|
Jun 13
2011
|
Tweet
Organisations today are challenged by the issue of data loss, which encompasses every piece of stored data ranging from confidential information about a customer to sensitive intellectual property. Over the last year, the UK Data Protection Commissioner has begun to implement tougher fines on organisations that do not take a measured, effective and pro-active approach in dealing with data protection, and ensuring data is not lost or leaked outside of an organisation’s control.
Many Irish businesses, however, still appear to have no data protection controls in place, despite all of the warnings about the impact of data loss. In light of this, at Origina, we recently carried out a survey in conjunction with independent research company, Pan Research, to discover the level of understanding organisations have about the data they store, including compliance and security issues.
The findings were significant, as a large number of Irish organisations admitted to lacking overall control of their core business data. The results of the survey showed that 30% of the organisations have no data protection controls in place, meaning that anyone within the business can freely copy any data held and transfer it outside the security perimeter. The repercussions of this can cause major problems for both Irish public and private sector organisations, as a number of recent high-profile cases have proved. Be it accidental or deliberate, data loss can happen at any time. If organisations lose sensitive data or intellectual property, it could seriously damage their reputation and ability to carry out normal business activities.
The threats are not just from external hackers using malware trying to get into an organisation, but also from disgruntled employees or basic human error. In the US, it was recently found that 59% of employees had reported taking company data when they left their employment. The financial cost of a security breach can be detrimental to an organisation. It was therefore extremely surprising to discover that only 11% of Irish respondents had employed a proactive data protection solution, which controls who has access to sensitive data, how it can be accessed and transmitted. Many organisations still use a reactive model whereby portable storage devices are locked down or access control security is put in place. A data controller’s legal responsibility according to the office of the Data Protection Commissioner is to “keep it [personal data] safe and secure.” High standards of security are imperative for keeping data and these standards are expected of all data controllers.
Security concerns about data storage services remain high among many organisations with 62% of organisations admitting it is a primary issue for them. This is not surprising with the continued growth in stored data and the new industry ‘cloud’ based storage offerings.
According to the Data Protection (Amendment) Act 2003, the responsibility for ensuring the security of data is on the data controllers who must take the appropriate preventative steps. It states a data controller shall comply with the following provisions to prevent ‘unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.’
• do they announce it to the public?
• do they send out a press release?
• do they tell the Data Protection Commissioner? or;
• do they only tell the parties involved?
The organisation then needs to know if they have the capabilities to carry out the internal forensics to examine the problem of how the data was breached or do they need to get an external team in.
What most organisations do not realise is that a large percentage of data breaches are not malicious. A non-malicious example of a common data breach happens when hardworking employees decide to work from home. Typically, they send their work home via a personal email address that is external to the organisation’s IT system. It is then outside of the organisation’s control.
Over 37% of organisations did not seem to have a clear directive as to how long data should be retained within their organisation. With Irish and international data protection laws in place, this lack of understanding could lead to serious compliance and governance issues. According to the Data Protection Commissioner, an organisation’s legal responsibility as a data controller is to “retain it [data] no longer than is necessary for the specified purpose or purposes.”
However, to err on the side of caution, many companies store all of their data online indefinitely — including duplications — and this can be a very costly process.
According to industry average, approximately 80% of stored data is more than 30 days old, yet organisations continue to store this on the most expensive disk within the IT infrastructure. Some of this data may still have a value to the business, for example: it might be patient records, contracts, and/or historical financial data. However, it is also possible that a large percentage has no value to the business at all.
This policy of storing data indefinitely can introduce a number of problems including a never-ending demand for more storage, lengthy backup procedures, a higher risk of litigation, and wasted time trying to discover and track down data. It is safe to say that those organisations who responded stating that over 50% of their IT budget is spent on managing storage are experiencing some if not all of these issues today.
Having a sound data management strategy that manages data from inception to disposal is key for organisations who want to minimise both costs and risk. They need to look closely at proactive data archiving and profiling solutions to effectively manage storage growth and ensure compliance, while reducing storage costs. In accordance with the Data Protection Commissioner, every data controller should be able to answer yes to the following questions:
• Is there a defined policy on retention periods for all items of personal data kept?
• Are there clerical and computer procedures in place to implement such a policy?
• Is information about old customers routinely purged from our systems?
If a data controller answers no to any of the above they need to re-examine how they store and manage their data.
Personal storage is also an area that can give rise to serious legal risks. This is proving to be one of the most challenging areas for organisations to manage, as there is no insight or control over the content contained within these files. When workers use PCs, laptops or mobile devices for personal purposes, not only is productivity reduced, but computers are also exposed to malware, phishing and other attacks that potentially compromise data.
To read the full report please click here!
Rowan O’Donoghue, Director of innovation and development at Origina, examines the level of understanding Irish organisations have about the data they store
Organisations today are challenged by the issue of data loss, which encompasses every piece of stored data ranging from confidential information about a customer to sensitive intellectual property. Over the last year, the UK Data Protection Commissioner has begun to implement tougher fines on organisations that do not take a measured, effective and pro-active approach in dealing with data protection, and ensuring data is not lost or leaked outside of an organisation’s control.
Many Irish businesses, however, still appear to have no data protection controls in place, despite all of the warnings about the impact of data loss. In light of this, at Origina, we recently carried out a survey in conjunction with independent research company, Pan Research, to discover the level of understanding organisations have about the data they store, including compliance and security issues.
