by Ross Dyer
One of the curious side effects of working in the information security industry for any length of time is that, after a while, the same stories start coming round again and again. So it was last week when the government admitted that two discs full of data related to three highly sensitive police inquiries had got lost in the post. For those with long memories, the echoes of 2007 – when the personal details of 25 million Britons went missing in similar circumstances – are telling. So let’s remind ourselves again of the importance of good data handling practice and what we should all be doing to minimise the risk of a damaging breach.
A mea culpa
In a lengthy statement published last Thursday the government admitted that the discs had gone AWOL after being dispatched by post. It’s unclear how sensitive the data on them was, although the independent inquiries to which they pertain certainly cover some extremely contentious ground. Most notable is the Mark Duggan Inquest, which is examining the role the police played in the fatal shooting of Duggan – an incident which sparked the London riots in 2011.
It’s also unclear whether the data was encrypted – if it was then at least this would render it virtually useless if the discs are ever found by someone. If not, there will be serious questions as to why the government is still sending such important data by post. After all, the HMRC incident in 2007 was widely seen as a tipping point in the government’s approach to data protection. It exposed key institutional failings which were addressed over the succeeding years, through a carrot and stick approach of better education on data handling and significant financial penalties from watchdog the Information Commissioner’s Office (ICO).
People, process, technology
So why do we still see these kinds of incident occurring? After all, organisations should be well aware of the negative impact on brand and reputation, fines, clean-up and remediation costs, and lost custom which can result from a serious data breach. Sometimes it’s partly because insufficient security controls have been put in place. Strong encryption for the most sensitive data should really be non-negotiable these days, in order to keep that information safe at rest and in transit.
All too often, however, it’s not the technology, but the people and processes that are to blame for “insider” data breach incidents. An organisation may have encryption capabilities but they will be useless if not applied appropriately because, for example, data is mislabelled. Security awareness and data handling programs are an important step, but if they’re not tested on a regular basis to make sure everyone’s aware of their responsibilities, they’re not worth the paper they’re written on. Cultural change is difficult to effect overnight but organisations must improve employee and management awareness of the importance of the data they store and transmit, if they’re to reduce the risk of breaches.
What to do now
With that in mind, here’s a quick checklist of positive steps you can take today to begin that change process:
- Create a positive attitude towards information security for management and employees through better understanding
- Build knowledge around general security best practices and the company’s existing security measures
- Promote understanding of the security measures along with showing the potential threats and risk that can occur by providing examples for proper risk management and mitigation
- Measure the success of the implemented security awareness measures, media and tools.
- Create sustainability for long term implementation and adherence to the company’s security measures.