Thursday 24th April 2008

Security training needed to balance IT controls urges FSA


The Financial Services Authority (FSA) is urging firms to change their attitude to data security and do more to help prevent their customers falling victim to identity fraud and other types of financial crime. The warning follows an FSA review of systems and controls for data security at 39 firms including banks, building societies, insurance companies and financial advisers.

The price for not following good practice was made clear in February 2007, when the FSA used its 'teeth' to fine Nationwide £980,000 for information security lapses, and again in December 2007, when Norwich Union was fined £1.26m for exposing its customers to the risk of fraud.

Although large and medium-sized firms do transfer data to and from third parties using secure internet links, there are times when unencrypted customer data is transferred on CDs or mainframe cartridges, and sometimes sent by unregistered post.

The FSA said it supports the Information Commissioner's position that "it is not appropriate for customer data to be taken offsite on laptops or other portable devices which are not encrypted". Yet senior management at firms still fail to recognise the value of this customer data to fraudsters.

The findings showed:
    * Many firms are not proactively checking that third party suppliers vet their employees or have adequate security arrangements in place to prevent unnecessary access to customer data;
    * Many large and medium-sized firms devote adequate resources to data security risk but place too much emphasis on IT controls and not enough on staff awareness and training or regular risk assessments;
    * Many small firms were wholly reliant on compliance consultants, who did not understand the importance of data security within the firm.

Examples of good practice found at the firms visited included:
    * Encrypting laptops and transferring data via secure internet links to third parties;
    * Masking financial details where they are not necessary for staff to do their jobs;
    * Appointing a senior manager with overall responsibility for data security.

Source & report: http://www.fsa.gov.uk/pages/Library/Communication/PR/2008/034.shtml
