The human element is often the weakest link in data management yet education remains a low priority. The loss of 25 million records by the HMRC should be the wake-up call for everyone – both public and private sector – responsible for data security.
During the past few months there has been a litany of reports involving the loss of personal information that is highly valuable to criminal organisations.
The Information Commissioner has highlighted these breaches in numerous reports. Do data holders think they can simply ignore him or do they just not understand what good practice really is?
It is naïve to blame junior officials for the HM Revenue and Customs (HMRC) data leak, rather than organisational failure. When it comes to data management, the human element is often the weakest link, while education is usually a low priority. An assumption prevails that people will do the 'right thing'. This is a dangerous approach. You have to ask what training did the 'junior staff' receive that would enable them to recognise the dangers of their actions?
Often organisations have information security policies that concentrate on the infrastructure that holds the data, but ignore securing the data itself. The IT security policy sits in the shiny folder on the shelf and gives them a warm and comfortable feeling. Unless the policy is taken off the shelf occasionally for testing and review, then the folder is only providing a false sense of security.
Even if the HMRC has good security practices, you have to question when the policies were last tested.
For everyone’s sake, this incident must be the wake-up call for those with responsibility for the security of personal information, whether in the public or private sector.
The fact it has taken over a month since the incident for the government to tell the public, banks and police, suggests that the incident response procedures were also not effective. Incident response plans are an integral part of information security best practice and should kick in immediately after an incident occurs.
The government has been lucky on this occasion in that it is possible that the discs have not fallen into the hands of a criminal organisation. If they had, the time between the incident and the response would have given them ample opportunity to maximise their potential gains and cause pre-Christmas misery for thousands.
Let us look at some of the simple measures that could have been taken:
- The most basic security measures dictate that information should be separated so that if one part of it goes missing, it would be of no intrinsic value to the person in possession;
- Each data set should have been separately encrypted – simple password protection where data is left in clear text form is a very weak form of security and easily accessible. Encryption techniques today are low cost and still effective if coupled with other processes;
- Secure encrypted data transfer systems connect government departments and could be used without the need for transferring data using disks.
Public sector organisations are being encouraged by central government to adopt e-solutions, driven by cost savings. But not enough of these savings are being applied to proper data management processes, information security measures and educating staff on the use of the technology and the risks it carries.
Too often electronic systems have replaced paper based procedures without effective training of staff. Many public sector organisations now have IT risk as a priority in their risk registers but few have taken action to mitigate the new risks they have identified.
Public sector bodies, as well as private sector organisations, can take action to mitigate the risk of a data breach incident, and prevent a loss of confidence in online transactions, such as:
- Recognise their responsibility for the information they hold and that is held on their behalf as a result of outsourcing;
- Conduct a review of data management systems for compliance, legal and disaster recovery;
- Implement IT security and data management policies and procedures, educating staff;
- Avoid separating IT security from traditional business planning and disaster recovery;
- Most importantly, effective procedures to test these policies against emerging threats and implement the findings of these tests.
Policies, practices, processes, procedures and people make up the security capability and the most variable of these in terms of consistency is people, yet this is the asset in which the least investment is normally made. Unless there is a change of mindset, this type of incident will continue to occur and we will see government ministers wringing their hands at the dispatch box for years to come.
We have to hope that the Information Commissioner will take a more robust approach bring those responsible to book. There has to be better enforcement of Data Protection Laws to encourage good practice and it is normally when those at the top of the corporate or government trees are under threat that we see a change in attitude that brings about real change in practice.