Tough penalties await for failure to educate home workers in data security

Local authorities, private companies and public bodies which allow staff to work from home could face crippling financial penalties if they ignore data protection, warn leading information security experts.

By Paul Watson

Thousands of people looking to save money on the commute to the office by working from home are risking financial disaster for their employers, claim security professionals.

New legislation due to come into force later this year will result in public and private organisations facing massive fines based on a percentage of turnover if they breach the Data Protection Act. The size of the punishment is intended to mirror the penalties of the Financial Services Authority, which has the power to impose fines of over £1 million.

Cybercrime is estimated to cost UK business more than £8.5 billion a year, and a lack of security awareness among an estimated 5 million home-workers in the UK is fuelling the boom in fraud.

A recent CBI survey found almost half (46 per cent) of all employers now offered staff the chance to work from home, a dramatic increase from just 14 per cent two years ago. However, while allowing staff the chance to cut their carbon footprints or avoid a troublesome commute, many bosses are putting their businesses at risk.

“Companies who allow staff to work from home could be considered reckless if they don’t have proper policies in place to ensure data is secure, accessible only by authorised users and encrypted where necessary,” said Sarah Dougan, Managing Director of E-Security Exchange.

“Most people who work from home use their own equipment and if the rest of the family have access to it there may be an argument that the data is no longer secure.

“Standard IT procedures are more likely to be ignored as home workers and members of their family are prone to surf the net and download virus-infected programmes. This is an attractive target for online criminals who have already been active on social networking sites and virtual communities. All it takes is for a teenager to use the computer and download an infected programme from a site that has been compromised for crooks to access sensitive data used by a parent for work.

“When personal information and financial details are worth so much on the black market, the chances of an organisation falling victim to crime are getting higher every day. Too many companies remain complacent about the threat of online crime and information security,” said Ms Dougan.

According to broadband research firm Point Topic, around 4.3 million households in Britain – 18 per cent of all homes in the country – contain someone working from home. However, a recent study found 80% of Britons fail to implement any computer security precautions when working from home, making them easy targets for hackers.

“People buy a computer and get six months free anti-virus software and then don’t bother to renew it. It’s a scary statistic but realistic,” said Dr Guy Bunker, Chief Scientist with security software specialist Symantec.

“Wireless is a major problem. A lot of it is still not secured in the home and that is certainly a way for criminals to get into the corporate network through the home network.”

Recent research by Price Waterhouse Coopers for the Government stated that each year up to 96 per cent of large companies, with more than 500 staff, experience some form of security breach. However, it’s estimated that less than 50 per cent of organisations provide home workers with e-mail encryption software or use any form of biometric authentication.

Very few companies ever bother to inspect the remote work-stations of staff, monitor data access or insist that employees out of the office only have access to information essential to do their jobs.

“We still find people employed by companies who haven’t got around to putting firewalls on their computers,” said Stuart Hadley, a spokesman for the Serious Organised Crime Agency (SOCA).

“Companies have to be on their toes, particularly ones that start off very small with adequate security but then grow. They must ensure their security grows with them or risk falling foul of the law.”

Standard IT procedures are more likely to be ignored as home workers are more prone to surfing the net and downloading virus-infected programmes.

The UK Information Commissioner can now impose hefty fines on those who intentionally or recklessly disclose information contained in personal data to another person; repeatedly and negligently allow information contained in personal data to be disclosed; and whose deliberate or reckless actions result in breaches of the Data Protection Act.

According to the Information Commissioner’s Office, the change in the law is intended to make clear to businesses and organisations that data protection is a top priority and that any hint of a cavalier attitude to the handling of people’s personal information will be treated seriously.

“This new power will enable some of the worst breaches of the Data Protection Act to be punished,” said David Smith, Deputy Information Commissioner.

“By demonstrating that the law is being taken seriously, tougher sanctions will help reassure individuals that data protection matters and give them confidence that organisations have no choice but to handle personal information properly.”