Keeping data out of harm’s way: information protection strategy for security service providers
Protecting personal information has never been more important and organisations must implement robust operational policies to keep sensitive data safe and secure.
A clearly defined and continually improving information protection strategy is central to effective risk management and demonstrates that a security services provider operates to the highest possible standards.
The volume of global data has increased exponentially over the last decade and this trend is set to continue. Not surprisingly, it is now considered an asset and a key element in the operation of modern businesses.
Organisations of all sizes are therefore becoming increasingly aware of the importance of data protection and the serious adverse consequences that can result from the disclosure of confidential information.
Up close and personal
A recent Axway survey revealed that 85 per cent of respondents had serious concerns over how their data is stored and secured, while 53 per cent said a data security incident would be a reason to end the customer relationship. All data that relates to an identifiable individual that a business stores or handles therefore needs to be protected. This includes names, addresses, emails, telephone numbers, bank and credit card details, as well as information regarding ethnicity, religious and political beliefs, health and sexual orientation. This doesn’t just apply to employees but customers too.
With the greater use of technology within security services provision, it’s not just CCTV footage that has to be considered either. The use of biometrics is coming under intense scrutiny, as it uses face, fingerprint, voice, signature, DNA, iris pattern and even whole body recognition. Such uniquely personal information clearly needs to be handled in a way that does not compromise privacy.
Those responsible for collecting and using personal data now have to follow strict rules. The Data Protection Act 2018 – the UK’s implementation of the General Data Protection Regulation (GDPR) – controls how personal information is used. In the event of a breach the financial penalties are significant. The higher maximum amount is £17.5m or four per cent of total annual worldwide turnover and affected customers can, in some cases, pursue financial compensation.
No organisation falls outside the scope of the Data Protection Act 2018. In late 2021 the Information Commissioner’s Office (ICO) fined the Cabinet Office £500,000 for disclosing postal addresses of the 2020 New Year Honours recipients online. It was found guilty of failing to put appropriate technical and organisational measures in place to prevent the unauthorised disclosure of information.
In addition to ensuring that any security risks, threats and vulnerabilities are identified, prioritised and managed, it’s important to demonstrate to customers, third parties and internal stakeholders that their data is protected. This also helps to protect intellectual property and reduce the cost of downtime from data breaches, while offering a competitive advantage that can help maintain and win new business.
Avoiding the possibility of information being compromised cannot be left to chance and requires strategic planning, which is why organisations should configure a corporate data protection policy to set out how they protect personal information. It is a set of principles, rules and guidelines that informs how ongoing compliance with data protection laws will be achieved and how data is consumed, managed and stored.
One of the most effective ways to put a data protection strategy in place is via United Kingdom Accreditation Service (UKAS) certification to ISO 27001 – the international standard for information security management systems (ISMS). It is simply the most rigorous standard of its kind and covers cybersecurity, physical security and everything in between. Certification is tough to achieve and requires genuine and demonstrable commitment throughout all aspects of a company’s operation.
ISO 27001 certification provides a comprehensive framework that facilitates the continued accessibility, confidentiality and integrity of information, as well as legal compliance, continual improvement, and corrective and preventive action. It comprises a six-part planning process – define a security policy, define the scope of the ISMS, conduct a risk assessment, manage identified risks, select control objectives and controls to be implemented, and prepare a statement of applicability.
Those looking to procure security services need to ascertain how their prospective partner will protect their information. ISO 27001 certification serves as an excellent starting point in the selection process and, given the importance of robust information management, should be considered a prerequisite.
Not worth the risk
The loss of personal information can lead to operational downtime, reputational damage and financial penalties – any of which could harm business continuity and even put an organisation’s very existence in jeopardy. With this in mind, a rigorous, dynamic and continually evolving information security management strategy should be a vital element of any security services provider’s business model and approach to risk management.
Barry Spriggs, Data Protection Officer, and Darren Salmon, IT Director