Page last updated at 23:17 GMT, Monday, 21 April 2008 00:17 UK

Customer data 'needs protection'

By Darren Waters
Technology editor, BBC News website

Some companies are failing to encrypt data

Companies and public bodies are not doing enough to protect customers' data, the UK's privacy watchdog and a major survey of security have said.

The Information Commissioner said that the 94 security breaches reported to him last year was an "alarming" number.

The survey of more than 1,000 firms suggested that almost 90% of them let staff leave offices with potentially confidential data stored on USB sticks.

Firms and public bodies were urged to make data protection a priority.

Information Commissioner Richard Thomas said of the 94 data breaches, two thirds were committed by government or other public sector bodies.

Data had been recovered in only three of the 94 cases, he said.

Stolen computers

The material included personal details of UK citizens, including health records.

"The evidence shows that more must be done to eradicate inexcusable security breaches," he said.

Mr Thomas' findings and the separate Information Security Breaches Survey will be detailed at the InfoSec show in London, the world's largest event of its kind.

The survey was carried out by PricewaterhouseCoopers on behalf of the Department for Business Enterprise and Regulatory Reform.

According to the survey, almost 80% of firms that had reported a stolen computer had not encrypted data on the hard drive.

Chris Potter, from PricewaterhouseCoopers, which compiled the survey, told BBC News that overall attitudes to security had improved in the last 12 months.

System failures

"Companies have focused on the areas which have caused them most damage in the past, such as viruses and system failures.

"These tend to have caused the greatest cost in terms of business interruption."

But he said the "biggest concern is around the protection of customer data, which companies clearly want to be good at.

"Sometimes that's not translating into real action."

He said particular threats were around the lack of encryption of data on laptops, the use of USB memory sticks and newer technologies like Voice over Internet Protocol.


"In all these areas the controls are not as strong as they are over traditional threats," he said.

Mr Potter's comments were echoed by those of the Information Commissioner.

Mr Thomas said: "The government, banks and other organisations need to regain the public's trust by being far more careful with people's personal information.

"Once again I urge business and public sector leaders to make data protection a priority in their organisation."

For Peter Yatt, head of information security at risk consultancy Control Risks, there needs to be a major shift in employee attitude before organisations can claim to be watertight.

"Our own survey found that 40% of employees are happy to talk about their credit card details on the phone at work and not even think about it. You used to be able to protect firms with firewalls but those days have gone now," he said.

Data lawyer Susan Hall believes that having a policy on data security is no longer enough.

"Having a policy is as effective as rubbing lemon on your face if people aren't taking notice of it. It's got to be a case of a complete buy-in from the top to the bottom of an organisation," she said.

Organisations are struggling to control their data because they do not want to damage relationships with employees, she said.

"A gatekeeper mentality is difficult because employers don't want to say that they don't trust their employees with their data," she said.

Of the total reported to the commissioner, 62 security breaches were in the public sector, 28 were in the private sector and four in the charity or third sector.

Of those reported by public sector bodies, almost a third happened in central government and associated agencies, and a fifth in the NHS.

According to the PricewaterhouseCoopers report, fewer companies today are encrypting data on laptops than two years ago, despite a recent spate of high-profile instances of laptop losses with unencrypted information.

Mr Potter said: "We have seen in successive surveys that companies tend to be very good with preventing yesterday's problems. Companies need to stay on their toes to make sure they are addressing tomorrow's problems."

Risen dramatically

The report found that the number of attempts to hack into company networks had risen dramatically over the last two years.

"What is a really big concern is the proportion of large businesses that say hackers have got into their networks," said Mr Potter.

Two years ago one percent of large businesses reported a hacker penetration compared to 13% in the current report.

The survey also said that figure was likely to be under-reported because many large firms did not admit to successful hacks on their networks.

Security breaches cost UK business roughly several billion pounds a year, said the report.
