When it comes to the issue of securing their confidential information, many people look at the cost. Perhaps what they should be focusing on, however, is what it may cost them if they do not take steps to protect this information.
According to the Department of Trade and Industry's (DTI) annual Information Security Breaches Survey, the average cost of a security breach is £30,000, with several companies reporting incidents costing over £500,000. The survey also found that while three-quarters of UK businesses said that their company had sensitive or confidential information, only one-quarter of these companies had a security program in place to protect it. * (UC PLC Reamed Online, John Leyden, The Register)
The truth of the matter is that every organisation has information that is confidential in nature and would be of interest to others. This can involve proprietary research and design elements, key technologies, manufacturing methods and processes, marketing information, plans and forecasts, or personnel information, including employees' employment or financial histories, Social Insurance Numbers, marital status, etc. All of this information could cause considerable damage if it were to fall into the wrong hands.
Stories of confidential documents turning up on landfill sites and making the newspaper headlines should be warning enough, but now such incidents could be the subject of prosecution under The 1998 Data Protection Act. With the introduction of this Act, the issue of information security has come to the forefront, highlighting the importance of ensuring the security and confidentiality of personal information. Effective March 1, 2000, all organisations must have a framework in place to guarantee the security of all personal data from its collection to its destruction. In fact, businesses without adequate data control systems in place to meet the requirements of the Act could face fines of up to £5000.
Information security is about safeguarding your business' money, image, and reputation - perhaps its very existence. The consequences of security breaches can be disastrous, but they are avoidable. To ensure compliance with the Data Protection Act, all organisations must appoint a Data Controller who will be required to notify the Office of the Data Protection Registrar of the security measures taken to protect personal information. They must implement these procedures to minimise risks, adopt good management practices and educate employees about their responsibilities.
It is not only essential to protect confidential information while it is still in use but, according to one of the key principles of the Act, it is also important to ensure businesses are not keeping data for longer than is necessary for its intended purpose. To assist companies in ensuring they are compliant with the Act, the British Security Industry Association produced a fact sheet on secure information disposal, highlighting the fact that confidential data should be disposed of in a secure manner using a professional data destruction company.
As we move to a society and economy based on information and knowledge, every business and public organisation will need to respond to the challenges involved in handling data. By developing and implementing security policies and procedures, using appropriate safeguards, and making employees aware of the importance of maintaining the security and confidentiality of personal data, organisations will help reduce losses of all types, as well as ensuring that the reputation of their business remains untarnished.