Physically protecting data - the forgotten IT security problem?

Firewalls, encryption and passwords are all important - but what about the physical side of IT security? asks Jane Frost

THE INNOVATIVE COLLECTION and use of data is developing rapidly and has the potential to be highly beneficial, helping businesses to better understand their markets, identify where to make savings and ultimately grow their client base. However, approaches to data privacy and security are not keeping pace, creating “regulatory holes” and ethical grey areas.

For accountants, dealing with highly sensitive commercial data like payroll, forecasting and financial planning is part of the day job. Often this information is stored electronically, within a computer network or on removable media such as CDs. Accountants act as trusted advisers to clients, or as stewards for their business, and are relied upon to take care of commercial information. This means it is essential to have a well-considered data security policy in place.

Failing to take data security seriously runs the risk of being on the receiving end of heavy financial losses in the form of fines not to mention severely jeopardising your relationships and broader reputation. Maintaining an appropriate treatment of data is key – it shouldn’t just be a priority when a data protection breach occurs but should be embedded within a company’s risk strategy.

Accountants move around more than other professions because of the nature of their work, often having to store databases or audit files on laptops or memory sticks when travelling to meetings or moving between offices. Although this helps to increase efficiency and allows flexibility, it also means there is a greater risk of data being compromised. If it’s easy to carry, it’s easy to lose – and for some reason, we seem to take better care of vast numbers of paper files than we do of a memory stick. It’s not uncommon to hear of instances when devices with important, personal information are left on trains, barstools or thrown away in rubbish bins.

Ethics and data: entwined

Most companies already have data security measures in place which are in line with the Data Protection Act; however, simply having a policy in place is not enough to stop security breaches from happening.

Use of data has evolved so fast that policies and legislation can’t keep up. Good data security isn’t just reliant on strict internal guidelines with regards to the handling of data; it needs to be communicated to employees through training to help data protection become embedded within the firm’s DNA. Organisations are dynamic, so they need to consider data loss as part of their ethical behaviour standards. It is clear that firms need to do more than just tick legal boxes if they want to avoid data security breaches and the reputational damage which comes with them.

Putting data security firmly on your agenda is even more important now that digital devices are growing in popularity – a survey before Christmas showed that 60% of the UK population now own a smartphone and 20% a tablet. This means that individuals’ own devices are increasingly being used to access and store corporate information, as well as the individuals’ own information – a trend commonly known as ‘bring your own device’ (BYOD).

An important question to consider is which personal data can be processed on a personal device owned by an employee and which must be held in a more restrictive environment. Another potential data risk is that the employer will end up processing non-corporate information about the owner of the device and possibly others who use it, for example family members. Having measures in place to address these concerns will ensure users connecting their own devices to IT systems clearly understand their responsibilities. An important component of any policy is audit and ongoing monitoring of compliance. This means that regular checks are essential to ensure that the policy is being adhered to.

But where does the responsibility lie to manage these policies? Is the issue of data now too important to be left solely to IT or security?

A static charge

Data protection policies were designed when databases were static affairs and means of accessing them were quite limited. Managing them was the responsibility of IT or legal teams who were fully aware how to protect the rights of the individual and abide by the Data Protection Act. That is now a thing of the past and data is used and relied upon by various teams within a business – marketing and sales teams, for example, have a key interaction with data.

This means that to ensure data use continues to be beneficial, there needs to be a clear strategy and set of guidelines across the whole business for everyone who is given access to customers’ personal data – from the IT department to the marketing department. This will ensure a joined-up approach and that rules of compliance are being followed at all stages. Ethical business is good business.

Jane Frost CBE is chief executive officer of the Market Research Society