IT strategy: Careless whisper – the dangers of sloppy data security

Last month’s IT column focused on the danger posed by portable computer
storage devices containing potentially highly sensitive data in an unencrypted
form. Unfortunately, newly published research warns it is not just portable
drives that are leaving firms open to devastating data loss incidents. The study
from academic periodical International Journal of Liability and Scientific
Enquiry suggests there is a huge amount of sensitive data haemorrhaging
from the back door of companies by way of redundant computers, many of which are
being disposed of in a cavalier fashion.

Researchers found that sample items of IT kit bought from a variety of
second-hand dealerships contained highly sensitive information. In fact, only a
third of working second-hand disks had been wiped. The paper concludes that this
careless disposal of unencrypted data poses a dangerous level of risk for
commercial sabotage and identity theft.

This warning is echoed by research published by Which? Computing in
February. After purchasing eight second-hand hard drives from eBay, the
magazine’s researchers were able to recover 22,000 ‘deleted’ files, many of
which contained what they say is potentially sensitive data.

Disposing of old IT equipment safely is relatively easy and inexpensive.
There are many ‘data shredder’ applications available that can make data on
redundant hard drives safe from all but the most advanced forensic recovery
techniques.

Going further, anyone seeking a more dramatic and permanent solution to their
data disposal headaches might like to search for “shooting hard drives” on
YouTube. This will pull up some instructive videos that scientifically prove the
larger the calibre of the bullet used to shoot the hard drive, the better the
data removal effect. It should be noted, however, that equipping IT staff with
automatic weapons could result in unwelcome and unforeseen consequences.

It is apparent that the problem of data leakage is still growing fast: a
report published last month by the Information Commissioner’s Office (ICO)
reports a significant increase in the number of data breaches in recent months.
This study uncovered 99 breaches in the public and private sector in the three
months from November 2008, compared to 277 incidents during the whole of the
previous year.

Law firm Eversheds highlights a recent case of data loss emphasising the
serious repercussions facing firms that lose sensitive data. In this instance,
the ICO issued an enforcement notice against a major high street retailer
warning that it faced criminal charges, when a laptop holding unencrypted
details on 25,000 employees’ was stolen. The ICO and the retailer eventually
reached an agreement whereby the watchdog accepted undertakings from the
retailer to comply with the Data Protection Act (DPA) in future.

However, there is some indication that companies and government departments
have woken up to the danger posed to their businesses by sloppy data security.
The latest research from Forrester notes that IT data security budgets are
“going strong”. The analyst firm’s study, The State of Enterprise IT Security:
2008 to 2009, reveals the chunk of the corporate IT budget given over to IT
security is getting bigger, with larger companies devoting an average of 11.7%
of their IT operating budget to IT security in 2008, compared with 7.2% in 2007.
According to the study, data protection is now the “dominating theme” for
today’s security organisations.

While throwing money at the problem will help, training and proactive
communication of compliance policies must have an equal role in stemming the
escape of sensitive data from companies. This is because most security breaches
occur as the result of human error; communication is key to containing the
threat. While it is all well and good to argue in favour of improved
communication, doing it in the real world is almost always problematic.

Research conducted by Financial Director reveals that senior finance
executives are extremely concerned about communications failures within their
organisations. Around 90% of the 125 FDs responding to our poll agreed that top
management could and should do more to encourage improved communication between
various intra-organisational departments and silos.

In this context, Forrester’s report provides grounds for optimism. It notes
senior staff responsible for data security are increasingly reporting outside
IT. More than a third of security decision-makers have dotted-line reporting to
their board or CEO or president, while one-fifth report to an executive
committee.

It appears much progress has been made, particularly in the private sector:
information security is now being treated seriously by executive boards, not
just by IT staff. There is now growing awareness between divisional silos of the
organisational, compliance, policy and communications jigsaw that must be
completed to address the issue of data loss. But when all’s said and done, there
is no such thing as security ­ just levels of insecurity.