Instances of data loss and reports of lost personal records or stolen customer data have made the headlines on an alarmingly regular basis this year. In November, the ICO issued its first major fines to Hertfordshire County Council and employment services firm A4e – for £100,000 and £60,000 respectively – and earlier this year, Zurich Insurance was fined £2.3 million for the loss of customer data. As organisations prepare for the challenges in the year ahead, we explore the data security trends on the horizon and how organisations can best protect the integrity of their data.
Walking a ‘Fine’ Line to Compliance
Enterprises are under continued pressure to meet regulatory compliance standards, and organisations failing to comply will need to be prepared for tough penalties in 2011. Compliance will continue to be a key driver in security decision-making, with new, more stringent requirements such as the January deadline for the revised PCI DSS standard (V2).
The new powers held by the ICO – now able to enforce penalties of up to £500K for serious breaches of data – will force many organisations to re-think their data protection strategies. Now that the ICO has issued the first major data breach fines, will we see the first maximum penalty levied in 2011? There have also been calls for the UK to follow in the footsteps of the US and make disclosure of data loss mandatory which may gain ground as we progress through the year.
The ICO has already sent a clear message that organisations need to stay a step ahead of the game in ensuring they have adequate data protection and security measures in place. Protection of customer data must be at the heart of all security processes and, whilst there is debate on the impact of these hefty monetary fines as a ‘deterrent’, if the final result is better safeguards for the public’s data, then the end could justify the means.
The rise of the Mac
Tablet computers such as iPads have a rapidly growing user base, and their use in the enterprise is gathering pace; Gartner recently told CEOs to consider more widespread use of iPads, arguing that they are more than just a consumer gadget. Macs are also increasingly being adopted by businesses: the US already expects the Mac to comprise up to 10% of devices used within the enterprise, and the UK is likely to follow suit.
This uptake could present a number of security challenges. Macs, by nature, tend to be more widely used by senior professionals and are therefore more likely to hold high-level, sensitive data of significance and value to the organisation. iPads, launched in May this year, quickly became highly sought after and are valued for their functionality, design and portability, but this also makes them a desirable and prime target for thieves.
Now making the transition from simply a ‘cool’ gadget to a tool with a very practical role to play in the enterprise environment, they can perform a variety of business tasks for an increasingly mobile workforce.
As Macs make the transition from ‘niche’ device to established business tool, cross-platform protection should now factor into organisations’ security practices. Certainly, having tools to encrypt sensitive data on the Mac platform will become increasingly important as its place in the corporate world becomes more established. Organisations must also establish clear policies on what data is, and isn’t, permissible to access and store on portable devices and move outside of the organisation. The future is in protecting data at the endpoint, wherever it goes, whatever the operating system.
We are seeing the dawn of a new era in identity protection as many of us now have a strong online presence, disclosing some form of personal data on a daily basis. In this age of open dialogue, we freely supply personal information – our name, date of birth, address or social security number – and, as individuals, our online fingerprint is everywhere. As well as social networking, everyday tasks such as paying bills, renewing car tax or online shopping now play a part in our day-to-day online activities. With more places to share data, there is more potential for data loss.
It is easy to forget about the security of the data we voluntarily submit when registering for social networking sites, updating statuses or making new business contacts. With new threat vectors, and more personal information available online, organisations need to make a conscious decision on how to enforce privacy policies, how to set individual privacy settings, and how to establish guidelines on the use and misuse of ‘recreational’ sites at work.
The ‘Insider’ Threat
Whilst we should protect against threats from outside the organisation, industry statistics consistently show that the most significant security threat to the organisation comes from within. The Wikileaks incident, which has seen the release of more than 250,000 confidential cables sent by US embassies, is a model example of the threat from ‘within’.
As we move through 2011, the economic situation and the impact of public sector spending cuts could create further uncertainty and result in job losses. As a result, corporate data may become an increasingly valuable commodity for the more unscrupulous employees. Likewise, those with an axe to grind against their employers may seize an opportunity to disclose confidential or sensitive data, or leave their former employers open to insider attacks.
In times of economic uncertainty, it is more important than ever to identify what data is confidential, monitor where the information is going, and then deploy technology and set policies to control this data.
The threat landscape will continue to evolve through 2011 and, as such, data security will prove increasingly challenging. In a world of growing mobility, more information sharing and economic uncertainty, there is a mounting danger of information leakage and data theft.
The repercussions of data loss can be financially damaging and have a devastating impact on brand and company reputation. As the threat vectors continue to shift and new threats emerge, organisations need to provide protection for data at rest, data in motion and data in use and, of course, make DLP an intrinsic part of their security strategy.