Companies should be doing more to protect themselves

Many organisations lack the necessary risk framework for dealing with potential lapses in data security, the AIRMIC conference heard today.

Recent outcries over the loss of 25m personal records by a government department and the theft of 40m customer credit card details from a retailer represent little more than the tip of the iceberg, Andrew Cornish of Lockton told a break-out session.

‘Many more losses have gone unreported, whilst large organisations are continually exposing themselves unnecessarily to the possibility of serious data breaches,’ he said.

‘It’s often because they focus on Internet security to the exclusion of other sources of risk such as laptops and disks. Human error is the main cause of data loss, though organised crime is a growing problem, especially when aimed at identity theft.’

The cost of a breach, in terms of compensation, loss of reputation and clients, and the amount of time and resources required to make good any data losses, could be enormous, he said.

‘As always, the solution is to develop a robust risk management framework, based on the identification, evaluation and analysis of risk, which then makes it practical to develop the necessary controls.’

The problems are compounded when functions are outsourced, he said. ‘In these circumstances it is important to consider your suppliers’ security arrangements and your contractual relationships with them.’

The good news for risk managers, said Cornish, is that more companies are willing to provide cover for this type of loss.

‘Insurers are looking to enter the market and a number of players are offering first and third party covers,’ he said. ‘The potential to buy meaningful, cost-effective protection is growing all the time.’