Better incentives required to stop data loss

Data losses are still a regular occurrence, and IT managers often have no idea about the scale of the breach, or whether it is accidental or intentional.

Lord Errol, one of the panellists, believes that this issue is compounded by recent job cuts across all businesses, which can add to what he calls the " fraud triangle" of pressure, opportunity and rationality.

He added that the punishments for data losses, both to individuals and organisations, are simply not strong enough, and that the current structure provides no real incentive for the effective prevention of data loss.

Lord Errol admitted that he was not sure of the best form of punishment, be it imprisonment, community service or higher fines, but stressed that the current low conviction rates and small fines are not much of a deterrent for cyber criminals or businesses.

Julia Harris, head of information security at BBC Future Media & Technology, agreed with Lord Errol's comments, adding that even the best policies will often be broken when an employee is under pressure to deliver. She added that it is imperative to make sure that best practices and policies are robust, effective and easy to follow, otherwise they will simply be ignored.

"Don't trust internal networks any more than the internet," Harris said. "In these days of huge global networks, remote working and increased interactivity, it is imperative to move controls closer to the data."

She concluded that IT security is often perceived as a necessary evil, and that the current economic crisis means that budgets are under increasing pressure. So it is important to get the backing of senior management to make sure that data security is not neglected or discarded.

Dan Blum, senior vice president and principal analyst at Burton Group, pushed for the development of more uniform cyber security laws, the implementation of proper privacy checks and balances, and more co-ordinated enforcement and response.

"We need to take a more tactical approach to protecting our data," he said. "For instance, encryption is great but trying to encrypt every bit of data in the entire business is like trying to boil the ocean, or at least a very large lake."

Incidents over the past 12 months have shown that human error has a major part to play when it comes to sensitive information being lost.

It is often the most junior member of staff who is given the "boring" job of back up, but this should no longer be the case given the strategic importance of sensitive data to the majority of businesses.

The panellists' comments were echoed by Alastair Molyneux, business development manager at data protection firm Kroll Ontrack.

"Companies often find it impossible to quantify the value of data within the organisation, and as such they need proper procedures for safeguarding information that are both robust and reliable. While cutbacks may have to be made, this should never result in exposure to unnecessary risk," he said.

"Ultimately, data protection policies should be uniform across an entire business, independent of the individual who is given the responsibility. This is the only way to ensure the best possible defence."