The ISACA believes that UK businesses should report data loss and breaches on a quarterly basis, tying them in with the publication of information on financial performance and culminating in an annual report.

The justification for this arrangement is that it would stop individual businesses coming under the media scrutiny that would follow individual mandatory reports of data loss, if they were given out in real time. This setup would also benefit shareholders and company workers, as they could be made aware without there being a wider outcry, according to the ISACA’s Rolf von Roessing.

Mr von Roessing said that enforcing mandatory reports in the event of security breaches was definitely a step in the right direction, but creating quarterly announcements would cause less damage to the reputation of firms and would also preserve share prices in the long term.

Mr von Roessing believes that there is general support for this movement amongst business leaders from around the world and that this means a growing acceptance of the fact that data loss and security breach scandals need not lead to scapegoating and crucifixion in the eyes of the press.

The ISACA accepts that businesses and the wider public must be educated about the dangers of security breaches and data loss, but it believes that it is more important to show that businesses are able to come back from such incidents wiser and better equipped to deal with threats in the future. It says that widely criticising a business can destroy its reputation and ultimately become more damaging than the data loss itself, which is ultimately undesirable for all parties.

The debate over mandatory data loss reporting is ongoing and new opinions are being added at all times, although it looks like the UK is certainly moving towards a change in this area.

ISACA joins mandatory data loss reporting debate is a post from our Online Backup blog. Contact us today for business continuity consulting.

Software firm Kroll Ontrack carried out the survey and in 40 per cent of cases it was deemed that human error was attributable with being the main cause of data loss. This compares unfavourably with the fact that only 29 per cent of data loss is caused by the failure of computer hardware or IT systems.

The survey notes that a similar study carried out in 2005 found that only 11 per cent of data loss was as a direct result of human error, with 56 per cent the fault of hardware disasters and a spokesperson for Kroll Ontrack said that it was startled by the dramatic shift in the recently gathered statistics.

Data loss caused by viruses rose to seven per cent, up from three and external disasters that require business continuity planning were the cause of three per cent of data loss incidents, which is a two per cent increase over the findings of the 2005 study.

200 respondents from 17 international destinations across Europe, Asia and North America took part in the study and people from all sectors were considered, including hackers.

The 40 per cent human error figure does need some qualification, because it includes people who simply asserted that a human was to blame for a particular incident of data loss, while only 27 per cent of respondents could actually prove this to be the case. The only thing to conclude from this is that the reporting and investigation of data loss incidents is not always conclusive and as such many professionals are forced to make assumptions.

Protecting data and performing regular data back ups, securely is much discussed in the business world, but the statistics show that many are unsure of their responsibilities and the vulnerabilities of certain data handling policies, leading to an increase in human error. Kroll Ontrack’s Todd Johnson urges users and businesses to tackle threats head-on, enhancing training and keeping contingency plans available to help overcome the impact of serious data loss.

Top reason for data loss is human error, new study finds is a post from our Online Backup blog. Contact us today for business continuity consulting.

The MoD admitted the serious loss after Lewis PR made a request for statistics under the Freedom of Information Act. When broken down, it was revealed that 120 of the total were stolen while the greater majority were simply lost through carelessness.

Of the 340 laptops that went missing, only 25 were eventually recovered and more than 50 per cent were unencrypted, leaving the data open to exploitation. Further data losses occurred via other portable storage solutions, with 215 thumb drives, 593 optical disks, 13 smartphones and 96 hard drives also listed as lost or stolen over the same period.

Other government departments were implicated, with the Department for Work and Pensions responsible for the loss of 71 laptops and 75 smartphones, whilst the Department for Transport had recorded the loss of 39 PDAs, together with 38 laptops.

A total of 11 governmental departments contributed statistics and between them 518 laptops were recorded as lost or stolen, in addition to 932 other portable storage devices. This has cost the country nearly a million pounds.

The worrying nature of these revelations has been touched upon by numerous security experts and a number have pointed out that the government’s various departments have clearly failed to address the problems of data security and loss prevention in any appropriate manner, whilst at the same time putting national security at risk.

Many believe that the statistics show incompetence and a lack of respect for private data, with human error being the most notable contributing factor to data loss in the public sector. The lack of widespread encryption was identified as making it simple for veteran criminals to access data on lost or stolen devices.

Data breaches are known to cost businesses and organisations millions of pounds and although the material cost of the government’s losses has been calculated, it is unknown precisely how much the loss of the associated data could be worth in real terms.

MoD criticised over laptop data loss statistics is a post from our Online Backup blog. Contact us today for business continuity consulting.

Accidental data loss occurs with worrying regularity when users store sensitive information on portable storage devices and then proceed to lose them, but now malicious parties are actively looking to exploit human error in engineering security breaches, according to RSA’s Uri Rivner.

Mr Rivner identifies a general lack of awareness amongst staff, many of whom have access to data wherever they go thanks to smartphones and laptops. He says that this makes them ripe for exploitation by criminals who can get viruses and malware onto a portable device used out of the office with relative ease.

