Compliance can have an impact on the use of new technologies because firms aren’t aware of the way the data they use is being compiled, managed and stored.”
The most potent recent example of the profound effect compliance can have on an organisation’s security strategy can be seen with the introduction of punitive regulations such as the US Security Breach Notification Act. This law states that a company must publicly notify customers in the event of a security breach that could expose their personal data. “However, the trouble with the US Breach Notification Act is that it is a sanction imposed on organisations after the horse has bolted, as it were,” Hastings said. Data protection legislation in the UK and across Europe instead aims to set out the principles by which companies can handle their data prior to breaches occurring, he added.
“Although the sanctions available to the ICO are reasonably limited for security breaches, we have the foundations in place for good compliance practices in the first place with the Data Protection Act,” Hastings added.
An ICO spokeswoman said that the data privacy watchdog is currently looking at the possibility of introducing new regulation styled on the US Security Breach Notification Act.
Andy Kellett, security analyst for research firm Butler Group, said companies looking to adopt identity management technologies to help them meet compliance obligations should avoid leaping ahead to advanced systems.
“It’s all about extending the scope of access to data but, at the same time, retaining the strength of authorisation procedures. Some organisations have bitten off more than they can chew, looking to implement single sign-on to multiple systems and users, or an end-to-end solution,” Kellett argued. “Those that are probably gaining most value out of these systems as far as security, privacy and data protection compliance are concerned are those that have delivered such technology projects in small, manageable and user-focused chunks. This approach also allows legal and IT teams to work together and check systems remain compliant at every stage of deployment, as well as at regular, subsequent policy reviews.”