The Information Commissioner's Office has just released a summary of the trends over the last quarter for 2015/16. Highlights from the report included:
- Health sector accounting for the most security breach incidents - partly due to the NHS policy of reporting all breaches. The ICO will be conducting audits in this sector in 2016/17;
- Local Government was the next highest in terms of breaches - increasing 34% from the previous quarter. This is possibly due to the large volumes of sensitive data handled within these organisations;
- Finance and insurance saw a dramatic decrease in breaches reported. Breaches in these sectors can clearly lead to a significant impact on the reputation of the entity in question and give rise to further disciplinary action via the Financial Conduct Authority. Consequently reductions may reflect better security measures being applied to minimise reputational damage; and
- Breaches in the legal sector have increased in the last quarter by 32% with 6% of all breaches reported to the ICO coming from this sector.
The type of incidents reported still emphasise that human error remains the main culprit. Across all sectors loss of and theft of paperwork or data being posted, faxed or emailed in error were at the top of the charts. These types of incidents can be minimise by adopting some simple practices outlined in the ICOs security tips sections on its website and/or having your policies and practices audited regularly by legal compliance specialists.
Some key tips for maintaining security include:
- Installing firewalls/virus checking;
- Enabling auto updates for your systems and updating patches;
- Encrypting personal data that, if lost, could cause damage/distress and assess need for email encryption;
- Purging old or obsolete personal data and expunge from systems;
- Checking email addresses carefully especially where auto- complete is enabled;
- Carefully auditing and keeping updated Group email lists;
- Checking and adopting appropriate measures where sensitive materials are being sent by email;
- Shredding confidential waste;
- Checking and auditing physical security measures at your premises;
- Auditing third party providers carefully and assessing their data security compliance and including appropriate measures in any contracts with service providers/data recipients with regard to their use/processing of your data;
- Adopting a regular, auditable and appropriate training protocol with your staff on data security;
- Considering and applying spyware and other counter intrusion technology - some businesses are now employing technology to track intrusion as well as prevention systems - acknowledging that systems will be hacked. Identifying and minimising disruption therefore may be a better form of defence; and
- Making data and data security a board level consideration.
If you need any assistance with any of these aspects or on how the introduction of the General Data Protection Regulations may affect your organisation please do contact us.