Steve Hall, Kingston Technology: Data Security, We Need More Education
There is hardly a week that goes by where there isn’t another horror story in the media regarding the loss of personal or corporate confidential data. The fact is that we are only humans so doors to offices are left open, USB drives are forgotten on trains and sometimes envelopes containing CDs with the personal data of 25,000 people on them are misplaced by couriers or by the postal system. There are, however, simple ways of preventing these accidents from turning into disasters, but worryingly, there still appears to be a lack of understanding regarding data security policies and the safeguarding of confidential information.
A recent survey carried out by Kingston Technology at the education technology event BETT, revealed some worrying statistics regarding data security. It highlights the void that needs to be filled by stronger policies and the need for a better understanding about data protection. As recent media coverage has shown, this problem is certainly not exclusive to the education sector as it is relevant to both the public and private arenas. Data encryption is quite clearly essential to combat human error and as the following findings show, we need to educate people on just how simple this can be.
The survey asked 100 people working in the education sector about the IT policies and practices that the organisation they work for currently has in place. Ominously, 52% of the respondents were not aware of any procedures that their employers had in place regarding the removal of data from workstations, highlighting the vulnerability of the data that is transferred within organisations. Nearly half of the respondents, 46%, admitted that they do not encrypt data when they download it onto a USB drive and 25% said they only encrypt data occasionally. Furthermore, just under one quarter (22%) were not sure if there were any policies in place regarding the removal of data and only a mere 11% said their organisation had strict guidelines in place preventing the removal of confidential information.
From the results, it seems that there are still local authorities that have not implemented security policies to ensure encrypted USB drives are used to carry confidential details out of the building. Even if there are policies in place, organisations have to ensure that they are effective: at the beginning of this year, a health worker lost a USB pen that contained the confidential medical information of more than 6,000 prisoners and ex-prisoners from HMP Preston. Although the USB key was an encrypted one, the password was written on a note attached to the memory stick. It is crucial that organisations put policies and processes in place to ensure that employees only use secure encrypted USB drives and that they use them in an efficient way. Maintaining public confidence is essential and organisations have both a moral and legal obligation to keep confidential data safe.
The cost of action
When asked about the reasons for not implementing secure drives, 37% of the survey respondents stated that the price of encrypted USB drives was prohibitive to educational institutions incorporating them into their data security policies. In the current economic climate, similar reasons are undoubtedly cited for the lack of more effective data security strategies in other sectors too. However, this is a false economy; using unencrypted USB drives for documents can not only be costly in terms of the job losses that go hand-in-hand with data loss scandals, but also in terms of the organisation’s reputation. Now more than ever, maintaining confidence is key; otherwise organisations risk losing the public’s trust, something no one can afford to do at the moment.
Reputation is vital to the success of any business and given the effect market sentiment can have on businesses at present, maintaining a good public perception is imperative to all. Implementing policies that insist upon the use of secure USB drives that feature 256-AES hardware-based encryption will help to reassure clients that their data is safe. The solution is very cost-effective too, when one considers the value of the potential data loss. USB keys with high-level encryption hardware cost as little as £60, which is the cost of just ten textbooks. This seems like a small price to pay in the long run: essential rather than extravagant.
The survey results and the media coverage speak volumes: organisations that deal with confidential or personal data need to ensure that they look after it properly, but so far, this is not being done effectively. The Data Protection Act requires bodies to protect important confidential information, so companies, institutions and public bodies need to comply with these statutory requirements.
Ironically, these data protection policies are so simple to formulate and easy to implement. Using encrypted USB keys to transfer data, installing encryption software on PCs and servers and ensure upgrading is done in a timely and effective fashion is crucial. Yes, there are set-up costs with this, but surely, the guaranteed protection of 6,000 names is worth £60?
The survey results from Kingston highlight the current knowledge gap in the education sector and from the amount of media attention regarding the problem, it is an issue that spans nearly every sector that deals with personal or corporate confidential information. More education is undoubtedly required to ensure that these data breaches cease so that we can all feel that our information is safe and secure.