Infosec 2009: Better incentives required to stop data loss

Data security is more important than ever

Organisations do not know enough about the source, reason and frequency of data leaks, and more incentives need to be put in place to encourage better data protection, according to a panel discussion at the Infosecurity Europe show in London.

Data losses are still a regular occurrence, and IT managers often have no idea about the scale of the breach, or whether it is accidental or intentional.

Lord Errol, one of the panellists, believes that this issue is compounded by recent job cuts across all businesses, which can add to what he calls the " fraud triangle" of pressure, opportunity and rationality.

He added that the punishments for data losses, both to individuals and organisations, are simply not strong enough, and that the current structure provides no real incentive for the effective prevention of data loss. He also said that that the Information Commissioner's Office needs greater powers to protect citizens.

Lord Errol admitted that he was not sure of the best form of punishment, be it imprisonment, community service or higher fines, but stressed that the current low conviction rates and small fines are not much of a deterrent for cyber criminals or businesses.

Julia Harris, head of information security at BBC Future Media & Technology, agreed with Lord Errol's comments, adding that even the best policies will often be broken when an employee is under pressure to deliver. She added that it is imperative to make sure that best practices and policies are robust, effective and easy to follow, otherwise they will simply be ignored.

"Don't trust internal networks any more than the internet," Harris said. "In these days of huge global networks, remote working and increased interactivity, it is imperative to move controls closer to the data."

She concluded that IT security is often perceived as a necessary evil, and that the current economic crisis means that budgets are under increasing pressure. So it is important to get the backing of senior management to make sure that data security is not neglected or discarded.