Why are organisations failing to learn from the increasing numbers of highly publicised data security breaches that cause so much damage to company reputations?
With an ever increasing number of individuals working outside the office environment, there are continuing failures to provide a suitably secure vehicle for people to do what they need to do while at the same time ensuring that the critical information they use is properly protected.
In 2008 alone, and it's increasing year on year, there were over 277 separate incidents of public data loss reported in the UK. More than 29 million personal records were reported lost by Government departments, including:
- 8,000 children's records stored on a laptop taken from a council contractor's car
- 18,000 NHS staff records were 'lost in the post' when unencrypted CDs were sent by normal surface mail between offices
- 150,000 railway workers' pension and other personal details held on a laptop stolen from the handbag of a financial auditor
- 1.7 million armed forces personnel had their personal data go missing when a portable hard drive disappeared from the Ministry of Defence's main IT contractor
A survey of 250 senior IT staff in private businesses larger than 1,000 employees found that 79% of UK businesses were losing data at least once a month, and more than a quarter suffered data loss on a weekly or more frequent basis:
- 1,000 bank customer records were lost by an employee who mislaid an unencrypted memory stick
- 1 million more bank customer records held by an archival firm turned up on a second-hand laptop sold through eBay
- A well-known national retail company lost 26,000 employee records when a laptop was stolen from the home of a personnel contractor
In the present climate, the national press keeps a close lookout for this type of incident; a company may see its hard-earned professional reputation lost almost overnight. Added to this, there is the potential fiscal impact of a data security breach. A 2008 Ponemon Institute benchmark study examined the costs incurred by thirty UK organisations after experiencing a data breach. Breaches included in the survey ranged from less than 4,100 records to more than 92,000 records, from 10 different industry sectors. The key findings included:
- The total average cost of a data breach is around £60 per record compromised, an increase of 28 percent since 2007 (£47 per record).
- The average total cost per reporting company was more than £1.73 million per breach and ranged from £160,000 to over £4.8 million.
- The cost of lost business continued to be the most costly effect of a breach, averaging £920,000 or £32 per record compromised (58% of the cost of data breach).
- The survey shows that lost or stolen laptops represent 28 percent of the breaches identified, with a cost per record of £71 against £55 for other data breach incidents.
The issues of remote data access and secure data transfer are really not difficult to solve. However, you have to do more than just set up a VPN, give staff a token and an encrypted USB memory stick and hope everything will be OK. Companies must engage with organisations that do more than sell a product - it's important to look at the workflow elements that constitute an individual's remote working needs and then implement a solution based on these requirements.
Companies should consider highly secure solutions that address these issues. Among the products available are:
- A secure remote access solution that keeps the data in the organisation while allowing the remote user to work as if they were in the office. With no data cached on the remote device, its loss or theft is simply a minor inconvenience and not the next front-page news article.
- A data transfer product that allows an organisation to securely send files of any type or size between individuals or organisations while retaining full audit and organisation control with built-in workflow. This product eliminates the need for USB memory sticks or CDs sent via post, courier or (worse still) e-mail.
- Online Cloud-based products and services where local staff and external partners can share, communicate and collaborate in a safe, secure and stable environment.
If a company gives data security the consideration it deserves, these losses can be prevented and people can work as they need to without having to resort to bad practice. Who, after all, wants to be the next big data security breach story?
What sparked off this post is the article spotted on e-Health Insider that stated that East Cheshire NHS Trust had opted to keep its existing PAS IT system and pay for a hardware upgrade, rather than implement the Local Service Provider (LSP) offering of iSoft Lorenzo (i). This in itself wouldn’t be too out of the ordinary were it not for the fact that the Trust did so despite a £1 million incentive to take the LSP system!
Among the reasons cited for this decision were that the quality of the product was not of a sufficiently high standard and that some key functions, such as clinical coding and casenote tracking, could not be demonstrated.
Thankfully, this Trust had the good sense to decline an unfinished product that (according to the report by the Public Accounts Committee) (ii) as yet isn’t running live “throughout a single Acute Trust”. Unfortunately, this pragmatic approach is all too often not the case and vapourware is still alive and kicking – even in large government projects!
Our own experience includes attending product “demonstrations” comprising nothing more than a snappy PowerPoint presentation of screenshots, with assurances that “everything will be fine” when the product is implemented by the project team. These demonstrations were not being conducted by small 'fly-by-night' companies but were from large organisations presenting projects that would cover entire regions, costing many hundreds of thousands of pounds. It’s all too easy for end-users to be taken in by the promises made by a slick sales-guy or overwhelmed by the “functionality” shown in the presentation.
Customers need to make sure that what is being demonstrated is what they actually need to fulfil their requirements – the finished product, delivered for the demonstration in the same way that it’s delivered for the live system with all relevant modules working. Suppliers need to be more ready to make a test system available to potential customers, even if it lacks the local tailoring for a specific site. If a supplier is unable to do this, they clearly don’t yet have a product to sell!
With careful planning and a supplier that is willing to work alongside their customers, projects can be implemented that work and deliver the benefits in accordance with the project timelines – surely a win-win situation for both customer and supplier!
With this approach, vapourware can be consigned to history (after all, it was never really there to begin with)!
(i) Trust rejects £1m Lorenzo incentive: http://www.e-health-insider.com/news/5079/trust_rejects_%C2%A31m_lorenzo_incentive
(ii) The National Programme for IT in the NHS: Progress since 2006 - Public Accounts Committee: http://www.publications.parliament.uk/pa/cm200809/cmselect/cmpubacc/153/15304.htm
According to a recent research paper commissioned by Microsoft, it would appear that while large corporate companies are shying away from the Cloud because of concerns over security, small and medium businesses (SMBs) are adopting Cloud technologies because of security improvements.
The research, which was conducted by comScore in the US and Asia, found that 35% of companies have seen a benefit from better security. A third of companies which had adopted the Cloud said they now spend less time managing security, and 20% of companies had reduced their security spend since moving to the Cloud.
Many companies, large and small, still want to see some improvements in Cloud security or an adoption of a standard set of security principles, but for those who have already moved, the evidence is becoming clearer that security is becoming less of a barrier to adoption of Cloud services and there are significant money- and time-saving opportunities for SMBs who make this change.
With the reduced costs, potential time savings and an improved ability to work from anywhere with better flexibility, any company that fails to look at these benefits could find itself left behind with increased overheads while its competitors find new agility and can be more competitive in today's tough markets.
- Microsoft Office Professional
- Adobe Acrobat
- Anti-Virus Protection
- Firewall Protection
- CD Burning Software
- TOTAL COST = £600.00+
- Zip Genius
- Comodo Internet Security
- CD BurnerXP
- TOTAL COST = £0.00 (nothing, free, nought, nil, zilch...)
- Inkscape - An Open Source vector graphics editor, with capabilities similar to Illustrator, CorelDraw, or Xara X, using the W3C standard Scalable Vector Graphics (SVG) file format.
- ImgBurn - ImgBurn is a lightweight CD / DVD / HD DVD / Blu-ray burning application that everyone should have in their toolkit!
- KeePass - KeePass is a free open source password manager, which helps you to manage your passwords in a secure way.
- Thunderbird - Thunderbird is a free email application that's easy to set up and customize - and it's loaded with great features!
- GIMP - GIMP is the GNU Image Manipulation Program. It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
- FileZilla - The open source free FTP Client solution.