There’s been another data loss. This time, a health and safety boss, attending a major nuclear conference in India, lost a USB memory stick containing a confidential report on a nuclear power station.
This situation is just one of many, and it won’t get better by itself. The consumerisation of today’s workforce, the proliferation of BYOD (Bring Your Own Device) policies and employees swamped with on-demand data are trends that no IT manager can easily buck.
While encryption is a great policy, it isn’t and shouldn’t be the only option. To an extent, the door can be closed after the horse has bolted through measures such as USB keys whose memory can be turned off or deleted remotely, or that can even be located through GPS and GSM. This is something we can change, now, and it can help businesses protect themselves from human error, the most common cause of data loss.
However, the UK’s data protection laws could also be bolstered to help IT managers get the buy-in from both employees and the Board to implement a robust security policy. If you compare our data protection laws with other parts of Europe, the UK is far too lenient and changes could be made to support those responsible for their business’s data protection.
For example, in many parts of Europe, the individual responsible for the data loss is culpable. So, if they have been grossly negligent or they delayed reporting the loss, the law allows them to be fined as well as the business.
The European Commission has also recently put forward proposals to strengthen data privacy laws, but as we await the details, businesses should consider implementing stricter data protection policies now. Specifically, they need to address mobile data, so they are prepared and can avoid any fines and the reputational damage an organisation suffers from data loss incidents.
It’s a case of deciding what the issues are, and realising the difference between those we cannot address, and those we can. Sometimes, waiting for legislation is the biggest risk we can take.
Norman Shaw, MD, ExactTrak, makers of Security Guardian.