Laptops are loose cannons in an enterprise security plan

In today's technology-driven world, most data and company information is stored electronically, making it relatively simple for unscrupulous people to get their hands on sensitive information. However, companies would do well to remember that most data thieves are not necessarily outsiders, and that a large amount of internal data theft takes place.

According to J2 Software MD , as much as 80% of information breaches come from trusted internal users. "There is an ever-growing number of cases where sensitive or confidential company or customer information is leaked to competitors or fraudsters looking to turn a quick buck," he says. "It is therefore vital that organisations keep tabs on exactly who has access to what corporate data."

HIGH COST OF THEFT

More than 600 000 laptop thefts occur annually, totalling an estimated $720 million in hardware losses and $5.4 billion in theft of proprietary information, according to Safeware Insurance. estimates that approximately 70% of all laptop thefts are internal, mostly from private offices, temporary work stations or meeting rooms, and laptop theft was the top threat reported by South African companies in the 2006 Information Security Survey conducted by ISG Africa.

In South Africa, stolen laptops have been known to fetch more money for thieves than stolen motor vehicles. But for companies, these thefts are more than just a nuisance, leaving them with lost software, lost information, high equipment replacement costs and downtime.

According to Gartner, the total cost of the replacement of hardware, software and data is generally three to five times the replacement value of the hardware alone. And, if a recent case in the UK is any indication, companies are no longer going to be able to ignore the security threats posed by stolen laptops.

SECURITY AS A CULTURE

The UK's Nationwide Building Society (NBS) was recently fined £980 000 after burglars stole a laptop from an employee's home. The British Financial Services Authority (FSA) found security was not up to scratch after the man had put details of nearly 11 million customers on his computer. The FSA also found that NBS did not start an investigation until three weeks after the theft occurred. In fact, the FSA's investigation showed that the building society had not known that the laptop contained any confidential customer information at all.

The fine was not for the stolen laptop, but bigger issues pertaining to the security controls of the building society. According to the FSA, NBS was guilty of failing to have effective systems and controls in place to manage its information security risks.

According to McLoughlin, this fine will have a positive impact on companies, which will now recognise that logical security is a culture as well, not merely a product to be purchased. "What we lack here is an adequate privacy act where the owner of the data is protected from disclosure, similar to the Data Protection Act (DPA) in the UK which protects a user's rights as to who has his data and how that data is transmitted," he says.

THE LAW

McLoughlin asks how long it will take before these rulings are commonplace in South Africa. Once the Draft Bill on the Protection of Personal Information becomes law, it looks likely that we will follow the UK's example. The bill places the onus on business to protect information, including company trade secrets, personal customer information, sales data and channel strategies, making failure to do so a crime.

However, according to Warren Weertman of attorneys , there is still some way to go until we see this implemented, so we are still relying on common law at this time. "The ECT Act has established voluntary principles for the protection of information, but at this point that is what it remains: voluntary," he says. "The UK law is more stringent than ours, but the Draft Bill is aimed at bringing us in line with EU requirements."

He adds that even though there are no specific obligations on employers in terms of legislation, this doesn't negate their common law obligations to their customers to protect their information. "It's a balancing act," he says. "Under common law, companies have an obligation to limit employees' access to data to what is reasonably required, and employees have a fiduciary duty to act in the company's best interests." Ideally, the Draft Bill will clarify all parties' responsibilities and make provision for legal recourse, so we'll have to wait and see if cases similar to NBS's become common locally.
