The Information Commissioner’s Office, the watchdog which threatens to gnash its teeth at public and private sector organisations that are leakier than a sieve, has released a report claiming the general public are at risk of becoming a ‘soft touch’ for web fraudsters.
The report claimed that, after the ICO got its hands on 200 hard drives, 20 memory sticks and 10 mobile phones – simply by buying them online or at trade fairs – it found over 34,000 files containing personal or business data still sitting on the storage devices.
According to TechWeekEurope, some of the uncovered details included sensitive health and financial information. Two thirds of the hard drives were holding enough personal details to make identity theft a doddle.
“Many people will presume that pressing the delete button on a computer file means that it is gone forever,” The Information Commissioner, Christopher Graham, told TechWeekEurope. “However, this information can be easily recovered.”
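The Commissioner's point can be shown in a few lines. The following is an added illustration, not code from the article, the ICO or TechEye: a toy block device in Python whose "delete" only frees the allocation-table entry, exactly as most real filesystems do, so a raw scan of the medium still finds the record until the blocks are overwritten. The record text and file name are constructed sample values.

```python
# Added example (not from the article): a simulated storage device showing why
# pressing "delete" leaves data recoverable, and what an overwrite changes.
BLOCK = 16  # bytes per block; small so the whole device is easy to inspect


class ToyDisk:
    """Flat byte array plus an allocation table, like a minimal FAT volume.
    Files are written into contiguous free blocks for simplicity."""

    def __init__(self, blocks=8):
        self.raw = bytearray(BLOCK * blocks)   # the physical medium
        self.free = list(range(blocks))        # block numbers not in use
        self.table = {}                        # file name -> block numbers

    def write(self, name, data):
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in chunks]
        for b, chunk in zip(blocks, chunks):
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.table[name] = blocks

    def delete(self, name):
        """Ordinary delete: forget the table entry, leave the bytes alone."""
        self.free.extend(self.table.pop(name))

    def secure_delete(self, name):
        """Sanitising delete: overwrite the file's blocks, then free them."""
        for b in self.table[name]:
            self.raw[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
        self.delete(name)

    def carve(self, marker):
        """What a recovery tool does: ignore the table, scan the raw medium."""
        return bytes(self.raw).find(marker) != -1


def recoverable_after(secure):
    """Write a constructed record, delete it one way or the other, then see
    whether a raw scan of the medium still finds it."""
    disk = ToyDisk()
    disk.write("health.txt", b"PATIENT-RECORD constructed sample data")
    if secure:
        disk.secure_delete("health.txt")
    else:
        disk.delete("health.txt")
    return disk.carve(b"PATIENT-RECORD")
```

`recoverable_after(False)` returns True and `recoverable_after(True)` returns False; on a real drive the same gap is why disposal guidance calls for overwriting or encrypting the medium rather than trusting the delete key.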
With the staggering number of headlines – worldwide – about losing important data in sensitive sectors, it is frankly frustrating that such a lax approach to what boils down to personally identifiable information is pervasive. Although the ICO’s report focuses more on the consumer, there is no secret about human folly leading to data disasters at organisations in both the public and private sectors.
Ollie Hart, head of public sector at security company Sophos, agrees. But it is not a simple problem to tackle. According to Hart, there must be a fine balance between the carrot and the stick. “There’s the overriding thing that it’s frustrating and probably disappointing that there is yet another example of people not paying 100 percent attention to where their data sits,” Hart said, speaking with TechEye. “There is an obligation to know where data is.”
That balance, Hart said, correlates with what Sophos is up to. The company recently released a survey, in conjunction with Sustainable Gov, which found that just five percent of UK IT managers in the public sector act on data security – because of the threat of ICO fines. “We, as the industry, have to do more about helping the education – we have to be preemptive rather than reactive,” Hart said. By the time the data is out there, it’s too late: it’s a “recovery job”.
If five percent are reacting because they understand the actual threats to data, that means a staggering 95 percent are not too worried. “It just keeps shouting that we HAVE to do a better job of educating – even through the system, educating students as they come through school,” Hart said.
The ICO also revealed 65 percent of people it surveyed pass on their old phones, computers, and laptops to another user. One in five would sell their devices on, but that figure rose to 31 percent among 18-24 year olds. As Sophos’ Hart pointed out: “If you look at the 18 to 24 category, these guys were in school potentially two years ago – and that’s part of our battle, we have to educate as well as protect and react”.
How, exactly, is the ICO doing in reacting to data breaches? Hart said that the ICO is in a difficult position because its powers are already set. In terms of punishment, it depends on the kind of organisation in question: if a $500,000 fine is levied on a financial institution, the impact will be minimal, but if an SME is pressed for that sort of punishment, it is going to be wiped out. “There’s a precaution discussion they have to do,” Hart said.
Security specialist ViaSat UK submitted a freedom of information request to the ICO. The results revealed that, between 22 March 2011 and 17 February 2012, there were a total of 730 self-reported data breaches. Just over half were yet to be resolved. Of those resolved, only 32 resulted in ICO undertakings, and only six resulted in monetary penalties – just 0.8 percent of all reported breaches, or around two percent of those resolved.
“It is wholly disconcerting that those data breaches which should be easily avoidable are now the most commonplace,” said ViaSat UK CEO Chris McIntosh. “While the message on data protection may be getting through to the heads of organisations, there is no point in having these measures in place if workers don’t follow them.”
McIntosh said that at the moment, the private sector is not feeling the pressure like the public sector. “The ICO needs to be sure that the private sector, like the public, is aware of all its breaches and undertaking audits and training,” he said. “If this means making such actions compulsory and backing them up with substantial penalties, so be it,” he concluded, seemingly favouring the stick over the carrot.
A spokesperson for ViaSat UK told TechEye the company agreed with the ICO that more needs to be done to get the message through to people about thinking about how they handle their data.