Friday 14 November 2008

Personal data loss an "alarming" problem

High-profile instances of accidental leakages of sensitive customer information show no signs of abating. This time last year the media was having a field day with the revelation that the UK's HM Revenue & Customs (HMRC) had lost two discs containing the personal details of 25 million people. According to Symantec, not much has improved since then.

Symantec says an additional nine million personal records have been lost since the HMRC incident by private companies and third-party data handlers. The total loss of 34 million people's records means that more than half of the UK's 61 million population have had their data lost in the last year, which, when you put it like that, sounds alarming.

While UK Prime Minister Gordon Brown has made it abundantly clear that the government cannot guarantee the protection of personal data by bumbling bureaucrats who appear to have a penchant for leaving laptops and USB sticks lying around on trains or in pubs, Symantec's Data Loss Prevention survey does not show much hope for the private sector either.

Almost half of UK companies surveyed admitted that one or more incidents of data loss had taken place, and another 25% had no strategy for dealing with data loss, which is concerning given the reputational risks and increasingly hefty fines.

Symantec's survey suggests that companies are not taking data protection seriously enough or that they don't know where to start.

It has provided companies with some useful pointers as to measures that can be taken to prevent data loss:

One of the big ones is to educate employees about the importance of data loss avoidance and procedures.

Secondly, Symantec recommends "locking down" computers, mobile devices and other removable media using either software or physical locks. (The big problem seems to be stopping employees from taking personal information outside the corporate firewall.)

Network access controls should mean that employees can only access "relevant" systems and information.

Data should also be monitored to prevent leakages (although with so much data residing in firms, data classification in terms of which data needs to be secured or classified 'top secret' is an essential first step).

