There is a need for the UK to implement a law to ensure that databases are properly managed.
According to Andrew Lawton, VP EMEA at Guardium, as the perimeter comes under attack there is a need to protect the 'crown jewels' (the data itself), but while such a law applies elsewhere in Europe, it does not in the UK.
Lawton said: “Why do we not have that organised control over data and that control over the database, the content and who accesses it? Banks do feel that, as they have our and their data and organisations should have a better level of control.
“In Europe they have to demonstrate control over privileged user access. Who enforces it? The ICO is talking about the T-Mobile incident but I am surprised that we are lagging behind the rest of Europe and the lack of control they have.”
Lawton claimed that the issue comes down to privileged user access and segregation of duties, keeping the management of the database separate from the monitoring of it; otherwise a privileged user can switch off the database's own record of who goes in, take the data and switch it back on, which he said was the pattern in the recent T-Mobile incident.
“Look at the T-Mobile example: they took the personal information, and it would have flagged the user and terminated the session; a flag goes up to look at the session and user,” said Lawton.
“Italy put a law in place about privileged users, where the database is managed in terms of who goes in. You can normally switch it off, take the data and turn it back on, but the Guardium tool is always on and sits outside of the database.”
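The failure mode Lawton describes (a privileged user disables the database's own logging, pulls the data, then re-enables it) is only visible to a monitor that does not depend on that logging. The following is an added illustration, not code from Guardium or from anyone quoted in this article: it compares what a database's own audit log recorded with what an independent, out-of-band capture (for example a network tap) saw, and flags every statement run inside an audit-off window that the database never recorded. The log lines, the user names and the MySQL-style `general_log` toggle statements are all constructed for the example; no real incident data is used.

```python
"""Audit-gap detection from an out-of-band capture (illustrative, constructed data)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample: what the database's own log recorded. Everything the
# privileged user did between the OFF and the ON is simply absent.
DB_AUDIT_LOG = [
    "2009-11-18T09:00:01 user=dba01 stmt=SET GLOBAL general_log = 'OFF'",
    "2009-11-18T09:07:42 user=dba01 stmt=SET GLOBAL general_log = 'ON'",
    "2009-11-18T09:08:10 user=app stmt=SELECT name FROM customers WHERE id = 42",
]

# Constructed sample: what an out-of-band tap captured on the wire in the
# same period. It does not care whether the database is logging.
TAP_LOG = [
    "2009-11-18T09:00:01 user=dba01 stmt=SET GLOBAL general_log = 'OFF'",
    "2009-11-18T09:02:15 user=dba01 stmt=SELECT name, phone, contract_end FROM customers",
    "2009-11-18T09:05:30 user=dba01 stmt=SELECT * INTO OUTFILE '/tmp/c.csv' FROM customers",
    "2009-11-18T09:07:42 user=dba01 stmt=SET GLOBAL general_log = 'ON'",
    "2009-11-18T09:08:10 user=app stmt=SELECT name FROM customers WHERE id = 42",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) stmt=(?P<stmt>.*)$")
# Statements that switch the database's own logging off/on. The MySQL general
# log is used here as the assumed example; Oracle NOAUDIT/AUDIT or SQL Server
# audit specifications would get their own patterns.
AUDIT_OFF_RE = re.compile(r"general_log\s*=\s*'?OFF'?", re.IGNORECASE)
AUDIT_ON_RE = re.compile(r"general_log\s*=\s*'?ON'?", re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    stmt: str


def parse(lines: List[str]) -> List[Event]:
    """Parse the constructed 'ts user= stmt=' line format, skipping malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), m["user"], m["stmt"].strip()))
    return sorted(events, key=lambda e: e.ts)


def audit_off_windows(events: List[Event]) -> List[Tuple[datetime, Optional[datetime], str]]:
    """Spans (start, end, who) during which database logging was switched off.
    An OFF with no matching ON is still open, so end is None."""
    windows = []
    start, who = None, None
    for e in events:
        if AUDIT_OFF_RE.search(e.stmt) and start is None:
            start, who = e.ts, e.user
        elif AUDIT_ON_RE.search(e.stmt) and start is not None:
            windows.append((start, e.ts, who))
            start = None
    if start is not None:
        windows.append((start, None, who))
    return windows


def unlogged_activity(tap_lines: List[str], db_audit_lines: List[str]) -> List[dict]:
    """Statements the tap saw inside an audit-off window that the database's own
    log never recorded. Each alert also says whether the same account both
    disabled logging and ran the statement: the segregation-of-duties failure."""
    tap = parse(tap_lines)
    logged = {(e.ts, e.user, e.stmt) for e in parse(db_audit_lines)}
    alerts = []
    for start, end, who in audit_off_windows(tap):  # windows come from the tap, not the DB
        for e in tap:
            in_window = e.ts > start and (end is None or e.ts < end)
            if in_window and (e.ts, e.user, e.stmt) not in logged:
                alerts.append({
                    "ts": e.ts.isoformat(),
                    "user": e.user,
                    "stmt": e.stmt,
                    "audit_disabled_by": who,
                    "same_actor": e.user == who,
                })
    return alerts


if __name__ == "__main__":
    for a in unlogged_activity(TAP_LOG, DB_AUDIT_LOG):
        print(a)
```

The key design point is that the audit-off windows are computed from the out-of-band capture, never from the database log, because a database whose logging has been switched off cannot be trusted to report that fact. Running it on the constructed data above yields two alerts, both for the same account that disabled logging; in a real deployment those would be the events to terminate the session on and hand to an investigator, while the `app` query after logging was restored raises nothing.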
Commenting, Bridget Treacy, partner at Hunton & Williams, said: “In my view having a law does not prevent such incidents. There are many cases where the breach incident has been at the hands of a third party.
“Just last week, an undertaking was issued by the Information Commissioner against an organisation whose vendor had allowed data to be compromised (using the data for training purposes). Having a third party specialist vendor may assist but the company must still ensure that appropriate safeguards are taken. Vendors have rogue employees too.”