As part of Keeping the UK Safe in Cyberspace, the UK Information Security Breaches Survey 2013 was published in April by the Department for Business, Innovation & Skills and the Shareholder Executive. Although there is an excellent website to review the survey’s findings, as an experiment in using Data Wrapper, I used this free and remarkably intuitive tool to visualise three elements of the survey:
- how high a priority information security is to industry sectors
- how aware employees within those sectors are of their company’s security policy
- what percentage of IT spend those sectors devote to information security
The results of the security-priority question illustrate what we’d expect: Health, Banking and Technology lead, and the share of IT budget spent on security isn’t a great surprise either. The level of staff understanding of their own security policy is a surprise, though: even in sectors where information security is critically important, staff at these organisations may lack clarity about their corporate information security policy.
Whose responsibility is it to resolve this? In regulated sectors such as health and pharmaceuticals, government and banking, there should be (and in some cases is) a collective responsibility to ensure clear communication to personnel, and a duty of care on the organisation to ensure the message is heard and understood. Data Protection law in many countries provides a regulatory framework for anyone retaining or storing data. Responsibility for legal compliance at an organisation falls to a Data Controller; in Ireland, the UK, Germany and Sweden the law is similar, and the data controller can be a legal entity or an individual. Data Protection law is well defined in most developed economies, but my concern is the awareness of staff within an organisation. As hacking and #Cybersecurity attacks begin to reach pandemic proportions, the UK’s Information Security Breaches survey highlights a lack of awareness within some sectors that is disturbing; this lack of awareness can cost industry money, jobs and confidence. Organisations seem to be aware of the importance of information security and IT spend in the area isn’t bad; awareness among staff appears to be the problem, and those who really should know better appear not to.
I admit I grew weary of the manual-handling and similar courses I was (legally) compelled to do as part of workplace compliance, but they’re there for a reason. Information security breaches will give you more than a pain in the lower back – it’s time we sharpened up as an information society. Everyone working in or with your organisation needs to know how to keep your information safe; if someone hasn’t hacked you, it won’t be long before they try.
External links & references
- Information security breaches survey 2013: technical report
- Information security breaches survey 2013: data download : 233kb : csv
- Guidance for small UK business on Cyber Security : Dept Business, Innovation & Skills
- British Government extends Innovation Vouchers to cover Cybersecurity : Redcert.com 24-4-2013
- Practical Law Company : guide to Global Data Protection Law