Recovery plans essential for preventing data loss disasters

By Ron Condon, U.K. Bureau Chief 29 Jan 2009 | SearchSecurity.co.uk

Security UK News Digg This!     StumbleUpon     Del.icio.us

Sensitive company information relating to both customers and staff is on the laptop, which is password-protected, and also on the USB sticks, which are not protected. To make matters worse, it is 4 p.m. on a Friday, and you can't get a signal on your mobile phone.

So what do you do?

This was the scenario presented to a group of security professionals and managers this week at a conference organised in London by consultancy RiskAdvisory Software Inc. and law firm Herbert Smith LLP.

In workshop sessions, delegates were asked to consider two aspects of the event: what action to take immediately, and what to do in the company to ensure it wouldn't happen again.

More on data loss Are data breach notifications a legal requirement? Stewart Room explains the progress in legislation. Contributor Gary Brown has an inventive way of using virtualization to prevent data loss.

Some delegates were lucky. In their organisations, it was possible to call one number to activate a pre-planned incident response process. If they were in that position, they just had to find a working phone (which might require them to get off the train at the next stop), and everything would be taken care of, including informing the police, contacting Starbucks, and getting the laptop disabled.

Other not so lucky professionals had to work out their own course of action. For instance, should they try first to contact Starbucks or report the loss immediately to their line manager? The victim worked for a publicly listed company, so there were implications for the share price; some kind of defensive PR plan was needed.

What emerged from the session was that if you have a plan in place for data loss, as for disaster recovery, then you have a much better chance of keeping the damage to a minimum. Communication is essential, but this depends on having a suitable corporate culture. According to one conference panel member, Cheryl Hennell, head of IT security for BT Openreach, a no-blame culture encourages people to report mistakes rather than try to hush them up. Her company operates a helpline for this very purpose.

The second part of the exercise -- what preventive action to take -- focused on security awareness, policy enforcement, and a review of how data is handled. The poor chap in the example had loaded customer and staff files on his laptop because he was planning to visit a number of regional offices. As some people spotted, he could just as easily have accessed the information from company offices rather than exposing it to loss or theft.

Another panel member, Christopher Rees, who heads the information assurance practice at Herbert Smith, crystallised the problem. "You should treat data as if it were cash. Would you go around the country with a briefcase full of cash -- of course not. You should treat data in the same way."

Lost your laptop and USB sticks? Don't panic. And tell the ICO
After all the discussion, Rees then asked what turned out to be the killer question: "Did anyone suggest informing the Information Commissioner?"

Blank stares all round. No one had thought to mention disclosure to the Information Commissioner's Office (ICO), but as Rees explained, this is absolutely essential.

Tips for tackling data loss *Have a tried and tested plan. *Communicate the plan so users know what to do. *Treat information like cash – only carry what you need. *Inform the ICO immediately if a breach occurs.

When personal data goes missing, he said, it is essential to inform the ICO quickly, and explain how you are taking all reasonable steps to reduce the impact. The ICO will soon have the power to impose fines on companies that treat personal data recklessly, and those fines could be up to 10% of annual turnover.

Provided you are open with the ICO and show you have a process in place to protect those individuals affected, then you are likely to be treated leniently. Companies that try to conceal a breach can expect to feel the full force of the ICO's powers, he said.

Tags: Data Breach Incident Management and Recovery,  Data Protection Solutions and Strategy,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Data Breach Incident Management and Recovery Make PCI DSS compliance easier by reducing scope, outsourcing data Full disk encryption: Safer and easier than file and folder encryption PCI DSS requirements: Get ready for stricter enforcement, fines Data breach costs continue to rise in 2009, Ponemon study finds Data Protection Act breach could cost companies 500,000 pounds Jericho Forum to provide customers with good security questions to ask Verizon report goes deep inside data breach investigations Insider threat detection still a challenge for employers Layoffs prompt insider threat fears, cybersecurity survey finds ArcSight boosts system log management capabilities Data Protection Solutions and Strategy Enterprise data management: Prevent data loss and insider threats NSA, cryptoexperts jab at RSA Conference 2010 Cryptographers' Panel Make PCI DSS compliance easier by reducing scope, outsourcing data Data Protection Act fines likely limited, audit powers may expand Websense integrated security system aims to simplify security management Full disk encryption: Safer and easier than file and folder encryption No major PCI DSS revision expected in 2010 Data breach costs continue to rise in 2009, Ponemon study finds Chinese hacker attacks target Google Gmail accounts, top tech firms Annual security reports offer some hope

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary UK Identity Cards Act  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary