The protection of personally identifiable information (PII) continues to dominate regulatory compliance efforts, with European data protection laws cracking down on negligence and poor data management. Data protection regulators have already imposed penalties on organisations of every size, public and private alike.
The Information Commissioner’s Office (ICO) in the UK recently released a list of its top data security threats, based on its analysis of serious or frequent contraventions of the Data Protection Act (DPA).
Having done a bit of an analysis of the case law, I discovered that over the past 18 months, of 66 references to any of the eight DPA principles in enforcement cases, 58 were to the seventh principle, which covers data security.
In other words, in roughly 88% of the cases in which a principle was cited (58 of 66), the reason for enforcement was poor IT security.
The seventh principle states: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
The following eight risk factors were identified by the ICO as the biggest reasons why organisations fail to comply with the IT security elements of the Act:
- Failure to keep software security up to date;
- A lack of protection from SQL injection;
- The use of unnecessary services (software or network services left running that the system does not need);
- Poor decommissioning of old software and services;
- The insecure storage of passwords;
- Failure to encrypt online communications;
- Poorly designed networks that process personal data in inappropriate locations;
- The continued use of default credentials including passwords.
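Two of the eight items above, SQL injection and insecure password storage, are concrete coding failures rather than policy gaps, so here is an added illustration of each in Python against an in-memory SQLite database. This is example code written for this page, not code from the ICO or from any product; the table layout, the sample users and the `x' OR '1'='1` probe are constructed for the demonstration, and the scrypt parameters are reasonable assumptions rather than a recommendation from the ICO list.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demonstration (not real credentials).
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2"), ("carol", "hunter2")]
# Assumed scrypt cost parameters: 16 MiB of memory, one thread.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password_weak(password: str) -> str:
    """Insecure storage: unsalted MD5. Identical passwords give identical hashes,
    and precomputed tables recover the originals quickly."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted, memory-hard hash stored as 'salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table populated with salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, hash_password(p)) for u, p in SAMPLE_USERS])
    return conn


def user_exists_vulnerable(conn: sqlite3.Connection, username: str) -> bool:
    """Injectable: attacker-controlled text is spliced into the SQL statement."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchone() is not None


def user_exists_safe(conn: sqlite3.Connection, username: str) -> bool:
    """Parameterised: the driver binds the value, so quotes in it are just data."""
    row = conn.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup followed by a salted-hash check."""
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed injection payload
    print("vulnerable lookup with probe:", user_exists_vulnerable(db, probe))  # True
    print("safe lookup with probe:      ", user_exists_safe(db, probe))        # False
    print("bob/carol weak hashes equal: ",
          hash_password_weak("hunter2") == hash_password_weak("hunter2"))       # True
    print("login alice:", login(db, "alice", "correct horse"))                 # True
    print("login alice wrong pw:", login(db, "alice", "hunter2"))              # False
```

The probe string shows why concatenation fails: the vulnerable query becomes `... WHERE username = 'x' OR '1'='1'` and matches every row, while the parameterised version looks for a literal username containing quotes and finds nothing. On the storage side, bob and carol share a password, which the unsalted MD5 makes obvious to anyone holding the table; with per-user random salts and a memory-hard function, their stored hashes differ and each must be attacked separately.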
None of the above risks is especially complex or difficult to manage. In fact, the majority of data security breaches can be prevented with basic information security hygiene, but organisations often fall short on the basics: a lack of staff awareness, ineffective policies, or simple human error.
Information security may be a new concept to some, but there ARE proven, vendor-neutral frameworks and methodologies (in other words, not software products) that can help companies overcome the challenges listed above.
Arguably, the most widely adopted framework is ISO27001, an information security standard that is used and accepted internationally. It has become so well established that a number of governments require contractors to demonstrate ISO27001 compliance before doing business with them. With the majority of large multinationals having adopted ISO27001, the requirement is flowing down the supply chain, where suppliers become ISO27001-compliant in order to keep their clients.
ISO27001 requires an organisation to implement a system that covers not only technology, but also people and processes. This information security management system (ISMS) is at the core of ISO27001 compliance: the standard specifies a set of requirements for establishing, operating, monitoring and continually improving the ISMS, so that the business can keep up with the rapid pace of threat evolution.
The eight weaknesses listed above would all be addressed by an ISMS implemented in line with the requirements of ISO27001. The standard also requires a comprehensive information security risk assessment to be conducted, a risk treatment plan to be drawn up, stakeholders to be involved and leadership to take accountability. As with other certifiable ISO management system standards, a certified ISMS is kept honest through regular internal audits and surveillance visits by an external, independent certification body.
You can read more about ISO27001 and how it can help facilitate improved information security here.
vsRisk™, the definitive cyber security risk assessment solution, has been helping companies assess and report on risks according to the framework provided by ISO27001 for more than seven years. Find out how vsRisk can help you by downloading the free 15-day trial today.