Tougher data breach code raises security awareness

26 Jul 2011

Firmer data breach guidelines and the prospect of heavier fines for compromising private records are raising awareness of the need to safeguard confidential information. That’s the view of John Ryan, CEO of security consultancy Zinopy.

Zinopy was formed last year by Ryan, who has worked in the Irish information security sector since the early Nineties. He said Irish organisations are taking greater interest in protecting themselves from the risk of data breach.

Whereas before, awareness of the issue was mostly confined to employees tasked with data protection roles, Ryan said in some cases directors are now taking a closer look at the problem.
“A lot of people are talking about data breaches – not admitting they’ve had one, but becoming more conscious of it before it happens. The Data Protection Commissioner’s new guidelines around mandatory disclosure for when more than 100 records are lost is one reason, and the other driver is that the DPC’s powers have increased and the maximum fine is now €250,000,” Ryan told

The DPC’s own annual report, which was released in May, came to a similar conclusion. There was a “dramatic increase” in data security breach incidents during 2010, the report found: 410 cases reported by 123 organisations, up from 119 reports from 86 organisations in 2009. The report said the rise was due to more exacting demands in its code of practice rather than a rise in the absolute number of breaches.

Managing sensitive information

Organisations often struggle with knowing exactly where their sensitive data may be located around an organisation. Earlier this year, Zinopy began providing a risk audit service at customer sites to determine where all instances of confidential information are found on their respective networks.

Although Ryan said it is too early to gauge definite trends, an example would be where a HR department’s system appears to be locked down and secure, but the finance department might cut and paste salary information into a separate file in order to calculate staff costs for the year ahead. In some cases, that information might be sent to a webmail account for when the person is working from home, so that in reality the data is in multiple locations.

Organisations are often wary of these kinds of audits, fearing the work involved in classifying data, but Ryan said there are tools which automate much of the process.

Senior managers have an additional reason to start taking more of an interest in security: they want to use their preferred devices, such as smartphones and tablets, and this is trend is beginning to drive increased use of wireless networks.

The risk, said Ryan, is that the networks are open and security is treated as an afterthought. “When requests are coming from senior management, it’s much tougher for an information security officer to keep saying ‘no’,” he said.

Rather than seeing security as an obstacle to be avoided, Ryan advised organisations to see it as an enabler. “In the past, it was the insurance policy, where it was a case of ‘we’ve got to do this’. But if you put your security infrastructure in place, it allows you to be more flexible with the business, particularly from a mobility and communications perspective.”

Photo: John Ryan, CEO of Zinopy

Gordon Smith was a contributor to Silicon Republic