Many people think that the term information security concerns only the security of digital data. In fact, information security means keeping all types of data secure and protected from any kind of unauthorized use, which includes inspection, destruction, loss, recording, disruption, disclosure, access and modification. The term applies to data in both digital and physical form.
Information security was extremely simple when I started my career in computing. People locked their offices and computer rooms and knew that the data was secure. Shredding magnetic tapes, shredding paper and destroying old disk drives were the only things needed for information security. In those days, electronic data could not be accessed easily without access to the computer room. Therefore, control of input as well as output media was what was necessary to secure information and data.
It is true that a lot has changed in technology since then, but the basics of data protection have not. If one compares the Data Protection Act 1998 with the 1984 Act, the basics remain the same.
I have observed a lot of simple data breaches over the years. Some of these breaches are as follows:
- People leave confidential papers everywhere without giving a second thought to their security. I have found confidential papers left in meeting rooms, hotel bars, on buses, in bins, on fax machines and on desks where others can easily see them.
- People occasionally send personal details to the wrong address or person.
- People make disclosures over the phone that should not be made over the phone.
- People accidentally send e-mails to all their contacts with the addresses pasted into the 'To' field rather than the 'BCC' field, so every recipient sees everyone else's address.
- Computers are regularly discarded without the hard drives first being destroyed.
- People regularly lose USB sticks holding important information, and those USB sticks are unencrypted.
- Laptops holding extremely important information are lost on trains and buses, and there is no encryption.
- People hold on to data even when they know it is inaccurate, and that inaccurate data is then used inadvertently.
- Servers and networks are left unsecured, open to cyber criminals.
- People regularly click on attachments and links from unknown senders, which results in the download of malware and viruses.
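The 'To' versus 'BCC' mistake in the list above is one of the few items that a simple technical control can catch before the message leaves the organisation. The following Python is an added example, not code from the original post: an outbound check that counts the external addresses visible in To/Cc and, above a threshold, moves all of them into Bcc. The organisation domain (example.com), the threshold (5) and the sample newsletter message are all my assumptions, constructed for the example; in practice this logic would sit in the mail gateway or a DLP rule rather than in the client.

```python
"""Added example (not from the original post): catch a contact list pasted
into To/Cc and move it to Bcc before the message goes out.

Assumptions (mine, not the author's): the organisation's own domain is
example.com, and at most MAX_VISIBLE external addresses may be visible in
To/Cc. The sample message is constructed for this example.
"""
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com"  # assumed organisation domain (hypothetical)
MAX_VISIBLE = 5                  # assumed policy threshold (hypothetical)


def _addresses(msg, header):
    """Lower-cased bare addresses from every instance of `header` in msg."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def is_external(addr):
    """True for any address not belonging to the organisation's own domain."""
    return not addr.endswith("@" + INTERNAL_DOMAIN)


def visible_external_recipients(msg):
    """External addresses that every recipient would be able to see (To and Cc)."""
    return [a for h in ("To", "Cc") for a in _addresses(msg, h) if is_external(a)]


def enforce_bcc(msg):
    """Outbound check for the To/BCC mistake.

    If more than MAX_VISIBLE external addresses are in To/Cc, move all of them
    to Bcc so recipients cannot see each other's addresses. Internal addresses
    stay where they are; if To ends up empty, the sender's own address is put
    there (the usual way to send a bulk message with a hidden recipient list).
    Returns the list of moved addresses; an empty list means no change.
    """
    moved = visible_external_recipients(msg)
    if len(moved) <= MAX_VISIBLE:
        return []
    for header in ("To", "Cc"):
        keep = [a for a in _addresses(msg, header) if not is_external(a)]
        del msg[header]  # EmailMessage allows only one To/Cc, so clear first
        if keep:
            msg[header] = ", ".join(keep)
    existing_bcc = _addresses(msg, "Bcc")
    del msg["Bcc"]
    msg["Bcc"] = ", ".join(existing_bcc + moved)
    if msg["To"] is None and msg["From"] is not None:
        msg["To"] = str(msg["From"])
    return moved


def build_sample():
    """Constructed sample: a customer list pasted into To, plus one colleague."""
    msg = EmailMessage()
    msg["From"] = "news@example.com"
    customers = ", ".join(f"customer{i}@mail.test" for i in range(1, 8))
    msg["To"] = customers + ", colleague@example.com"
    msg["Subject"] = "Monthly update"
    msg.set_content("Hello all")
    return msg


if __name__ == "__main__":
    sample = build_sample()
    moved = enforce_bcc(sample)
    print(f"moved {len(moved)} external addresses to Bcc")
    print("To:", sample["To"])
    print("Bcc:", sample["Bcc"])
```

The check deliberately keys on the count of external addresses rather than on the total, because a large internal distribution list in To is normal; a large list of outsiders is the pattern behind the breach. A gateway rule would also want to log the event so the near miss shows up in awareness reporting.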
I strongly believe that there are many others like me who have witnessed such simple data security breaches, caused by a lack of information security awareness. Also, things have become more complicated today, as data must also be protected against hackers, phishers, cyber criminals and intruders who do not need physical access to get their hands on confidential data.
A lot of new technologies have emerged to protect data from these new threats, including user authentication, encryption, anti-spyware and antivirus software, password protection, firewalls, secure logins, regular software updates and secure transmission. The truth is that security becomes much easier if a system is designed with security as a central objective. Securing a system as an afterthought, on the other hand, is a hard job.
In September 2013, the International Organization for Standardization (ISO) published an updated version of its information security management standard. The previous version, released in 2005, was outdated and needed an overhaul. The latest version, ISO/IEC 27001:2013, specifies the requirements for an information security management system and reflects current data protection practice.
To obtain certification under this standard, an organisation must follow all-encompassing data protection and information security practices. Nor can it rest on its laurels after obtaining the certification: continual risk assessment, review and improvement are part of the standard. This makes it much more than a merit badge that a company can earn. It shows the company's commitment to data protection and information security.
The Data Protection Act is enforced by the Information Commissioner's Office (ICO). Last year the ICO published an interesting article outlining the data breaches of the previous year and the fines it had imposed. Ironically, the ICO was itself breached some time after that article was published.
The data breaches of the past few years show how easily a breach can happen. It is also important to keep in mind that a data breach can have terrible consequences for individuals as well as for the affected companies. It is no exaggeration to say that data protection and information security should be among the key objectives of every company, and that information security needs to be the responsibility of everyone in the company. It is no longer the domain of the IT department alone.
In 2009 President Obama said that the emerging cyber threat is one of the most serious national security and economic challenges the country faces. The Internet has grown enormously since that speech, and anyone who has been paying attention to the news knows that there has been a huge increase in both the severity and the volume of cyber threats. With the increasing use of cloud computing and mobile devices, opportunities for cyber crime are growing at an alarming pace.
I am of the opinion that we are going to see a huge increase in cyber threats in the future. Therefore, data protection and security awareness should become a way of life and should not be treated as the isolated responsibility of a particular department. As far as businesses are concerned, every employee should be given security awareness and data protection training in addition to the usual physical and technical precautions.
All of us need to spread the word and make sure that data protection becomes a way of life for future generations.