High-street footwear retailer Office has had a data breach exposing the contact details and passwords of over one million customers. Reading the article and the undertaking that Office have signed makes it quite clear that the extent of the breach was not the result of some "elite" hacker (although that is always a risk), but of poor information security management.
I suspect that there is a plethora of organisations out there that do not have data life-cycle management policies or procedures in place that allow for effective risk management. It is not a difficult exercise; after all, this information is a company asset and should be treated as such. It is also a potential liability, and this is the part that is often ignored, leading to situations like this.
To reduce the risks of holding data, an organisation should:
- Have a coherent data management life-cycle detailing the requirements for classification, storage, backup, access, security, risk assessment, and disposal of the data
- Have a data retention register that details ownership, classification, lifespan, location, and destruction method
- Encrypt sensitive data
- Review processes and activities at least annually
- Keep appropriate records of these activities for audit and review purposes
- Appoint an owner of the life-cycle management so that it is properly overseen
Data life-cycle management is an essential part of protecting an organisation's assets and managing its risks.
Disclaimer: All images are copyright of the original publication and www.guardian.co.uk. Apsley Business School holds no responsibility for any claims nor information held on external sites.