Research has just been released showing that UK consumers are increasingly concerned about the security of their personal data, following the high profile cyber attacks that have dominated media headlines throughout 2011.
In a poll of 2,000 consumers, conducted by OnePoll, 80 percent of respondents stated that they have reservations about trusting organisations to keep their data safe from hackers. In a comparable survey less than a year earlier, only 63 percent were concerned about this issue, so the figure has risen by 17 percentage points in under a year.
The UK public is now also prepared to take more drastic action against organisations that lose data than they were in 2010. While last year 17 percent of respondents were adamant they would never have anything to do with organisations which had lost data as a result of cyber crime, in 2011 this figure rose to 26 percent.
A further 61 percent of this year’s respondents stated they would try to avoid interacting with these organisations if at all possible. Just 13 percent stated their attitude to a brand would be unaffected by a data loss incident.
In a year that has seen an unprecedented number of high profile data breaches it is hardly surprising to see public opinion shift in this way. Organisations need to look at these findings and realise that unless data security is improved they will lose customers and the bottom line will be affected.
November will see the European Commission publish the new version of its Data Protection Directive following a consultation that wrapped up in September 2011. This will include recommendations regarding a mandatory data breach disclosure law covering public and private sector organisations. As a result it will be much easier for the public to identify, and boycott, those organisations that are being irresponsible when it comes to data protection.
Respondents showed particular enthusiasm for legislation forcing organisations to publish information about incidents in which individuals' data is put at risk. 72 percent thought that all breaches should be publicised, while 11 percent were of the opinion that only breaches above a pre-determined size should be made public.
When asked more specifically about the process involved, 69 percent wanted to be notified immediately, 19 percent were happy for an investigation to take place before affected customers were notified, while 10 percent thought that notification should depend on whether the information is of a sensitive nature, an individual's bank details for example.
The high proportion of respondents in favour of universal and instant notification says a lot about the lack of trust in organisations' ability to defend against cyber attacks. When asked whether organisations are doing enough to secure customer data, 81 percent did not believe this was the case and felt that more needed to be done.
The public also seem to be largely unaware of the work of the Information Commissioner’s Office (ICO). 64 percent of those questioned had not even heard of the ICO. Of those that knew of the ICO, only 33 percent thought it was doing a good job.
Last year I warned that organisations would need to develop a better understanding of their IT systems in order to reduce data loss and regain public trust. The intervening period has seen a rash of high profile cyber crime incidents undermine this trust even further.
It is essential that organisations make better use of the log data generated by their networks so that potential threats can be identified at an early stage, before they have a chance to escalate. Using technologies such as log management and Security Information and Event Management (SIEM) as part of an integrated Protective Monitoring strategy enables automated, centralised collection and analysis of log data, so that anomalies are identified as they occur.
Developing this deep insight requires the ability to see even minor changes across the IT estate, such as files being altered or copied to portable storage devices. As threats increase in volume and sophistication, being able to identify and respond in real time is the only sure way to protect an organisation against the significant consequences of a data breach.
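As an added illustration of the kind of correlation a Protective Monitoring pipeline performs (this is example code written for this page, not from any SIEM product or from the article's author), the function below reads constructed file-activity log lines in an assumed `timestamp|host|user|event|detail` format and raises an alert when a file is copied onto a removable device that was mounted on the same host shortly before, noting whether the file had also just been modified.

```python
"""Correlate file-change and removable-media events from centralised logs."""
from datetime import datetime, timedelta

# Constructed sample log lines for illustration only; the format and the
# event names (FILE_MODIFIED, USB_MOUNTED, FILE_COPIED) are assumptions.
SAMPLE_LOG = """\
2011-10-03T09:12:04|ws-17|alice|FILE_MODIFIED|/finance/q3_forecast.xlsx
2011-10-03T09:13:40|ws-17|alice|USB_MOUNTED|E:
2011-10-03T09:14:02|ws-17|alice|FILE_COPIED|/finance/q3_forecast.xlsx -> E:/q3.xlsx
2011-10-03T09:30:00|ws-22|bob|FILE_MODIFIED|/hr/notes.txt
2011-10-03T11:45:10|ws-22|bob|FILE_COPIED|/hr/notes.txt -> /share/archive/notes.txt
"""


def parse(line):
    """Split one pipe-delimited log line into a record dict."""
    ts, host, user, event, detail = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "event": event, "detail": detail}


def removable_copy_alerts(log_text, window=timedelta(minutes=10)):
    """Return one alert per file copied to a removable drive mounted on the
    same host within `window`; each alert also records whether the source
    file was modified on that host within the same window."""
    mounts = {}     # (host, drive) -> time the drive was mounted
    modified = {}   # (host, path)  -> last modification time
    alerts = []
    for rec in (parse(l) for l in log_text.splitlines() if l):
        key = (rec["host"], rec["detail"])
        if rec["event"] == "USB_MOUNTED":
            mounts[key] = rec["ts"]
        elif rec["event"] == "FILE_MODIFIED":
            modified[key] = rec["ts"]
        elif rec["event"] == "FILE_COPIED":
            src, dst = (p.strip() for p in rec["detail"].split("->", 1))
            drive = dst.split("/", 1)[0]          # 'E:' from 'E:/q3.xlsx'
            mounted = mounts.get((rec["host"], drive))
            if mounted is not None and timedelta(0) <= rec["ts"] - mounted <= window:
                changed = modified.get((rec["host"], src))
                alerts.append({
                    "host": rec["host"], "user": rec["user"], "src": src, "dst": dst,
                    "recently_modified": changed is not None
                    and timedelta(0) <= rec["ts"] - changed <= window,
                })
    return alerts
```

Copies to an ordinary network share, such as bob's, produce no alert because no removable mount precedes them on that host.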