The DTI recently published its sixth Information Security Breaches Survey, carried out by PricewaterhouseCoopers. Its statistics make alarming reading – the following are some of the principal findings:
- Security breaches are rising fast. 44% of UK businesses have suffered at least one malicious security breach in the past year compared to 24% in the 2000 survey – many were fixed within a day but 20% of large businesses had incidents which took over a week to get business back to normal. Many of these incidents were caused by viruses.
- 90% of incidents used to be caused by insiders but the pattern seems to be changing. Of the worst incidents, two-thirds were from external sources (although for large businesses the figure was only half).
- Only 27% of UK businesses (59% of large businesses) have a documented security policy – while an improvement on the previous figure of 14% this is still woefully small given the importance of the issue.
- Only 15% of IT staff responsible for security are aware of the contents of BS7799, the data security standard, which has now become ISO 17799.
- Nearly three quarters of businesses spent 1% or less of their IT budget on security – against a global benchmark of 3%-5%.
- 76% of businesses with websites are confident they have the necessary controls in place to prevent or detect security incidents connected with that website, yet only 66% of UK websites (88% for large businesses) have the basic protection of a firewall, only 21% check it using penetration testing and only 33% use intrusion detection software.
- Only 40% of businesses with websites have any form of redundancy or fallback site for their website.
- Only 51% of businesses with transactional websites encrypt traffic over the Internet.
- Only 59% of businesses using e-procurement/EDI encrypt traffic over the Internet and only 25% use two-factor identification (i.e. a software or hardware token in addition to passwords).
The Survey estimates the average cost of a serious security breach at £30,000 with the most serious breaches costing £500,000. Quite apart from the significant commercial impact that security breaches can have, failure to have in place adequate security for your business can give rise to legal liabilities. The following are a few examples:
- if you are responsible for transferring a virus to your clients through e-mail or floppy disks, you may be liable in negligence for the consequences on their business (although they may be contributorily negligent for failing to have adequate virus protection themselves);
- if the effect of the security breach is to allow access to information on your system which is confidential to a customer or supplier, you may be in breach of contractual obligations to keep that information confidential;
- if your system contains personal data, relating to customers, employees or business contacts, then failure to have adequate security systems in place to protect that data will constitute a breach of your obligations under the Data Protection Act 1998 to comply with the data protection principles. One of those principles states that appropriate technical and organizational measures must be taken against unauthorized or unlawful processing of personal data and against accidental loss or damage to that data. Failure to comply with the principles could result in enforcement action by the Information Commissioner or even claims for compensation from affected individuals.
Data security involves much more than technical measures such as passwords, firewalls, access controls and back-ups. It also involves physical security measures such as visitor controls, separate working areas for those dealing with personal data and procedures for safe disposal of personal data such as shredding.
Most importantly, it involves organizational issues: the first step in data security is creation of a formal data security and data protection policy which assesses the security risks and determines the appropriate controls. Organisational controls may also include:
- compliance with BS7799;
- change control procedures for IT systems;
- formally addressing IT security in all IT projects and including it in system design;
- regular review, testing and updating of all security policies, procedures and technical measures – six-month-old firewalls may not work against today's viruses;
- an up-to-date, secure and well tested business continuity and disaster recovery plan;
- creation of an e-mail/web use policy;
- review of the contracts with third party data processors and any overseas recipients of data to ensure that adequate controls are in place regarding use of the personal data;
- provision of training to employees, contractors and casual staff on a regular basis – in addition to a data protection policy set out in the staff handbook.
CMS Cameron McKenna can provide an audit of compliance with the provisions of the Data Protection Act 1998.
For further information on data protection laws and on data protection audits please contact:
+44(0)20 7367 3570