Businesses concerned with data security may be overlooking some important avenues by which their data may be lost, go missing or even be stolen.
A recent investigation by the Office of the Complaints Commissioner has reported on problems with the disposal of government computer equipment holding sensitive data. Cayman-based professional services firm Deloitte, who assisted with forensic support for the Complaints Commissioner’s report, believe that this is a problem that needs to be addressed by all organisations, not just government.
‘The availability and ease of use of data recovery tools is increasing, as is the number of devices carrying sensitive data,’ said Chris Rowland, Senior Manager for Forensic Services at Deloitte.
‘As the Commissioner’s report noted, even a small USB key can carry vast quantities of sensitive information, yet can easily be lost or thrown away with little regard to the consequences.’
The costs of a public data breach for organisations can be substantial. A July 2009 Ponemon Institute study of UK-based companies identified an average cost of £60 for every customer record lost in a data breach. A similar study in the United States in January 2009 showed costs can reach as high as US $202 per customer record lost.
These costs can include conducting incident response and investigation, lost time and productivity for staff responding to or recovering from the breach, notifying customers, legal fees, regulatory fines or the associated costs of additional regulatory reporting, as well as the negative impact on the organisation’s reputation with its customers or business partners.
‘Knowing your data is really the first step to addressing this,’ said Andrew Douglas, Manager with Deloitte’s Security and Privacy Services practice.
Not all data will require protection, and this process will help prioritise which data needs to be focused on based on its volume, exposure, and sensitivity. Data handling policies and procedures, backed by training, are also important to help staff understand how to gather, use, share, and dispose of data appropriately.
Technology is also playing an increasingly important role, through tools such as data encryption, data redaction software to automatically mask sensitive data, and data loss prevention tools, which actively attempt to stop certain digital data from being copied or moved inappropriately.
Organisations also need to think about how their data is held and shared with business partners and service providers.