Thursday, 31 March 2011

Wales e-crime cost nears £1bn - Trusting everybody

An interesting story on the BBC this morning [BBC] about e-crime having doubled in a period of just 12 months to £1 billion.

However, what was more interesting is the final part of the article. A Mr Perring had all his business information stolen by a disgruntled employee when he had to let him go due to the recession. The reason was simple: Mr Perring basically trusted the employee to set up his IT system and run it, without checking whether it was actually secure, because he did not know much about it. He also did not understand that the IT guy he let go actually had access to all his information.

This is what really amazes me - I appreciate that you may not understand IT, but you would not give your house or car keys to just anybody and trust them, so why would you not do the same with your information?

It's unknown whether Mr Perring lost any personal information that he was processing on behalf of his clients, but if he did and the ICO did have a look at it, Mr Perring would have broken the Data Protection Act, because as the owner of the business, and hence the Data Owner, it would have been his responsibility to ensure all information was being securely processed.

Take stock now:

1) Do you actually know where all your data is, especially if it is being hosted on a cloud or looked after by a contractor or third-party company?

2) Do you know if it has role-based access control over it? Surely not everybody needs access to all of it.

3) Are you sure all access to the data is actually secure, including when the data is at rest (on a laptop, desktop, server) or in transit across a network?

Remember, your Data Ownership risk cannot be transferred simply because you did not bother to get your policy right and your data goes missing.

