Private sector shocks with lax attitude to data risk


Private sector shocks with lax attitude to data risk

Microscope contributor
Following the Information Commissioners Office (ICO) annual report, security firms are expressing astonishment that the private sector is shunning assessment of its data risk, writes Linda Endersby.

The report showed that of 100 companies, considered to be at high risk of data breaches, approached by the ICO only 19% of the private sector organisations were willing to submit information for consensual audit.

This is compared to 71% of the public sector approached, though this includes government departments who are also subject to the ICO power of compulsory audit.

These results have been met with amazement by several in the security world who hoped the attitude of the private sector would have been different towards data protection.

Andrew Kemshall, the CTO of SecurEnvoy, said the findings were indicative of the blasé attitude that many companies have towards their IT security.

"What they don't realise is the potential for damage that a data breach can pose to their organisation. And we are not just talking about potential ICO penalty fines here, but the effect on the firm's public reputation and, for larger companies, their share price," he said.

Kemshall went on to add that, in his opinion directors should not ignore offers for a free security audit - especially after arousing the interest of the ICO's staff.

"I find it amazing that the ICO's offer of a free IT security audit is being snubbed by so many companies," he added "Are their managers too busy to respond, or just badly informed?"

Ross Brewer, vice president and managing director for international markets at LogRhythm said there had already been so many cases of breaches that should have put it on the radar and triggered a different customer response.

"This year has been punctuated with a number of high profile organisations that have fallen victim to data breach. As a result you would think those deemed high risk by the ICO would welcome its help in identifying and resolving any potential weaknesses," he said.

"However, the behaviour of those refusing audits is indicative of the attitude that led to this situation in the first place. Too many organisations are in denial about the scale of the threat and the possibility that they will be affected," he added.

The ICO annual report also looks to answer criticism of its effectiveness. As reported in Microscope in April, the ICO was given the powers to impose fines of up to £500,000 and in 2010-2011 2,565 breaches were reported. But in that period only 37 resulted in action from the ICO, with just four ending up in fines being handed out.

The report states that as well as those fines other enforcement actions have been undertaken with 2 successful Crown court prosecutions for unlawfully obtaining personal data and 3 cases prosecuted in the Magistrates Court for failing to notify the Commissioner that they were processing data electronically.
Also a monitoring programme was introduced to identify public authorities who were not meeting their obligations to deal with freedom of information requests in a timely manner. Of 33 monitored public authorities, 19 showed such improvement that no further action was necessary.

Join the conversation Comment



    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.