Milton Keynes businesses must mind the gap when dealing with data security

While data security is recognised as high priority for local businesses, a survey by PricewaterhouseCoopers LLP (PwC) reveals a significant gap between their attitudes and actions.

The Information Security Breaches Survey 2008, conducted by PwC on behalf of the Department of Business, Enterprise & Regulatory Reform (BERR) shows 82% of South Midlands companies believe information security is a high or very high priority.  But one in three revealed they didn’t have a security policy and almost half haven’t done a risk assessment in the past year.

According to the survey, only 17% of South Midlands businesses are aware of relevant data management quality standards - British and International Standards on information security management (BS 77999/ISO 27000).

Neil Ward, data security specialist at PricewaterhouseCoopers LLP in the Midlands, says,

“Recent data security breaches have encouraged some businesses to take data security more seriously, but the majority of local businesses still lack an understanding of the true extent and sensitivity of the data they hold and how to keep it safely.”

The amount of data stored and used by employees in electronic format on PCs, PDAs, BlackBerries and laptops has significantly increased. The survey showed 68% of businesses hold highly confidential information electronically, but only 10% encrypt the hard drives of laptops and PCs. More than half admitted to taking no steps to prevent sensitive data from leaving their organisation on a USB stick.

Neil Ward says:

“This issue needs attention, given the increase in employees working away from the office. With more portable electronic devices available and unrestricted remote access to computer networks data security could be compromised.”

Data security guide by PwC:

• Understanding your data – conduct an audit into the extent of data stored, both on and off site. Which is the most sensitive, can it be categorised, how should it be stored / handled and who can access it?
• Data in the home – consider introducing a policy for home workers so documents and devices are protected when off site and wireless internet connections are encrypted and password protected
• Data encryption – all sensitive data on laptops can be both password protected and encrypted
• Disposing of data – all documents, media such as CDs and computer equipment that may hold sensitive data should be disposed of correctly. This can include shredding, incineration and secure erasing of computer hard drives
• Getting accredited – the most diligent business can have their data security internationally accredited. ISO 27000 is a code of practice for information security. It has a range of specific controls to secure information and related assets. Further information is available at The ISO 27000 Directory

Neil Ward concludes:

“Many businesses still think a data security breach won’t happen to them. But this is a serious issue for small and large companies. Reviewing the extent of data is a valuable exercise and by taking a few extra steps businesses can protect that data.”

Contact details
Email: Neil Ward
Tel: +44 (0)1509 60 4271