Vulnerability management ‘must extend to personal data’

Companies that deal with personal data need to make sure this information is kept secure, as one group believes that the problem will worsen over the coming years.

According to predictions from Gartner, 90 per cent of organisations will have personal data stored on their IT systems by 2019 that they do not own or control.

It identified that vulnerability management within organisations is far from a new trend, but the way in which security attacks are carried out is gradually changing.

Gartner emphasised that hackers typically target vulnerable IT infrastructure, whereas in the future they will move their attention towards softer targets – this includes, employees, customers and contract workers.

A number of suggestions have been made by the group as to how organisations might want to address these challenges, such as pinpointing where the personal information is being held.

Once a company is aware of exactly where the vulnerability lies, they will therefore be better equipped to come up with strategies as to how it can be protected.

Gartner also believes that personal data should be kept separate from other information at all times – it recommends, for example, storing employee performance information in a human resources management system.

Another suggestion is that companies take a more pragmatic approach to the issue of data security, as well as using Australia's protection laws to their advantage.

Offering an example, the group explained that data might be stored with a US cloud provider, operated by a third-party source in India. As a result, this can cause confusion over which nation is held legally responsible for the information, therefore making organisations more vulnerable.

Carsten Casper, research vice-president at Gartner, stressed that organisations need to be held accountable for the data they store.

He continued: "The PCI Data Security Standard (DSS) requires the implementation of stringent controls of those who collect and store credit card data.

"In response, many companies have decided to eliminate credit card data from their own systems and completely entrust it to an external service provider."

He warned that the same situation could arise with personal data if control requirements put in place are "too strong" and the cost of implementing them is too high.

As hackers become savvier with their methods, personal information is likely to be under threat just as much as other data, so businesses are bound by the requirement to keep it safe and secure.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s