IT Strategy: Government departments face heavy fines for serious data breaches

The sobering fact is that, despite what technology vendors promise us, in the real world there is no such thing as IT security – only levels of insecurity. A particularly good – albeit somewhat Zen-like – description of the implicit contradiction that is IT security was inverted by British hacker Mathew Bevan, who was arrested in 1996 for hacking into top-secret US computer networks. He said at the time that he believes computer security is a “journey and not an arrival”. He is still right.

Embarrassingly for the US military, while looking for evidence on UFOs, the then 21-year-old Bevan was armed with only a home computer and a cobbled-together program called Roxbox when he broke into American Air Force computers. Companies may seek to console themselves by noting that computer security has been revolutionised in the past decade and a half. But the nature of the threat is evolving at least as quickly as our ability to fight it. Today’s hackers are not, in the main, nerds looking for little green men. International, well-organised crime groups have enthusiastically embraced hacking and these criminals are infinitely better trained and equipped than Bevan or any of the amateur hackers of old.

The real and present danger has been recently highlighted by a new wave of hack attacks that have punched holes in corporate and outsourced information systems. One information security outfit, NetWitness, warned that as many as 2,400 hacker attacks have targeted global companies and government agencies over the past 18 months.

The impact of these hacker attacks for corporates can be potentially devastating in terms of both data loss and reputational damage. And there is now a fresh legal angle. The UK Information Commissioner’s Office (ICO) now has extended powers that allow it to issue government departments fines of up to £500,000 for serious data breaches; in the past it was only allowed to administer a slap on the wrist. These powers also give Britain’s data watchdog the authority to undertake compulsory audits in central government departments where breaches may have occurred. And there is growing pressure to extend the ICO’s audit remit further to include the private sector.

As with so many technical problems, the actions that can best minimise the dangers should not focus on technology alone. Indeed, to lock up IT security in the corporate IT department silo could be a catastrophic error.

While the importance of physical security and technological barriers such as firewalls and intrusion prevention systems cannot be understated, very often the danger comes from enemies within: company insiders acting for a variety of motives including personal gain, or dissatisfaction with their employers.

So establishing effective security controls must include a focus on people and processes. For IT security to have any hope of working, in addition to IT managers, companies must get buy-in from across the organisation including risk managers, legal departments, compliance officers, internal auditors, procurement staff and facilities management teams. The threats are evolving and changing at alarming speeds and the countermeasures need to keep up.

Companies must also realise that outsourcing technology functions to third-party partners will not usually outsource liability in the event of a data breach or system outage, insurance broker Lockton warns. It stresses that any legal and regulatory liability arising from a data raid by cybercriminals primarily remains with the data owner and urges businesses to include strong indemnity and insurance for data risks in vendor contracts.

Ignoring this advice could be extremely costly. The ICO’s new report, The Privacy Dividend, urges organisations to not think about data loss in the abstract, but to actually put a value in terms of cold, hard cash on personal information and invest in privacy protection. It should be compulsory reading.

Robert Jaques is a leading commentator on technology issues