Brian Spector, the general manager for content protection group Workshare, talks about the company's new Global Security Threat Report...

Data breaches, identity fraud, theft of intellectual property – to hear of these is now commonplace in the media and in conversations between organisations worldwide. Yet firms in every sector are continuing to breach security and to allow their most sensitive and confidential information to be exposed to accidental or malicious damage. Law firms in particular need to protect a wealth of sensitive data – from confidential case files and information on clients, to corporate data and intellectual property.

Our Workshare Global Security Threat Report takes into account the key events and industry news within the areas of privacy, intellectual property, mobile working and corporate compliance. These stories and developments corroborate an emerging trend in the sphere of information security – that businesses and organisations tend to fall into two camps when it comes to data protection. On one side of the fence, many still have a worryingly archaic approach to security. Businesses are still allowing employees to leave laptops containing unencrypted and unprotected information in cars. Banks are throwing away confidential customer data in bins. Employees still think that PDFs are a secure file format. Solicitors can inadvertently send out emails containing information about clients. These firms need to break the mould and educate employees about the risks involved with the information they are handling. They should deploy simple security solutions which will make sure that all data within the business is safe and not at risk of being leaked. Businesses are becoming increasingly ‘perimeterless’. Organisations need to safeguard information within the whole network and at every end point before they suffer an embarrassing and damaging breach.

The other group contains companies who have noted the wave of security breaches and are taking action by writing stringent security policies to protect their data. Unfortunately, as our Global Security Threat Report shows, these policies are still being breached and reputations are still being tarnished. Essentially, policies are not worth the paper they’re printed on unless properly enforced. Organisations need to look at ways to better enforce policy if they want to avoid hefty fines, serious damage to reputation and the loss of clients, who are more willing than ever to vote with their feet.

Examining the Workshare report in a little more depth, what is the current status within each of the four areas defined as crucial in the information security sector?

Privacy
Privacy is still a hotly debated area; security breaches which hit the headlines last quarter are now being fully quantified. In the well-publicised breach suffered by global retailer TJX, losses – which were originally estimated to be around the $25 million mark – have been calculated to have spiralled to $256 million in just three months. The costs include fixing the company's computer system and dealing with lawsuits, investigations, and other claims stemming from the breach, which went on for more than a year before the company discovered the problem in December 2006. Other companies affected by privacy breaches, such as Fidelity National Information Services (FIS), have also seen the advent of serious lawsuits which could cost millions to settle. In developments to watch, Google is planning to further personalise its service by collecting and storing more information than ever on its online user base. The information will be held in Google's vast network of massive server farms. Concerns have already been raised by the Information Commissioner's Office (ICO) and legal experts regarding data protection and information leaks.

Intellectual Property
Intellectual Property is arguably one of the worst kinds of data a company can lose. As the data protection market matures, individuals and businesses are facing increasing amounts of litigation for breaches suffered in this area. In addition, recent surveys have shown that many employees are happy to take Intellectual Property with them when they leave a firm, and that IT systems are not viewed as obstacles to taking this data. One of the worst IP cases in Europe this year was suffered by a huge German manufacturing company in July, when it discovered that a competitor had copied one of its products. A foreman had sent detailed information about a component to an external design department without telling his IT department or encrypting this information, thus allowing the competitor to get hold of it. In today’s highly competitive environment, companies should keep a close eye on how their Intellectual Property is being edited, distributed and archived.

Mobile workforce
Businesses and organisations in every sector continue to neglect the end-point when it comes to data security. Accidental loss of laptops and mobile devices cannot be stopped, but companies can encrypt and protect information to limit damage. In addition, when data is lost there is now a need to display ‘data breach best practice’. Recently, HMRC was applauded for coming clean, apologising and assuring customers that it had efficient security measures in place, as soon as a laptop theft came to light in September. Conversely, pharmaceutical giant Pfizer was criticised for suffering its third data breach in as many months, putting personal information relating to both current and former employees at risk. The three thefts meant that personal information relating to tens of thousands of people was stolen, following the theft of laptops from a car in Boston, and leaked emails. Although the stolen laptops were password-protected, the information included employee names and Social Security numbers. It is rumoured that the third breach involved information being leaked by an ‘insider’.

Corporate compliance
The area of corporate compliance is perhaps of most interest to legal firms, as the regulatory climate continues to change apace. Worldwide, North America still leads the way in data breach legislation. It has been estimated that more than 160 data breaches have been suffered in the US in the last two years. As a result, laws have been passed in 35 states forcing private and public sector organisations to notify their customers if their personal information is lost or compromised. Now, a variety of organisations including the Cyber Security Industry Alliance are pushing for a national standard for data breach notification. It is hoped that such legislation would provide better protection for consumers, and ensure consistency in the law. In the UK, a variety of experts including members of the House of Lords, the media and the ICO have called for a review of current laws relating to data breaches and information loss. The government is being pressured to ensure that businesses improve notification of data breaches and are held accountable for putting at risk any sensitive data they hold.

Increasing amounts of legislation mean that individuals and businesses will find themselves at the centre of lengthy and expensive lawsuits if breaches are not controlled. Customers are increasingly threatening to boycott companies which do not take adequate care of information held on them. This Threat Report proves the potential reach and cost of damage caused by data breaches and shows that organisations of all kinds need to take action before they really get hurt.

For a copy of the full Workshare report please visit www.workshare.com/go2/threat1