New legislation on information security places security professionals in the line of fire if their staff are unaware of security policies. According to Stewart Room, partner at law firm Field Fisher Waterhouse who spoke at the ICS Secure London seminar this month, security professionals should be ready for the next wave of laws which will take effect in April 2010.
Since HMRC lost the personal details of 25 million people in 2009, information security has become a mainstream hot potato, but in the information security sector, the change has been coming for a long time.
In April, the Coroners and Justice Act 2009 will come into effect, giving the Information Commissioner’s Office powers over every organisation in the country when it comes to data security. This means that organisations that lose data or treat it irresponsibly could face fines of up to £500,000.
It is not just the power that the ICO has that is changing, however; it is the emphasis on responsibility. Under the new laws, organisations facing security audits need to provide comprehensive security policies and governance processes as a defence. Security professionals who fail to do so will find themselves in the line of fire.
As well as this, a unified data security policy will tackle worker adequacy as well as contract initiation, project initiation, and third-party assurance. So, failing to provide adequate training to employees, to clear them properly for security purposes, or to hire staff with the right skill set to handle security issues, will also place security managers in very compromising positions in this coming financial year. Where staff have received adequate training and are shown to have the appropriate skills and capabilities, a security breach will be treated as far more serious too.
Chris McIntosh, CEO of hardware encryption specialists Stonewood, told CIO.co.uk: "Given the potential damage in terms of reputation and finances a data loss or breach could cause, businesses must realise just how serious the need to protect data is.
"Considering it only costs around £200 to encrypt a hard drive and the cost of a breach can now be anything up to half a million pounds in fines alone, it really is in everyone's interest to protect the data that they hold."