Why are businesses ignoring the offer of a free ICO audit?

Reports that large numbers of UK businesses are ignoring the offer of a free audit being conducted by the Information Commissioner’s Office on their IT security have met me with amazement.

The fact that 81 per cent of firms have ignored or rejected the ICO’s offer of a data breach audit survey is indicative of the blasé attitude that many companies have towards their IT security.

What they don’t realise is the potential for damage that a data breach can pose to their organisation. And we are not just talking about potential ICO penalty fines here, but the effect on the firm’s public reputation and, for larger companies, their share price.

Where previously many industry observers, I would have attributed the lack of interest in ramping up a firm’s data security defences as being due to economic issues, the fact that firms are ignoring the ICO’s free audit offer – effectively looking a proverbial gift horse in the mouth – shows the apathy that many managers take towards IT security.

In my opinion, directors should not ignore offers for a free security audit – especially after arousing the interest of the ICO’s staff – they need to embrace the IT security needs of their company.

What many people do not realise is that companies are legal entities in their own right and, as such, have their own rights under the law. This is the Companies Act and other legislation seeks to lay down in the law books.

Unfortunately, it is only when a company goes to the wall that questions are asked by investors and shareholders, but the cost of remediating breaches of fiduciary duty are quite expensive to pursue through the courts.

And when a company goes bust, its legal insurance often goes west, along with most corporate protection. If the directors could wind back the clock and prevent the company going to the wall, however, they would clearly take this option.

And with many companies’ sales in the doldrums as a result of the economic downturn, any reputational damage that arises as the result of a data breach can often be enough to tip the company in a deadly spiral of loss-making and eventual demise.

And this is why I find it amazing that the ICO’s offer of a free IT security audit is being snubbed by so many companies. Are their managers too busy to respond, or just badly informed?

Andrew Kemshall is co-founder of SecurEnvoy. Before setting up SecurEnvoy, which specialises in tokenless two-factor authentication, Andrew worked for RSA as one of their original technical experts in Europe, clocking up over 15 years experience in user authentication. His particular specialty is two-factor authentication in the fields of architecture, design and development of next generation authentication software.