Several recent cases have highlighted the risk of data security breaches. So, how can you make sure commercially sensitive information and customers' personal details are safe?
When a laptop disappeared on the way back from a pitch, Debbie Moore, managing director of design and advertising agency Other, feared the information it contained might fall into the wrong hands. Since the computer contained confidential material about a new blue-chip client, this could have been a disaster for her company.
"It was a real wake-up call," says Moore. "We did find the laptop, but the fact that we came close to losing something that was potentially very client-sensitive made us realise we would have to tighten things up considerably."
That feeling will probably be familiar to many directors. Royal Bank of Scotland and NatWest recently had to reassure customers after a computer containing historical data relating to credit card applications was sold on eBay; while PA Consulting was blamed by the government for losing a memory stick holding the details of thousands of prisoners.
Today, there are more and more ways to lose corporate data. CDs can get lost in the post; PDAs, smartphones and MP3 players, which are increasingly used as data storage devices, can be left in taxis.
It's a potentially serious problem. Nationwide Building Society was last year fined £980,000 by the Information Commissioner after a laptop with confidential customer data was stolen from an employee's home.
The loss of confidential information lays customers open to fraud and badly damages a company's reputation. The risks, says Martin Baldock, general manager at IT forensics investigation company Data Genetics International, cannot be over-estimated.
Directors who think data loss is inevitable in a world where information about organisations and their clients can be quickly downloaded on to small, easy-to-misplace mobile devices, should, says Michael Callahan, vice-president and head of marketing at encryption specialist Credant Technologies, think again. Increased mobility, according to Callahan, is no excuse for inaction.
"Data in today's world is incredibly mobile," he says. "It's inevitable that people will take iPods and use them as storage devices and then take them out of the office. But it's not so much the device that is critical any more, as the data. You want to be sure you are protecting that data."
Ray Stanton, who heads the global business continuity, security and governance group at BT, agrees. He recalls BT making the news when two CDs containing information were lost in transit. The company escaped reputational damage because it had taken the necessary precautions. The discs were encrypted using a password that was only released to the recipient when a phone call was made to confirm arrival. When that phone call didn't come, the courier was contacted, and the discs quickly traced. "Something will always go wrong," says Stanton, "but I think you have a duty of care to do the best you can to put the controls in place and manage them."
In the case of Other, Debbie Moore called in IT support company Connect, whose first step was to encrypt company laptops for the times when they have to leave the office. Measures included protecting information held on computers with passwords that are also used to restrict access to those who need it. Remote workers dial into the central system rather than having data sent out to them, while systems are securely backed up online.
Moore says: "What happened to us could happen to anybody and it's not something you can afford to take risks with. Now we have strict policies on people using company laptops, and centrally-controlled passwords."
Baldock points out that many senior staff genuinely need their technology—and the data it contains—as they travel the globe on business. But, he says: "We all use Blackberries here, and mine is encrypted with a password, and I have cut down the number of attempts you can make at getting that password."
A good starting point, says Mark Fulbrook, UK and Ireland director of encryption company Cyber-Ark, is to identify the highly sensitive information, then consider how that information should be sent. "Very, very quickly people will start to see good rates of data security," he says. "Think of it like cash. If I were going to send cash, I wouldn't put it in an envelope and send it. I wouldn't even send it by courier—I'd send it electronically."
He adds: "Look at what's important and store it in a very secure place. Make sure anyone who interacts with that data has authority to do so—you need a high level of authorisation and then a high level of encryption.
"The weakest link in your security is always the user. If they are well trained and you have good controls, then you don't have to have any security breaches at all."
Responsible disposal of computers is, as the eBay incident highlighted, key. In a 2007 research study involving BT and the University of Glamorgan, 133 second-hand hard discs were bought and examined forensically. Of the 74 readable discs, 41 per cent contained commercial data and 74 per cent had personal information on them. Medical and personal records were found, as well as confidential company and salary details. That's why, says Stanton, companies should always hire specialist organisations to dispose of computers.
Honest error is often the cause of data security breaches. "Good training can really reduce the chances of a security breach and also the impact of what happens," says Andrew Wilson, who heads the Aston Multimedia Interactive Research Suite at Aston Business School. Wilson recommends that an IT champion be named, preferably at board level. "Responsibility is key—often small and medium-sized businesses are busy and don't necessarily consider issues such as this."
Baldock agrees: "There must be strong, top-level ownership of the IT security issue, whether it's by an IT director, or, as often happens, a finance director."
Stanton says any data security policy must be audited and enforced. "If you put controls in place and don't measure and monitor them, then shame on you. You wouldn't give your staff guns, but if you have a disc full of information it's like a loaded gun waiting to go off if you don't protect it."
Data security tips
1. Train staff properly, so that they are aware of policies and procedures and understand the risks of ignoring them
2. Wherever possible, encrypt all devices and documents with passwords and limit the number of password attempts allowed
3. Reduce unnecessary data traffic. Don't take or send important data anywhere it doesn't need to go
4. Send sensitive information in the safest and most appropriate way
5. Store what's really important in a secure place
6. Dispose of old computers properly, including wiping all sensitive data


