Newspaper headlines remind businesses daily of the cost of not protecting valuable data. Stories of laptops left on trains or stolen from parked cars, of discs and memory sticks being used for home working, or even of print-outs found on rubbish tips, are enough to keep most IT managers awake at night.
In the current economic climate, few organizations can afford to suffer losses through a lack of information security, whether those losses are financial, bad publicity, loss of trust, or the havoc caused by disruption to the business's operations. In addition to the usual software safeguards for data, managers are required to consider and plan for the human interface with their data, and to develop policies and procedures that ensure secure handling. Information about customers, suppliers, staff and operations needs to be held, accessed and managed, but it also needs to be handled securely.
Last year, company managers, employees and customers were tried in UK courts for £300m worth of fraud, three times more than in 2007, according to KPMG. And now, accountancy trade publication Accountancy Age reports, “finance directors need to ensure their internal controls and risk management systems are robust as experts predict the level of corporate fraud will escalate as the economy worsens.”
While traditionally a company's "strategic assets" were defined as the people and equipment used to generate revenue, many experts now believe that a company's data deserves the same label. Such data are generally valued in terms of how much they would cost to replace. In the same way that a responsible manager would require authorization and controls before letting an employee walk out of the office with a valuable piece of hardware, the same consideration needs to be set up for company-held information, too.
For any business storing confidential customer records, the international information security standard ISO/IEC 27001 is becoming a "must-have". ISO/IEC 27001 sets out an information security management system that identifies, manages and minimises a range of threats to business information. It provides guidelines for implementing a constructive risk management process, setting up policies, and ensuring a secure infrastructure is in place. As well as providing preventative measures to protect your clients' confidential data, achieving the standard demonstrates to customers and prospects that you are observing a duty of care.
Holding the standard highlights the value you have placed on the data, and shows that a management system is in place to provide a framework for legal compliance, preserve data integrity, and ensure staff are aware of their individual responsibilities. Continuous improvement is built in. Because certification is externally audited, it demonstrates to customers that your management systems are robust, that you have processes for managing your resources effectively, and that you are committed to customer satisfaction.
In this age of information, effective information security management systems are vital. Ignoring the responsibility to preserve and protect customer data is foolhardy. Applying the principles of ISO standards (Plan, Do, Check, Act) and implementing ISO/IEC 27001 will give managers that essential peace of mind.