Businesses are being forced to count on technology which cannot adequately protect them from the ever evolving threats. By targeting staff with phishing and spam campaigns, criminals can slip into a system via the back door and harvest data with little chance of being detected in the short term, according to Mr Rivner.

Mr Rivner identifies the business dilemma which means that firms cannot protect themselves from such attacks because total security would mean preventing staff from accessing internal systems remotely which would have a negative impact on productivity.

It is said that a multi-tiered approach to data loss prevention and security is the only way for businesses to cope in the current climate, with employee training playing its part alongside improved data sharing and storage technology.

Mr Rivner believes that the ability to safely share data is key to combating the criminals and is something that relatively few businesses can currently claim to adequately manage. Automating security measures may help, but he says that protection must develop organically and must possess the ability to adapt in order to match the increasing sophistication of the attacks.

Over the next ten years, Mr Rivner believes that businesses will be looking to staff in order to form their security strategies, with adequate data protection only possible if the likelihood of human error is minimised.

Data breaches aim to exploit human error is a post from our Online Backup blog. Contact us today for business continuity consulting.

It has also been suggested that the ICO’s power to fine those found to have contravened the rules of the Data Protection Act sums of up to half a million pounds is far from adequate and cannot be seen as a suitable deterrent.

This latest criticism of the ICO and the legislation with which it enforces data protection standards comes from Stewart Room, a leading legal force at Field Fisher Waterhouse. Mr Room spoke out at an event, highlighting what he sees as the ineffectiveness of the ICO, with businesses simply avoiding accountability by obscuring the details of a data loss.

Mr Room said that because there was no legal mandate for businesses to notify the ICO in the event of data loss and security breaches it was unlikely that firms would choose to do so when the result could be a £500,000 fine.

Organisations have a tendency to cover up their failings in the hope that the ICO will not become aware of the incident in the future and even when their misdemeanours are revealed, the ICO cannot act upon such failure to disclose because reporting is still not a requirement.

Mr Room added his voice to the growing number of experts who believe the ICO should be able to penalise firms under an uncapped system. This could result in far more substantial fines that should prove to be a more effective mechanism by which to bring even the largest organisations in line with best practice.

Internet Service Providers (ISPs) will become the first group of businesses that are required to report data loss and security breaches to the ICO next March, but according to some observers, this change will actually make little difference because the firms claim they already contact the ICO in the event that problems are detected.

A spokesperson for the ICO said that the organisation would be looking to the government for future extensions to its powers and in the meantime would be focusing its attentions on the further education of the public in order to instil data protection best practices in the wider population.

ICO lobbied to make data loss reporting a requirement is a post from our Online Backup blog. Contact us today for business continuity consulting.

Panasonic commissioned the report and although it has an ulterior motive for inflating the figures to sell its durable range of laptops, it is an interesting and seldom analysed area of business continuity.

Analyst firm IDC concluded that it costs a business nearly £1600 to repair a laptop, recover the lost data and make up for the impact in productivity resulting from the damage. Across the UK this figure is said to total more than £2 billion annually, with damage occurring most frequently as a result of a laptop being dropped from a work surface.

Interestingly, the study points out that the calculation of costs does not encompass the impact on customer relations or the potential to lose clients because a laptop and its stored data have been taken out of action in an accident. It finds that business continuity planning, including regular laptop backup, may be able to account for such eventualities, but identifies that this too will cost firms in the long term.

More than nine and a quarter million laptops were sold to businesses over the last three years and Panasonic believes that if each one had been protected with a more rugged design then only six per cent would have been rendered inoperable after a fall. However, the current estimates of a total casualty quota of 14 per cent are significantly higher.

In a survey conducted by IDC it was discovered that hard drives and other important internal components were damaged in 50 per cent of all laptop damage incidents, although a greater deal of punishment was endured by external hardware such as displays and keyboards.

In addition to being dropped from a table or whilst being carried, laptops suffered liquid spillages in 66 per cent of cases, with human error almost always the underlying cause of the damage.

Laptop breakages causing data loss and costing businesses billions, study finds is a post from our Online Backup blog. Contact us today for business continuity consulting.

Security specialist David Ting has said that the NHS is in a good position to revive its reputation and gain public trust and claimed that legislation in the UK would make this process less complex than it might be in other developed nations. However, he identified the fact that significant risks still face the NHS and further loss of patient data will be inevitable unless changes are made.

The NHS is allegedly investing significantly in analysing the way in which it protects private data, as well as working on a number of initiatives which will see levels of security increase considerably in the coming years.

Mr Ting identifies three different categories of users against which a multi-tiered security system must be implemented. Firstly, there are those users who accidentally compromise the integrity of patient data; then those who view secure data to which they technically have access without really possessing adequate clearance; and finally any malicious parties who actively steal data.

Mr Ting believes that preventing data loss whilst tackling the effects of all three user types requires that security is implemented in a transparent manner which addresses any weaknesses without creating an overcomplicated system that only experts can use.

NHS staff need to be fully trained in the reasons behind data protection, as well as being presented with the potential ramifications of a security breach or loss in order to provide them with the motivation to handle data responsibly, according to Mr Ting.

