Tuesday, 17 March 2015

One Direction for Data Security



Data security is an ever-expanding nightmare. You are liable. Yes, you. For everything. Or rather you are if you are the nominated data controller for your company. Soon there will also be a defined board responsibility too. We are months away from someone getting thrown in the clink because Mavis in accounts thought she was checking her Twitter account and ended up posting the database to North Korea by mistake.

Do you remember the good old-fashioned western? The sort of film where the sheriff, in an effort to clean up his town, made all the cowboys leave their guns at the jailhouse. Our offices will be like that one day... mobile phones left in lockers until the end of the day... rather like school. Because a smartphone is a data breach waiting to happen, and companies will only want their staff using company-owned (and regulated/controlled) kit on the Wi-Fi.

Which will drive their employees mad, and cause them to break the rules and sneak their beloved phones in anyway. It is all a recipe for disaster, not to mention dissatisfaction and angst.

However, we need to remember why this is all such a concern, and then apply it to all areas of the IT minefield, including asset disposal at end of life. It’s all about the data, and the harm that can be done if that data falls into the wrong hands. It could be data about you and me as consumers, as patients or pupils. It could be bank details, and therefore access to our worldly goods, or it could be medical records, criminal records, confidential information we would not like anyone else to see. In law, this data is enshrined and protected, so the person who loses it, or negligently lets it get lost, is liable to do twenty years in Pentonville.

But oh how blasé we all are about data! Come on, admit it, you know it’s true. I am a salesman and have been for over thirty years. I have been adding information to databases throughout that time I suppose, starting with a pen and a Rolodex and ending up with salesforce.com and all manner of other CRM systems. So I know what it is like, and although I no doubt tried to enter the right information at the time, we all know there is a lot of garbage in there. And of course if it isn’t all used on a regular basis, even good information turns to garbage. B2B data decays at the rate of about 30% a year, as companies close, move or merge, and people leave. And yet, lose that pile of old misspelt names and bounce-back email addresses and you will feel the long arm of the law on your shoulder in next to no time.

I suspect that the latest plans to make a director of any company or organisation directly responsible for data security will wake a few people up. I have been a director of a limited company, and signed all the forms for Companies House, and I remember reading through the responsibilities. It was hard not to take them seriously. I sincerely hope that will be the case.

Because the current situation really is a bit of a worry. The penalties are there and the regulations are there but there is a lack of understanding and appreciation not only of the risks but of the solutions. We start with subject knowledge at ground zero, so there really is only one direction to go and that is up!

We need to educate. I know it is a fairly dry subject but just think about it. Do you search your staff when they leave the building for a USB memory stick? Do you make sure every printer has its memory dealt with when you get rid of it? What do you do with the company mobile phone handsets when you upgrade? It’s not just all about computers and hard drives anymore.

We are going to have to change. Data has got bigger but you can now steal it on a stick which you can hide in the smallest of orifices. You can attach a file to an email and post it out. Or you can let that nice man take those 5 broken desktops and find your database on eBay the next day.