
Third of Organisations Not Prepared for Security Breaches

Organisations Need to Adopt the Right Behavioural Controls

(24.03.10) - Ahead of InfoSecurity Europe opening its doors next month, one of its keynote speakers, Stewart Room, offered organisations structured advice to keep them out of court and avoid the £500K fine to be levied by the Information Commissioner from April, should they experience a security breach or data loss. This is an area where organisations inherently fail to plan: according to the results of an online poll conducted by Infosecurity Europe, a third of organisations admitted that if they experienced a security breach tomorrow, they would not have a system in place to deal adequately with the incident.


Stewart's advice is that, as far as data security and handling is concerned (and indeed in any area where there is a regulatory framework), organisations need to focus on two elements: the system and the operations.

The system sets out the organisation's position on security through documented rules, policies and procedures; the operations detail how the organisation implements the system in its day-to-day activities. The premise is that if the system is legally compliant and covers all the benchmarks within the legislation, then the law says that operational failures can be excused.

That said, if you experience an operational failure and a breach occurs, the law is then interested in whether the system in place covers containment, damage limitation and recovery. In Stewart's experience it is the system, especially this latter part, that has historically been ignored, and it is on this point that many organisations face prosecution.

"Most organisations unfortunately don’t have good systems for actually managing the problem. If a breach occurs, the law is really concerned with your behaviour at that point in time. You can't unravel the past and pretend the breach didn’t occur, it’s what you do from that point on that will determine your culpability," explains Stewart. "The law is about changing behaviours, so if you adopt an honourable stance from the outset, doing the right thing at the right time, then your legal team are in a very strong position to defend you to the regulator arguing that you're not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment."

Organisations need to adopt the right behavioural controls, preferably before a breach, so that if the worst should happen they know what the right thing to do is. In Stewart's experience a data breach requires a multi-disciplinary response that may include some or all of the following: a security specialist, IT resources, a PR agency, legal advice, credit reporting services, credit file freezes, etc. An organisation should reflect on these requirements in advance so that, in a crisis situation, it isn't left floundering.

Stewart Room is a partner at Field Fisher Waterhouse LLP and the author of three books, the most recent titled 'Butterworths Data Law & Practice' (2009). Stewart is participating in a panel discussion as part of Infosecurity Europe's Keynote Theatre titled "Compliance - How To Defend Yourself And Stay Out Of Court". (Infosecurity Europe: ra)
