/financial-director/opinion/1744326/it-strategy-careless-whisper-dangers-sloppy-security
23 Feb 2009, Robert Jaques, Financial Director
Last month’s IT column focused on the danger posed by portable computer storage devices containing potentially highly sensitive data in an unencrypted form. Unfortunately, newly published research warns it is not just portable drives that are leaving firms open to devastating data loss incidents. The study from academic periodical International Journal of Liability and Scientific Enquiry suggests there is a huge amount of sensitive data haemorrhaging from the back door of companies by way of redundant computers, many of which are being disposed of in a cavalier fashion.
Researchers found that sample items of IT kit bought from a variety of second-hand dealerships contained highly sensitive information. In fact, only a third of working second-hand disks had been wiped. The paper concludes that this careless disposal of unencrypted data poses a dangerous level of risk for commercial sabotage and identity theft.
This warning is echoed by research published by Which? Computing in February. After purchasing eight second-hand hard drives from eBay, the magazine’s researchers were able to recover 22,000 ‘deleted’ files, many of which contained what they say is potentially sensitive data.
Disposing of old IT equipment safely is relatively easy and inexpensive. There are many ‘data shredder’ applications available that can make data on redundant hard drives safe from all but the most advanced forensic recovery techniques.
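The recovery of ‘deleted’ files described above and the overwrite that shredder tools perform both come down to one mechanism: deletion removes a file's directory entry, not its blocks. The following Python model is an added, constructed example written for this edit; it is not code from the column or from any of the tools it mentions. It simulates a drive as a block array with a directory table, shows that a pattern scan of the raw image still finds the records after ordinary deletion, and that only an overwrite of every block clears them. The NI-number-shaped strings and the `verify_wiped` audit check are this example's own inventions.

```python
"""Why 'deleted' is not 'erased': a toy block device with a directory table.

Constructed example for this edit, not the column's or any vendor's code.
"""
import os
import re

BLOCK_SIZE = 64
BLOCK_COUNT = 32


class ToyDisk:
    """Minimal model of a drive: fixed-size blocks plus a directory (hypothetical)."""

    def __init__(self):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(BLOCK_COUNT)]
        self.directory = {}  # filename -> list of block indexes
        self.free = list(range(BLOCK_COUNT))

    def write_file(self, name, data):
        """Allocate blocks, store the data and record the mapping."""
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)] or [b""]
        if len(chunks) > len(self.free):
            raise IOError("disk full")
        idxs = [self.free.pop(0) for _ in chunks]
        for idx, chunk in zip(idxs, chunks):
            self.blocks[idx] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.directory[name] = idxs

    def read_file(self, name):
        """Read via the directory; raises KeyError once the entry is gone."""
        return b"".join(self.blocks[i] for i in self.directory[name]).rstrip(b"\x00")

    def delete_file(self, name):
        """Ordinary deletion: drop the entry and mark the blocks free.
        The block contents are deliberately left intact, as real filesystems do."""
        self.free.extend(self.directory.pop(name))

    def wipe(self, pattern=b"\x00"):
        """Overwrite every block, allocated or free. pattern=None uses random bytes.
        This is what a 'data shredder' does to the whole drive."""
        for i in range(BLOCK_COUNT):
            if pattern is None:
                self.blocks[i] = os.urandom(BLOCK_SIZE)
            else:
                self.blocks[i] = (pattern * BLOCK_SIZE)[:BLOCK_SIZE]
        self.directory.clear()
        self.free = list(range(BLOCK_COUNT))

    def raw_image(self):
        """What a low-level scan sees: every block, directory ignored."""
        return b"".join(self.blocks)


# Shape of the fictitious 'sensitive' records used below (constructed).
NI_NUMBER = re.compile(rb"[A-Z]{2}\d{6}[A-D]")


def remnants(disk):
    """Audit check: scan the raw image for record-shaped strings, ignoring the
    directory. A disposal process can run this before a drive leaves the building."""
    return [m.group().decode() for m in NI_NUMBER.finditer(disk.raw_image())]


def verify_wiped(disk, pattern=b"\x00"):
    """True only if every block holds the overwrite pattern."""
    expected = (pattern * BLOCK_SIZE)[:BLOCK_SIZE]
    return all(block == expected for block in disk.blocks)


def demo():
    """Returns the remnant counts (before delete, after delete, after wipe)."""
    disk = ToyDisk()
    disk.write_file("payroll.csv", b"name,ni\nA Smith,AB123456C\nB Jones,CD654321A\n")
    before = len(remnants(disk))   # 2 records, reachable through the directory
    disk.delete_file("payroll.csv")
    assert "payroll.csv" not in disk.directory  # user-visible view: file is gone
    deleted = len(remnants(disk))  # still 2: only the directory entry went
    disk.wipe()
    wiped = len(remnants(disk))    # 0: blocks overwritten
    return before, deleted, wiped


if __name__ == "__main__":
    print(demo())
```

The model reflects a magnetic disk, where an in-place overwrite reaches the same sectors the data sat on; on flash storage with wear-levelling an overwrite is not guaranteed to land on the original cells, so the device's own secure-erase command or full-disk encryption with key destruction is the equivalent control. Either way, the useful habit is the one `verify_wiped` and `remnants` stand for: check the raw device after the wipe, not the directory listing.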
Going further, anyone seeking a more dramatic and permanent solution to their data disposal headaches might like to search for “shooting hard drives” on YouTube. This will pull up some instructive videos that scientifically prove the larger the calibre of the bullet used to shoot the hard drive, the better the data removal effect. It should be noted, however, that equipping IT staff with automatic weapons could result in unwelcome and unforeseen consequences.
It is apparent that the problem of data leakage is still growing fast: a report published last month by the Information Commissioner’s Office (ICO) reports a significant increase in the number of data breaches in recent months. This study uncovered 99 breaches in the public and private sector in the three months from November 2008, compared to 277 incidents during the whole of the previous year.
Law firm Eversheds highlights a recent case of data loss emphasising the serious repercussions facing firms that lose sensitive data. In this instance, the ICO issued an enforcement notice against a major high street retailer warning that it faced criminal charges after a laptop holding unencrypted details on 25,000 employees was stolen. The ICO and the retailer eventually reached an agreement whereby the watchdog accepted undertakings from the retailer to comply with the Data Protection Act (DPA) in future.
However, there is some indication that companies and government departments have woken up to the danger posed to their businesses by sloppy data security. The latest research from Forrester notes that IT data security budgets are “going strong”. The analyst firm’s study, The State of Enterprise IT Security: 2008 to 2009, reveals the chunk of the corporate IT budget given over to IT security is getting bigger, with larger companies devoting an average of 11.7% of their IT operating budget to IT security in 2008, compared with 7.2% in 2007. According to the study, data protection is now the “dominating theme” for today’s security organisations.
While throwing money at the problem will help, training and proactive communication of compliance policies must have an equal role in stemming the escape of sensitive data from companies. This is because most security breaches occur as the result of human error; communication is key to containing the threat. While it is all well and good to argue in favour of improved communication, doing it in the real world is almost always problematic.
Research conducted by Financial Director reveals that senior finance executives are extremely concerned about communications failures within their organisations. Around 90% of the 125 FDs responding to our poll agreed that top management could and should do more to encourage improved communication between various intra-organisational departments and silos.
In this context, Forrester’s report provides grounds for optimism. It notes senior staff responsible for data security are increasingly reporting outside IT. More than a third of security decision-makers have dotted-line reporting to their board or CEO or president, while one-fifth report to an executive committee.
It appears much progress has been made, particularly in the private sector: information security is now being treated seriously by executive boards, not just by IT staff. There is now growing awareness between divisional silos of the organisational, compliance, policy and communications jigsaw that must be completed to address the issue of data loss. But when all’s said and done, there is no such thing as security, just levels of insecurity.
© Incisive Media Investments Limited 2012, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093
Information is the golden thread that binds together all forms of risk
As your article rightly points out, senior staff responsible for data security are increasingly reporting outside IT. This is almost certainly being driven by the fact that risk management consists of multiple categories: operational risk, financial risk, reputation risk, market risk and strategic risk. Related to these categories are various forms of business value - all the forms of value that are necessary for a business' long-term success. Information is the golden thread that binds together the management of all these forms of risk. Information risk management therefore plays a crucial role in every area of risk management. By definition, information risk management is a vital part of the constant effort needed to ensure that business value is created rather than destroyed.
Posted by: Tim Kipps - Director - ArmstrongAdams, 25 Feb 2009 | 00:00