ICO group manager of technology, Simon Rice, made the comment in a blog post, addressing businesses' lack of knowledge about security.
"Using appropriate encryption can be a simple and effective means to protect personal data in these circumstances, and one which we advise all organisations to take if the loss of the data could cause damage and distress to the individuals affected. However evidence shows that data controllers are still not addressing the problem," he wrote.
Rice added that the problem is largely down to education, with many firms thinking simple password protection is appropriate.
"A common misconception is that just requiring users to log in to a device or service with a username and password provides an equivalent level of protection to encryption. This isn't the case," he wrote.
"A password or PIN to control access to a device isn't encryption and it isn't enough to protect against unauthorised or unlawful access. In practice a password can be easily circumvented and full access to the data can be achieved."
Rice said there are a variety of encryption tools available offering a variety of security defences, and businesses handling sensitive data should consult an expert to decide what form of encryption is appropriate.
"The option that will be the most appropriate for your organisation will depend on the sensitivity of the information you are using and how it is being stored and processed," he wrote.
"For this reason it is difficult to provide a comprehensive list of software as everyone's needs are different. You can, however, look out for internationally recognised standards such as those described on the encryption section of our website."
He added that when encrypting data, businesses must also consider how to safely store the encryption key. "You wouldn't install high-end locks on your house, only to leave the front door key under the mat. The same applies for storing a laptop encryption key or password in the same bag as an unencrypted laptop, or equally, sending encrypted data as an email attachment with the means to decrypt it included in the body of the email," he wrote.
Rounding up, Rice said adding more robust encryption services will be of long-term financial benefit to UK industry.
"The time and cost of proper encryption is put into sharp perspective by a quick glance over the penalties issued in three recent cases where encryption wasn't used (£700,000 in total). The price of getting it wrong could therefore extend well beyond upsetting people," he wrote.
The wider security community has welcomed Rice’s call for better security. Senior architect at FireEye, Jason Steer, told V3 the ICO statement is a good start, but added firms will need other security services to deal with the cyber threat facing them.
"The advice from the ICO is spot on in terms of encryption. However, in reality, some of these steps are difficult to implement as the onus is being put on the end user, and we cannot always rely on the end user to remember to implement all security measures when their main focus is trying to get their job done,” he said.
“Whilst implementing these security measures, organisations also need to add additional controls to their networks to ensure that if a user forgets about security there are controls in place within the system to ensure the organisation and its information and users remain still secure.”
ISACA Security Advisory Group (SAG) chair, Amar Singh mirrored Steer’s comments adding the blog does not address key problem areas like education.
“The article makes the right type of noise but misses a few critical points,” he said. “Even for most techies, encryption remains a dark science that only the academically inclined pursue. Vendors could work together to put a common encryption awareness/education session to educate the masses on what types of encryption are out there.”
The cost of cybercrime has been a growing problem facing businesses of all sizes. Most recently the Federation of Small Businesses (FSB) estimated that cybercrime costs small businesses £800m a year.
No comments:
Post a Comment