The findings were significant, as a large number of Irish organisations admitted to lacking overall control of their core business data. The results of the survey showed that 30% of the organisations have no data protection controls in place, meaning that anyone within the business can freely copy any data held and transfer it outside the security perimeter. The repercussions of this can cause major problems for both Irish public and private sector organisations, as a number of recent high-profile cases have proved. Be it accidental or deliberate, data loss can happen at any time. If organisations lose sensitive data or intellectual property, it could seriously damage their reputation and ability to carry out normal business activities.
The threats are not just from external hackers using malware trying to get into an organisation, but also from disgruntled employees or basic human error. In the US, it was recently found that 59% of employees had reported taking company data when they left their employment. The financial cost of a security breach can be detrimental to an organisation. It was therefore extremely surprising to discover that only 11% of Irish respondents had employed a proactive data protection solution, which controls who has access to sensitive data, how it can be accessed and transmitted. Many organisations still use a reactive model whereby portable storage devices are locked down or access control security is put in place. A data controller’s legal responsibility according to the office of the Data Protection Commissioner is to “keep it [personal data] safe and secure.” High standards of security are imperative for keeping data and these standards are expected of all data controllers.
Security concerns about data storage services remain high among many organisations with 62% of organisations admitting it is a primary issue for them. This is not surprising with the continued growth in stored data and the new industry ‘cloud’ based storage offerings.
According to the Data Protection (Amendment) Act 2003, the responsibility for ensuring the security of data is on the data controllers who must take the appropriate preventative steps. It states a data controller shall comply with the following provisions to prevent ‘unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.’
Data Breaches
Irish organisations need to be prepared for data breaches and should have a data breach plan in place. There should be a team ready to assess the situation if a data breach occurs. They should be prepared and know what to do, and be able to assess the size of the risk involved. They need to know what steps to take after the breach has taken place depending on the size of the risk:• do they announce it to the public?
• do they send out a press release?
• do they tell the Data Protection Commissioner? or;
• do they only tell the parties involved?
The organisation then needs to know if they have the capabilities to carry out the internal forensics to examine the problem of how the data was breached or do they need to get an external team in.
What most organisations do not realise is that a large percentage of data breaches are not malicious. A non-malicious example of a common data breach happens when hardworking employees decide to work from home. Typically, they send their work home via a personal email address that is external to the organisation’s IT system. It is then outside of the organisation’s control.
How long should data be stored?
We were also astounded by the large number of respondents who didn’t know how long data should be retained and had no idea how much data they are actually storing.Over 37% of organisations did not seem to have a clear directive as to how long data should be retained within their organisation. With Irish and international data protection laws in place, this lack of understanding could lead to serious compliance and governance issues. According to the Data Protection Commissioner, an organisation’s legal responsibility as a data controller is to “retain it [data] no longer than is necessary for the specified purpose or purposes.”
However, to err on the side of caution, many companies store all of their data online indefinitely — including duplications — and this can be a very costly process.
According to industry average, approximately 80% of stored data is more than 30 days old, yet organisations continue to store this on the most expensive disk within the IT infrastructure. Some of this data may still have a value to the business, for example: it might be patient records, contracts, and/or historical financial data. However, it is also possible that a large percentage has no value to the business at all.
This policy of storing data indefinitely can introduce a number of problems including a never-ending demand for more storage, lengthy backup procedures, a higher risk of litigation, and wasted time trying to discover and track down data. It is safe to say that those organisations who responded stating that over 50% of their IT budget is spent on managing storage are experiencing some if not all of these issues today.
Data Management Strategy
Most organisations refrain from deleting or cleansing stored data because of the disconnect between the IT department and the application/business units. The IT departments are tasked with ensuring that all of the data storage services operate normally and provide a good service, but they do not own the data and cannot make a call in isolation as to which data can be deleted and which needs to be retained. It is for this reason that data is ‘hoarded’ and kept online indefinitely. Today, organisations are beginning to realise that this practice is unsustainable in the long run and that a more cost effective, holistic solution is required in order to manage storage growth.Having a sound data management strategy that manages data from inception to disposal is key for organisations who want to minimise both costs and risk. They need to look closely at proactive data archiving and profiling solutions to effectively manage storage growth and ensure compliance, while reducing storage costs. In accordance with the Data Protection Commissioner, every data controller should be able to answer yes to the following questions:
• Is there a defined policy on retention periods for all items of personal data kept?
• Are there clerical and computer procedures in place to implement such a policy?
• Is information about old customers routinely purged from our systems?
If a data controller answers no to any of the above they need to re-examine how they store and manage their data.
Backup Copies
The research also highlighted a large number of problems in relation to the amount of storage being used by backup copies, duplication or personal user files. The advancement of office workplace collaboration technology has fuelled the growth in data but also the number of copies of files. Industry analysts are predicting that storage is to grow over the next 4 or 5 years by around 500%. This data will all need to be housed, protected, backed-up and retained. Irish businesses need to regain control or they will be swamped.Personal storage is also an area that can give rise to serious legal risks. This is proving to be one of the most challenging areas for organisations to manage, as there is no insight or control over the content contained within these files. When workers use PCs, laptops or mobile devices for personal purposes, not only is productivity reduced, but computers are also exposed to malware, phishing and other attacks that potentially compromise data.
Disaster Recovery
With a wide range of industry statistics indicating the huge numbers of organisations that go out of business if they cannot access data quickly after a disaster, it was not surprising to find that 84% of those surveyed do have a defined disaster recovery strategy in place. However, many still do not test their recovery strategies on a regular basis. A simulated disaster recovery test should take place at least twice a year.Conclusion
This is not just about improving the bottom-line for Irish organisations. It is about knowing your security and compliance obligations, while effectively managing storage growth. With much of Ireland’s future smart economy reliant on digital information, it is vital that Irish organisations can securely manage all data created and stored.To read the full report please click here!
