Data leakage time bomb for law firms?

The study investigated approaches to data security amongst SMEs and discovered that a remarkable two-thirds admitted to having ‘no active security policy’.

Security specialist and UK Accounting Standards Board member Steve Bailey commented: “This is a data leakage time bomb. Document sharing is growing fast, so it is remarkable that users are disregarding the security implications. This could be down to complacency, confusion as to where the responsibility for developing such a policy lies, or simply lack of awareness since in many organisations technology has grown organically to become part of the fabric of the business without being subject to mainstream security controls.”

Author Christopher Parr is currently legal partner at City & Westminster Corporate Finance LLP. “How many people really, honestly, totally know what is being said by their co-partners, assistants, associates, secretaries, over email? I suspect that the answer is none. Document management in many firms is likely to be haphazard, even chaotic. Back in the day, all post was seen by a partner. With the advent of email, that became impossible. This is where the problem really lies. Firms are structures made of mesh. Data pours in and out of them all day, every day. We should view ‘data breaches’ as ‘accidents’ and take a different approach to their management, control and attempted eradication.”

While businesses told the researchers that they are concerned about user behaviour and security, many respondents either have no IT policy in place or do not enforce it across their firm.

Boldon James CEO Martin Sugden, who sponsored the study, said: “Banning data sharing is not the solution – that’s both impractical and undesirable. In fact refusing to share data is inefficient and potentially dangerous. What’s important is striking the balance between the need to protect information and the need to share it.”

The survey concludes that clearly identifying sensitive information with a classification (protective marking) solution makes it easier to ensure that access controls connect the right users to the right data. Yet the study discovered that 69% of respondents are not yet marking any of their data.

Martin Sugden: “Protective marking helps to raise awareness of the existence of sensitive information within the workplace and can provide guidance on its handling. Many government agencies use protective marking to minimise inadvertent disclosure of confidential information. Commercial organisations employ protective marking to control, for example, intellectual property or customer data.”

And Steve Bailey warns that firms storing sensitive or confidential data “should always ensure that its users understand their responsibilities for the safe handling of that information. Otherwise we’ll have more examples such as the Police email that, according to the Information Commissioner’s Office (ICO) ‘contained 863 pieces of personal information’. Police accidentally sent the email containing the results of 10,000 checks with the Criminal Records Bureau (CRB) to a reporter when a staff member copied the wrong person into a message.”