
The Rise and Repercussions of Corporate Information Leaks

There is a common misconception that most data loss experienced by businesses and organisations is the result of intentional and malicious behaviour such as hacking, viruses or corporate data theft. For too long, companies in the public and private sectors have focused on outside-in threats to information, such as industrial espionage or hackers. In reality, data leaks are primarily inadvertent, such as information within documents or emails, and they are hitting firms of all sizes. Companies exposed most recently include IBM, Nationwide and the UK’s National Health Service (NHS).

Going Mobile

As our workforce becomes increasingly mobile, the risk to customer and corporate data rises. In a recent poll by Silicon.com, 90% of respondents stated that they now work from home at least once a month. Workers are routinely leaving the office with corporate information, often of confidential or sensitive nature, held on laptops, USB sticks and mobile devices, meaning that a company’s security could be breached, quite literally, anywhere.

This year, high-profile cases of lost or stolen laptops continued to hit the headlines and prove how damaging information leaks can be. One of the most publicised examples in the UK was that of the high street building society Nationwide. A laptop was stolen from an employee who took the equipment out of the office in order to work from home. The theft was slow to be reported and details about security measures in place at the financial institution were hazy. As a result, Nationwide was fined almost £1m for the security breach by the Financial Services Authority. Financial losses aside, damage to the brand is yet to be quantified.

The public sector is not exempt from data loss. Already this year, the NHS has been hit several times by mobile security breaches. In March, Nottingham Primary Care Trust (NPCT) admitted that several laptops had been stolen, one of which contained information on about 11,000 young children. Data lost included names, addresses and dates of birth of children from the Newark, Mansfield and Ashfield areas of the UK. The NPCT was forced to apologise, writing to all families affected by the theft and setting up a helpline for those concerned about what might happen to the information.

In May, a laptop holding personal and financial information on 10,000 UK NHS patients was stolen from a hospital in Cornwall. The laptop was stolen by determined thieves from a locked and alarmed building. While this incident could not have been stopped, people have questioned the adequacy of security measures in place on the laptop itself. Although a spokesperson confirmed the laptop was ‘password protected’ they were unable to say if any other security policies or technology were in place to safeguard information on the device. Experts have agreed that today, password protection and physically locking laptops away is not enough to protect sensitive data of this kind. It is the responsibility of businesses and organisations themselves to ensure that confidential information remains as such.

Corporate Compliance

The opinion of security experts aside, what steps are governments and regulatory bodies taking against these information leaks? Increasing calls for legislation on data storage and data breaches across the globe mean legal compliance must also be taken into consideration. According to a security survey conducted by IDC last year, 48% of organisations still do not have a policy for notifying customers when their private data may be at risk. Currently, UK organisations that lose sensitive customer or employee data or expose it to others do not have to disclose details of the breach, even to those affected. Now, in the wake of recent data losses, security experts have called on UK legislators to bring laws in line with US law SB 1386, which was introduced in California in 2003 and has spread to 34 states, requiring full disclosure around security breaches. Bodies such as the Independent Commissioners Office and House of Lords are among those currently pushing for the introduction of tighter legislation on disclosure of serious data breaches.

In addition, while UK laws around data breaches are lagging behind the US, customers themselves are increasingly aware of the dangers of information leaks and are prepared to vote with their feet. As data breaches continue to hit the headlines, consumers are demanding to be notified if their personal information is in danger of being compromised. If companies fail to comply with such demands, they face serious damage to customer relationships and long-term loss of business.

Mitigating the Risk

Firms in both the private and public sectors need to realise that the threat of information leakage is a real one, and take action before it reaches a crisis point. Actionable steps can be followed to mitigate the risk of these security breaches. Firstly, all employees within an organisation must be educated on the risks and dangers associated with the data they are creating and sharing on a daily basis, as well as the repercussions of information loss. Today, more information is being created and utilised than ever – IDC estimates that the world’s ‘digital universe’ was 161 billion gigabytes in 2006, and that this figure is continuing to rise at an astonishing rate. Staff need to be aware of the information they are handling and make every effort to keep this inside the perimeter of the business.

In addition to this, proven technologies need to be put in place so that everything from emails and documents to removable storage and mobile devices is being managed in a controlled and measurable way. While written security policies are worthwhile, firms also need to deploy user-friendly technology that will enforce such policies and ensure that sensitive information is not leaked accidentally. These controls will also prevent the cases, albeit a minority, in which information leaks occur maliciously or through theft.

Time for Action

In today’s legal, regulatory and media aware society, organisations can no longer manage data on blind faith. High-profile gaffes serve to prove that mistakes are being made every day. With the vast amount of information being created and shared, it is largely a question of when, not if, companies will have to face up to the growing issue of information leakage, unless steps are taken to prevent it. Now is the time to educate employees, enforce realistic security policies and protect your information – your most valuable asset.
