The Department for Business Enterprise and Regulatory Reform (Berr’s) biennial security survey showed 77 percent of firms now regard protecting customer information as a priority. Yet only eight per cent of those polled encrypt data stored on laptops.
Meanwhile, in an ISC2 Global Information Security Workforce Study of more than 7,500 security professionals, avoiding damage to reputation was a priority for 71 percent of respondents. A further 70 percent said protecting customer data was a priority, while 61 per cent said the risk of breaching laws and regulations was a driver for information security governance.
But the disparity between firms’ security intentions and their actions persists, argued Chris Potter, a partner at PricewaterhouseCoopers. “There are gaps between the aspirations of companies and what they are actually putting into practice,” he added.
The lack of dedicated IT security professionals and the ever-evolving nature of threats are major factors adding to the risks that firms face today, argued Potter. Companies should step up their risk assessment programmes, he advised.
But Information Commissioner Richard Thomas, told delegates he believed firms’ reluctance to take data protection seriously would persist until stronger penalties were enforced. He noted that while high-profile cases such as the loss of millions of personal records by HM Revenue & Customs had raised awareness, the attitude of the public sector towards data protection remained “worrying”.
Thomas said he was frustrated that powers to imprison those convicted of il legally trading information had yet to be fully enacted. “I’m still seeking serious deterrents to those who engage in this illegal market,” he advised.
Further evidence of government heel-dragging was perceptible in one of the big holes in the show agenda. The Police Central E-crime unit had been expected to be operational in time to unveil its new e-crime reporting portal at the show. But a spokeswoman for the Association of Police Officers confirmed that launch plans have been pushed back.
Some security experts believe that business leaders will not take data loss prevention seriously until they are compelled to inform customers of any breach.
Howard Schmidt, director at security company Fortify, and one-time security adviser to the White House, insisted that breach notification laws had been largely successful where they had been introduced.
“Breach notifications would be of benefit to anyone. But when you have the requirement to do so, it must be consistent. In the US, states make their own [laws] and there is a lot of complexity. This makes it difficult to manage,” he suggested.
Meanwhile, other security experts bemoaned the general level of organisational security awareness.
“What we find is that we may have got the technical problems solved but we need to raise the human element,” said Martin Smith of The Security Company.
Although firms are trusting their staff more by reducing blocks on instant messaging and opening up internet access, training policies still lack vigour, the Berr report found.
But Mike Smart of security vendor Secure Computing argued that technology controls are an important part of an effective security risk management programme. “Policy-based actions, like encrypting content, become very important and technology can help to stop users clicking on a certain link, to [mitigate the risk] from social engineering attacks,” Smart explained.
