Keeping data out of harm’s way: information protection strategy for security service providers
Protecting personal information has never been more important and organisations must implement robust operational policies to keep sensitive data safe and secure.
A clearly defined and continually improving information protection strategy is central to effective risk management and demonstrates that a security services provider operates to the highest possible standards.
The volume of global data has increased exponentially over the last decade and this trend is set to continue. Not surprisingly, it is now considered an asset and a key element in the operation of modern businesses.
Organisations of all sizes are therefore becoming increasingly aware of the importance of data protection and the serious adverse consequences that can result from the disclosure of confidential information.
Up close and personal
A recent Axway survey revealed that 85 per cent of respondents had serious concerns over how their data is stored and secured, while 53 per cent said a data security incident would be a reason to end the customer relationship. Any data that relates to an identifiable individual, whether a business stores it or merely handles it, therefore needs to be protected. This includes names, addresses, email addresses, telephone numbers and bank and credit card details, as well as the special categories of personal data, such as ethnicity, religious and political beliefs, health and sexual orientation, which the law treats more strictly. It applies to the data of customers and other third parties, not just employees.
With the greater use of technology within security services provision, it is not just CCTV footage that has to be considered. The use of biometrics is coming under intense scrutiny: face, fingerprint, voice, signature, DNA, iris pattern and even whole body recognition all rely on data that is unique to an individual and cannot be changed if it is compromised. Biometric data used to identify someone is itself special category data under the GDPR, so it must be handled in a way that does not compromise privacy.
Fine time
Those responsible for collecting and using personal data have to follow strict rules. In the UK these are set out in the UK GDPR and the Data Protection Act 2018, which sit alongside each other and control how personal information is used. In the event of a breach the financial penalties are significant: the higher maximum penalty is £17.5m or four per cent of total annual worldwide turnover, whichever is greater, and affected individuals can, in some cases, pursue financial compensation.
The rules apply to public bodies and private companies alike. In December 2021 the Information Commissioner's Office (ICO) fined the Cabinet Office £500,000 for publishing the postal addresses of the 2020 New Year Honours recipients online. The ICO found that it had failed to put appropriate technical and organisational measures in place to prevent the unauthorised disclosure of personal data.
Policy document
In addition to ensuring that any security risks, threats and vulnerabilities are identified, prioritised and managed, it’s important to demonstrate to customers, third parties and internal stakeholders that their data is protected. This also helps to protect intellectual property and reduce the cost of downtime from data breaches, while offering a competitive advantage that can help maintain and win new business.
Avoiding the compromise of information cannot be left to chance and requires strategic planning, which is why organisations should adopt a corporate data protection policy that sets out how they protect personal information. It is a set of principles, rules and guidelines that defines how ongoing compliance with data protection law will be achieved and how data is collected, used, stored and disposed of.
Number crunching
One of the most effective ways to put a data protection strategy in place is certification to ISO 27001, the international standard for information security management systems (ISMS), by a certification body accredited by the United Kingdom Accreditation Service (UKAS). It is the most widely recognised standard of its kind and its controls cover cybersecurity, physical security and everything in between. Certification is tough to achieve and requires genuine and demonstrable commitment throughout all aspects of a company's operation.
ISO 27001 certification provides a comprehensive framework for maintaining the confidentiality, integrity and availability of information, as well as legal compliance, continual improvement and corrective action. Its planning process has six parts: define a security policy, define the scope of the ISMS, conduct a risk assessment, manage the identified risks, select the control objectives and controls to be implemented, and prepare a statement of applicability that records which controls apply and why.
Safety first
Those looking to procure security services need to ascertain how their prospective partner will protect their information. ISO 27001 certification serves as an excellent starting point in the selection process and, given the importance of robust information management, should be considered a prerequisite.
How seriously a company takes the issue is also reflected in its internal structure. For example, a dedicated data protection officer who initiates and promotes best practice and keeps up with the latest legislation is a good sign that an organisation will take a similar approach with its customers' data. It is also worth checking whether a potential supplier publishes a clearly defined privacy policy on its website. This should set out how it uses personal data, confirm how it complies with data protection law and form an integral part of its overall risk management process.
Not worth the risk
The loss of personal information can lead to operational downtime, reputational damage and financial penalties – any of which could harm business continuity and even put an organisation’s very existence in jeopardy. With this in mind, a rigorous, dynamic and continually evolving information security management strategy should be a vital element of any security services provider’s business model and approach to risk management.
Barry Spriggs, Data Protection Officer, and Darren Salmon, IT Director, Wilson James