Serious breaches of IT security and major losses of customer or employee data regularly feature in the news. Clearly, such breaches of security have a major impact on the organisation affected on a number of levels – from damage to reputation and loss of key intellectual property, to regulatory sanctions, including large potential fines as well as criminal penalties.
Employers can take a number of steps to protect their organisation against security breaches:
• Put a security breach action plan in place;
• Put security policies in place, implement them and ensure that they are regularly reviewed;
• Update security software regularly; and
• Put effective systems administration procedures in place.
The Data Protection Act requires that ‘appropriate technical and organisational measures [are] taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’.
In practice, this principle involves implementing policies and procedures on data security, as well as taking physical and technical steps to prevent unauthorised access to, or accidental loss of, data. The precise steps taken will depend on an analysis of the risk to the particular organisation – which varies with its size, its sector and the nature of the data it holds – and on a balancing act between that risk and the cost and technical feasibility of taking certain measures.
Organisations wishing to implement best practice to safeguard the data they process can take steps to implement International Standard ISO 27001, which has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It covers people, processes and IT systems, and applies a risk management process to them.