The FD must take a lead on information security
by Steve Mason* - Monday, 30th June 2008
Some business priorities are undoubtedly more equal than others and in my view information security falls into this category.
This is not a subject that is immediately associated with the traditional role of the finance director, but the privacy and disclosure of personal information within our corporation has always been high on our agenda. The FD takes the lead in ensuring compliance with internal and external rules and regulations, such as the Data Protection Act 1998.
The penalties for not facing up to the challenge of data security are enough to make any senior executive lose sleep. Recent examples of private and public sector organisations being called to account for security breaches show just how seriously regulating bodies view this issue.
We are all aware of the high-profile government cases involving HM Revenue and Customs and the Ministry of Defence. Both departments were issued with enforcement notices by the Information Commissioner's Office (ICO) for breaching the Data Protection Act and as I write, the official review into the incidents has prompted HMRC to announce extra spend of £155 million “on improving data security”.
Last year, the Financial Services Authority (FSA) fined Nationwide £1m when a laptop was stolen from an employee's home – one of the biggest fines in its history and the first on a building society.
What is immediately clear from these examples is that data security is not just an IT issue. In the government cases, the Information Commissioner cited “weaknesses in management structure” and “inadequate awareness, communication and training” as crucial failings, highlighted by the fact that the ICO was not notified of the data losses for three weeks. Similarly, Nationwide’s punishing fine reflected that it too had taken three weeks to inform the FSA of the incident.
The message is that the management board must take the initiative to understand its precise responsibilities, establish and then enforce procedures – down to every level of the organisation.
Without fostering awareness of both the risks and rules of data protection, it might be said that all the IT mechanisms in the world will not protect the company if something goes wrong. When it comes to customer – and employee – perception, it is almost insignificant whether the lost data is actually used for criminal purposes. The mere fact that the data has been lost is enough to cause untold damage to the corporate reputation.
In all the cases I’ve mentioned, the regulators commented that the incidents were highly unlikely to be “isolated”, but that they were indicative of wider systematic failings. Companies must take all measures possible to avoid sowing the seed of doubt in the first place with an appropriate tone-from-the-top helping create the culture and momentum to deliver the required data integrity and security.
The FD must take a lead in helping the board understand its responsibilities and take action, and the business must appoint a manager in charge of enforcing policies. Also, remember that the ICO was established to produce a code of best practice that helps companies comply with the Data Protection Act, so it seems sensible to open dialogue with the ICO in the spirit of co-operation and transparency.
I am not claiming for one minute that IT isn’t crucial. The latest mechanisms to protect data – securing systems, encrypting data, etc. – are vital, but they are woefully insufficient without strict management controls.
*Steve Mason is FD at Siemens Financial Services