Companies are failing to report data security breaches to their clients.
According to a security survey by Logica, 60 per cent of respondents had experienced a data breach and did not tell their clients. Half of the respondents had failed to tell the police or authorities.
Conducted over the last two months, the survey found that more than half (57 per cent) of those surveyed have ‘no idea’ or understanding of the impact of a security breach on their business or organisation. Just 16 per cent of firms have a ‘Value at Risk’ profile for the information assets they own or control, while half of respondents believe that security is solely an IT departmental issue.
Only 30 per cent educate staff in IT security and information handling procedures on a regular basis, with less than a third employing a specific security incident response team. The survey also revealed that while 63 per cent of those surveyed hold personal data subject to EU data handling regulations, only a quarter comply with ISO27001/2, meaning that companies are not adhering to security procedures when storing personal data.
Tim Best, director Enterprise Security Solutions at Logica, said: “With some organisations failing to disclose security breaches, this complacent attitude not only increases the likelihood of financial and reputational consequences but also highlights the inadequate security policies and protocols that UK organisations have in place.
“It is time to take action – it should be mandatory for all organisations to report significant breaches of confidential personal information to the Information Commissioner or their regulatory body. Only through mandatory reporting will the scale of the problem be understood, which will lead to the correct solutions being applied.
“Security should not be the sole responsibility of the IT department; it is a boardroom issue and the focus must be to protect the trust that clients have in an organisation. If you have experienced a security breach, it is essential to conduct a risk assessment to understand the issue and avoid a reoccurrence.
“All organisations must put in place mandatory services and policies which enable compliance with legal requirements and establish coherent, comprehensive and cost effective security controls and policies throughout the organisation.
“It is clear from this survey that IT and security training remains a fundamental issue, with 70 per cent of those surveyed not training staff in IT security and information handling procedures. As employers now look to adopt flexible working initiatives, they must invest in a comprehensive security awareness policy to mitigate against potential information breaches.”