The secure movement of data is of the utmost importance to the NHS, as several serious data loss incidents have occurred as the result of poorly handled portable storage devices. Experts believe that in the longer term the NHS will have to address the matter as to how control over data is managed in the context of staff. Mr Ting believes that fundamental changes to the system will be required before rather more elaborate and fine-grained control can be considered.

Experts advise NHS on data loss prevention is a post from our Online Backup blog. Contact us today for business continuity consulting.

74 per cent of UK staff believe that the government should be responsible for increasing general levels of data security around the country, according to a survey authored by Sourcefire and Dynamic Markets.

Since the coalition government was formed, there have been several high profile figures addressing the problem of data protection head-on, with both Deputy Prime Minister Nick Clegg and minister Baroness Pauline Neville-Jones discussing the most appropriate approach to handling public access to personal information whilst simultaneously increasing levels of security across the board.

Specialists working in IT and data security are unconvinced by the government’s current efforts, with 60 per cent expressing their dissatisfaction with the data protection projects currently in progress. 36 per cent of professionals believe that the government is using such schemes as pure publicity, with very little tangible progress made as a result.

Opinions on the matter are divided, with many believing that the policing of the internet is an unrealistic goal whilst others appear to be expecting at least some level of government intervention and protection.

Lawyer Jonathan Armstrong said that most members of the public are being misled by firms claiming to protect private information and payment details. He believes that in most cases these promises are not kept and reaffirms that when data loss or theft exposes a business, it can be extremely damaging.

Mr Armstrong believes that there is already adequate legislation in the Data Protection Act to mandate adequate data protection, but argues that there are currently few who are or appear to be willing to pursue and to police this problematic area.

Sourcefire’s Dominic Storey said that a balance between regulation and operative freedom had to be struck in order to free businesses and organisations to carry out their core activities without becoming overly entangled in administration and red tape. It would seem that a back to basics approach may be required in the short to medium term.

Report questions government involvement in fight for data security is a post from our Online Backup blog. Contact us today for business continuity consulting.

Councils in Buckinghamshire, Barnet and West Sussex have been named and shamed by the ICO after they were found to be in breach of the Data Protection Act as a result of serious data loss incidents of which the ICO was made aware.

A portable storage drive and optical media packed with data pertaining to more than 9000 children in the borough of Barnet was stolen whilst under the care of a council employee. No form of encryption was used on any of the stolen devices and it was further revealed that not even a rudimentary password had been put in place, leaving the data completely exposed.

A laptop stolen from West Sussex County Council is known to have contained private information on children, although the council has been unable to determine just how many people have been implicated in this loss. Again the laptop was not encrypted.

In Buckinghamshire, a more traditional form of data loss was suffered when documents containing details relating to two children slipped through the fingers of the local authority.

The ICO’s Sally-Anne Poole said that it was unacceptable for local authorities to fail in their duty to secure data relating to children for whom they are responsible. She said data was particularly at risk during transportation, which is a point that has been reaffirmed with the most recent spate of data loss incidents.

Ms Poole blamed inadequate training for the various incidents and said that councils would need to properly protect data at all times using the appropriate measures.

Encryption expert Chris McIntosh said that the latest data losses that occurred within the framework of local government are symptomatic of the wider issues relating to inadequate protection that puts public data at risk of loss or theft.

Mr McIntosh acknowledged the fact that portable storage devices would continue to be lost and said that simple encryption can help to minimise the impact of human error when this does occur.

Further local government data losses emerge is a post from our Online Backup blog. Contact us today for business continuity consulting.

The laptop was owned and operated by management and information organisation DairyCo and it was forcibly stolen from an employee’s car whilst it was parked away from official company premises.

The private data contained on the laptop’s hard drive has been reported to contain the identities, addresses, production quotas and landline numbers for each of the farmers who fund DairyCo via its levy system.

The theft occurred on the 9th of June and it is believed that thieves were acting purely because the opportunity to steal a laptop was presented to them, rather than in a specific attempt to steal data from DairyCo, as many other cars were targeted during the same period.

DairyCo informed the local police force of the theft as soon as it was discovered, but so far investigations into the crime have failed to result in the retrieval of the laptop and its data.

DairyCo said that it was embarrassed and humbled by the data loss and in the week after the theft it contacted every one of the 13,000 affected farmers in writing to notify them of the incident and to apologise.

It is unlikely that farmers will suffer financially after the data loss, as DairyCo has confirmed that no banking details were stored on the stolen laptop. DairyCo’s Philippa Stagg said that the organisation regrets the incident, but called on the affected farmers to remain calm.

Ms Stagg said that the data could only be valuable to firms that might be able to target the contributors to DairyCo for marketing purposes, with the likelihood of individual fraud being committed against the farmers being perceived as low.

DairyCo has said that it is looking into the policies which govern the manner in which it deals with customer data and it may make alterations in order to tighten security in the future. Some of the affected farmers have reacted angrily to the news, claiming that their businesses could be exposed as a result.

UK farmers affected by data loss is a post from our Online Backup blog. Contact us today for business continuity consulting.