The Information Commissioner's Office (ICO) has warned that businesses should improve data security standards following its annual report and the revelation that private businesses accounted for almost a third of the 603 data breaches reported in 2010/11.
Categorised as the loss, corruption or release of personal data, these security breaches are potentially a serious issue for both the companies holding the data and the individuals whose data has been affected, particularly where a release (through negligence or theft) is concerned. The damage to a business should, therefore, be concern enough to review security processes, infrastructure and the overall management of the company's data on a regular basis.
While most organisations have a number of information security controls in place, the lack of a clearly defined Information Security Management System (ISMS) and the company policies that follow from it can create gaps. This is where data security breaches can begin. Although it should be noted that even the most developed ISMS in the world cannot eliminate human error, it can establish the policies and procedures necessary both to limit the potential for human error and to provide a clear plan of action should the worst happen.
Taking the management of an organisation's information a step further is ISO27001. As Wikipedia notes:
ISO/IEC 27001 requires that management:
- Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities, and impacts;
- Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
- Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.
Conforming with ISO27001, and having done so since 1 August 2007, Blue Chip has a well-defined ISMS covering both physical and network information security, which includes our own Business Continuity plan.
Data security is certainly something to take seriously, and businesses should heed the warnings of the Information Commissioner's Office. If the prospect of losing data isn't enough to prompt a review of your own data security controls and policies, the following statistics relating to data loss and disaster recovery may help:
Of companies that had a major loss of business data, 43% never reopen, 51% close within two years, and only 6% will survive long-term.