Data awareness is the biggest blind spot for small to medium-sized enterprises (SMEs) and people using computers at home – mainly because they have not yet realised the value of information.
Despite historians and the mainstream media telling us we live in the Information Age, most people still think in a way that is more in tune with the Industrial Age.
People still tend to give value to physical things and not to consider themselves or their businesses as a collection of digital information, to which access is controlled by a much smaller collection of digital information.
As a result companies and individuals are ignoring the value and role of their business and personal information in their lives – which are often interrelated.
According to research carried out on behalf of the UK government by the security company Detica, the UK loses £27 billion a year through computer crime – much of it through the theft of intellectual property from a broad range of companies including large corporates, SMEs and one person businesses.
Detica’s Henry Harrison says that in many cases companies are completely unaware that they have been the victims of data theft and have only found out after being informed by the government, via GCHQ or by organisations such as Detica.
Research into serious attacks on, or the loss of data by, SMEs has discovered that within three months of an incident happening most companies will go out of business.
Yet most companies still place more stress on physically securing a building than on securing their data.
According to insurance companies, who due to a spate of recent data losses are keen to develop a market in the area, the situation has occurred because of a fundamental lack of understanding about the role of data in a modern business.
‘If someone had a painting that was worth £1 million they would insure it and make sure it was secure – in fact they would probably keep it in a bank vault,’ says Alan Thomas, an SME specialist for the insurance company Hiscox.
‘Yet people will store their intellectual property, their client database, and important personal information on computers that are not protected, or inadequately protected, and they are not insuring themselves against the risk of losing that data.’
A survey from Hiscox in February 2011 found that this is happening at a time of increased awareness from SMEs of the risk from cyber crime, with nearly a quarter of SMEs reporting that they were concerned about e-risks.
While the awareness of the possibility of an external attack on a company has increased, many companies do not consider that their data will be a target. They are typically more aware of financial risk or losing money from bank accounts; again, this is because they have not considered the value of their data.
This lack of awareness persists despite the well-publicised hacking activity from international crime gangs aimed at stealing both ID data and intellectual property.
Since 2010 this activity has increased, with computer security companies and analysts in the area reporting a surge in the theft of personal data and a particular focus on intellectual property.
Given the calls by prime minister David Cameron for the UK to concentrate on the development of a knowledge economy based on SMEs, the lack of awareness of the value of data held on systems is of particular concern.
One of the reasons for the sudden concentration of activity on personal information is the recognition by crime groups of the value of financial details of business accounts and a targeting of individuals with high value accounts.
This has gone hand in hand with a realisation that ID data can also provide access to valuable business information.
As a result cyber crime organisations have started to refine data matching techniques that use the same methods as the counter fraud industry.
So data many consider to have little value will in fact be of particular value to criminals as it allows them to build an identity from many different places. Thus any database holding personal information is now a potential target.
The criminals overlay data from multiple sources, such as credit-reference agencies and recruitment agencies, with data stolen from personal computers and databases and social network sites.
In this way detailed profiles of high value targets can be established from a variety of different sources.
Moreover, people frequently use the same passwords for a number of different applications, work and personal accounts and online services. This means that one single password can also unlock access to other information which in turn allows other accounts to be breached.
For instance, access to an email account releases details of correspondents, whose accounts can then be spoofed – the account details copied.
This then lets a criminal send emails to the victim that look as though they originate from someone they know.
Another example of how criminals find information is in the date of birth information used in instant messaging accounts and social media systems. A person’s date of birth is used by banks and other financial organisations to establish their identity online and on the telephone.
Protecting your data – What you should do
1. Establish the value of your data to your business by carrying out a data audit.
2. Identify the threats to that data.
3. Identify the risks to your business of losing the data.
4. Find out what risks you expose yourself to by not properly protecting the data. NB the Information Commissioner’s Office can now levy fines of up to £500,000 on companies that do not have ‘appropriate measures’ in place to protect the data they hold.
5. Find out whether the data you hold is regulated by any body. Financial data can be regulated by the Financial Services Authority; online e-tailers using credit cards are usually governed by the Payment Card Industry Data Security Standard regulations.
6. Identify key data that should be protected and establish what level of security you should assign to that data to ensure that it is available to those who need it, and that the security level does not hamper the company’s effectiveness.
7. Have an effective data awareness policy.
8. Have effective data protection software.
9. If you hold documents and databases that you consider key to your business, protect them with software that prevents them being copied without your express permission.
10. Consider whether you should invest in intrusion detection software which will alert you to whether an attacker has got onto your systems.