Security: At What Cost?

Companies could soon be charged up to £500,000 for failing to safeguard against personal data security breaches. Under soon-to-be granted powers, the Information Commissioner’s Office (ICO) will be able to impose hefty fines on firms that fail to adequately implement robust security measures. Taking effect as of 6 April 2010, the measures will prompt organisations to consider more seriously the consequences of failing to implement compliance procedures to secure the data they hold.

When serving penalties, the ICO will consider the circumstances, including the seriousness of the data breach, likelihood of substantial damage and distress to individuals, whether the breach was deliberate or negligent, and what reasonable steps the organisation has taken to prevent such incidences. The benchmark from which any shortfall will be viewed is the Data Protection Act, which aims to strike a balance between the rights of individuals and the interests of those with legitimate reasons for using personal information. Although the maximum fine threshold stands at £500,000, according to the ICO, the Commissioner will take into account an organisation’s financial resources, sector, size and the severity of the data breach, to ensure that undue financial hardship is not imposed on an organisation.

Potential Penalties

Although other regulatory bodies, such as the Financial Services Authority (FSA), have issued penalties well in excess of £500,000, prior to the introduction of the impending powers, the ICO has been unable to levy financial punishments against organisations that fail to adhere to the Data Protection Act. These penalties should be seen as a catalyst to improve data security and protect against the serious disruption that such breaches cause, both for businesses and individuals alike. However, for the penalties to be successful in reducing data breaches and their impact, organisations must first be mindful of situations that could allow for such incidents to take place.

One of the most easily exploited data security risk is remote working. The ability to work remotely, away from central systems, is a significant benefit of the increasing sophistication of IT networks and allows companies a greater degree of flexibility. One key advantage of remote working is cost savings, both from freeing up office space and reducing the time and money spent by workers travelling to a central location. Another key driver is increased productivity from a more motivated team. Recent research from the Cochrane Library highlighted that employees who are able to choose their own working hours enjoy better physical and mental health.

Additionally, remote working can support business continuity in times of unavoidable disruption. One recent example that garnered significant media coverage was the chaos caused by the extreme winter weather conditions earlier this year. According to a Federation of Small Businesses and ICM report, 40% of organisations saw a disruption to operations due to snow-covered roads and a mere 42% had flexible working policies in place to ensure business continuity. If businesses were primed to implement remote working strategies, disruption would have been kept to a minimum and output would have remained largely unaffected.

Yet despite obvious benefits, remote working raises questions about the security of data being accessed and transferred and of the integrity of IT systems in general. Both parties need to be confident that they are communicating with each other securely and safely. In recent years, a number of high profile cases where data losses have been exposed – including the loss of millions of child benefit records and sensitive security dossiers by Ministry of Defence staff – have shed light on how vulnerable personal data is to breaches, caused either by human error or a systems failure. Cases of memory sticks, discs and documents being lost after physically being taken away from office premises are all too common. Moreover, data transfer between a remote worker and a central IT hub is often of a highly sensitive nature and both parties need to be certain that they are communicating with each other securely.

Taking Steps

Although for many organisations, updating and future-proofing IT security against increasingly sophisticated threats may seem like a daunting task, an advanced level of control can actually be implemented very easily, is simple to enforce and can avoid embarrassments and legal liabilities. One solution that has already been successfully deployed in the financial sector, and is also of relevance when verifying remote workers, is two-factor authentication (2FA).

2FA is a security measure based on something a user knows, such as a password, and something they possess which is hard to counterfeit or steal. If a remote worker wishes to gain access to a shared server or file using 2FA, they would be required to input a unique, randomly-generated, one-time password (OTP). Unlike traditional security measures, with 2FA, the OTP would be transmitted via a different medium to the one being used to access the system – a good example would be a password being sent as an SMS message to a mobile phone.

Using a mobile phone in 2FA is becoming increasingly popular and has many advantages, primarily that the technology is familiar to most users and the prevalence of mobile phones in everyday life means the user’s phone is nearly always to hand. Another key advantage is that no additional hardware needs to be purchased or deployed, reducing both the cost of 2FA implementation and also its environmental impact. In addition, 2FA expands upon the password-protected protocol that has become commonplace in IT security, without making the issue more complex for users.

Cost Considerations

If the potential to incur a £500,000 fine for security breaches isn’t enough motivation for companies to take every preventative measure possible, further cost implications must surely add fuel to the fire. A 2009 study carried out by the Ponemon Institute discovered that UK public organisations faced, on average, costs of £59 per individual lost record, while the cost for commercial groups stood at £69. The breaches studied for the report generated total loss figures ranging from £365,000 to £3.92m, with the main contributor being lost business due to reduced consumer trust.

During the current period of economic instability, expenditure is at the forefront of all businesses’ thinking, so when income streams aren’t guaranteed, seeking to reduce outgoings is a natural consequence. However, with a £500,000 fine lurking behind every security decision, squeezing on security spend is counterintuitive. Prior to the recession, organisations would seek a solution to match their budget whereas now, spending time investigating the most cost-effective options is commonplace.

For organisations looking to implement 2FA, there are now more options available than ever before. As 2FA becomes more widespread, the number of companies offering the solution has increased, leading to a more competitive marketplace and cheaper prices for the end-user. As 2FA can be delivered without additional tools or hardware, relies on technology the user is likely to possess (for example a mobile phone) and features web-based administration, operating costs are kept to a minimum. With 2FA, companies can reap the rewards of utilising remote workers without the burden of potential security and safety breaches.

2FA can also be implemented in other ways throughout an organisation and can enhance the security of back office activity and online purchases. The rise of e-commerce and mass storage of customers’ personal data has made retail systems a target for online fraud. The integrity of 2FA gives organisations reassurance that preventative measures are being taken. Furthermore, deploying 2FA can also demonstrate to the ICO that an organisation is taking positive steps towards safeguarding any sensitive data that they may hold, either centrally or remotely, and avoid a fine in the process.


Related reading