Well, January is nearly over and it’s time to look at all the research that’s been produced over the past year to try and draw meaningful and usable statistics...
I do this very selfishly before starting in anger on the conference circuit, as I like to have up-to-date figures and stats in my presentations (and let’s face it, we all love numbers! :-))
Today, I focus on the research produced by the UK Information Commissioner's Office (ICO) in the following two reports: Report on Information Commissioner's Office Annual Track 2011 - Individuals and Report on Information Commissioner's Office Annual Track 2011 - Organisations.
Since the revised Data Protection Act came into force in 1998, the ICO has monitored awareness and understanding of this legislation amongst individuals and organisations in both the public and private sector. The studies were conducted amongst approximately 2,500 individuals and 400 public and 400 private sector organisations, with an even split between small and large businesses.
Security as a social concern, what the numbers say...
- Individuals are mostly concerned about the passing or selling of their personal details to other organisations (97%), with security of their personal information coming second at 96%;
- 93% of individuals believe that organisations request too much personal information (remember, if you don’t need it, don’t ask for it, and certainly don’t keep it!);
- 83% of individuals believe that organisations keep their information for too long (when’s the last time you looked at that retention policy?...);
- 74% of individuals believe that online companies do not collect and keep their personal details securely, and 81% are concerned about organisations collecting and keeping their details online (if you do one thing today, give your web developers the OWASP Top Ten, it’s FREE!);
- 66% of individuals believe existing laws and practices do not provide sufficient protection for their personal information (well, EU breach disclosure laws coming soon...).
It was also interesting to note that individuals mostly rely on the media (41%) and their workplace (21%) for awareness of data protection issues (how is your training programme shaping up?).
Another interesting snippet is that individuals mostly rely on their Citizens Advice Bureau for advice on information protection and the DPA (60%), with the internet and a solicitor in joint second place at about 19%, and very few were aware of the ICO.
So for all you marketing people out there, look at the figures, they are compelling: people think security is important, use it! Also, go and find out where your customers go for advice, it may surprise you...
Security as a corporate concern, is it any better now?...
Well, rather than pondering at length, I think the table below speaks for itself:
Question asked: "What obligations are you aware of that organisations have to comply with when processing personal information?" (unprompted answers)

| Obligation (unprompted) | Public sector: Large | Public sector: Small | Public sector: Total | Private sector: Large | Private sector: Small | Private sector: Total | Overall 2011 | Overall 2010 |
|---|---|---|---|---|---|---|---|---|
| Personal information is kept secure | 75% | 66% | 71% | 75% | 73% | 74% | 72% | 54% |
| Personal information is processed for limited purposes | 42% | 31% | 37% | 35% | 24% | 29% | 33% | 28% |
| Personal information is not kept for longer than necessary | 46% | 28% | 38% | 29% | 21% | 25% | 32% | 24% |
So, if we turn the figures around, this means that 28% of organisations are still unaware that they must keep their customers’ personal information secure, 67% of organisations believe it’s OK to use personal customer information for purposes other than what it was requested for (have they talked to their legal departments?) and 68% of organisations believe that they can keep customer information for an indefinite period of time (yep, that retention policy again)...
Admittedly, I was expecting to see a large difference in attitudes towards information security and data protection between corporates and SMEs, so I was surprised to see that this was not the case (only about 10% difference between large and small organisations overall)...
Another interesting point is that public sector organisations are generally more aware (by 6%) than private sector businesses (and we know why that is: the ICO traditionally focused on the public sector and has only recently turned its attention to the private sector, with all the fines and public exposure that ensue...).
So all in all, the figures are going the right way if we compare 2011 to 2010, but we still have a long way to go.
Until next time...
neirajones