Government data security guidelines: Time for some critical self examination

Practical approaches to avoiding the cost and embarrassment of data security breaches.


It was only last month that Jack Straw indicated the government’s desire to impose harsher punishments and even jail time for employees in organisations where data breaches occur, as a wake-up call to everyone who handles and stores sensitive data.

Now, as a result of the loss of an unencrypted USB memory stick that carried thousands of prisoners’ personal data, the Home Office has promised to encrypt all portable or mobile devices that carry data and will only work with contractors who will do the same.

What is significant about these developments is that they affect both the private and public sectors. The costs of a data loss have always been a huge deterrent for private enterprises.

It is not just the individual or their manager who pays for a breach; the whole business suffers through lawsuits, bad publicity, loss of customer faith, and possibly even bankruptcy.

In the public sector the damage has been limited to embarrassment for the government and the affected department, and possibly compensation for those affected, but those implications have not been sufficient to force a radical change in behaviour in the handling and management of sensitive data and portable storage devices.

So, apart from creating some helpful PR for the government that it is “cracking down” on sloppy handling of private data, there is now strong motivation for organisations in the private and public sectors to tighten their procedures.

What is clear is that whether by malicious intent or accidental loss, private sector businesses and government alike have few excuses when a data breach takes place.

Organisations need to investigate the numerous methods and solutions available that prevent such confidential data being lost and need to ensure that the right policies and permissions are in place, together with the right software, to permit only a select few to download data onto USB memory sticks and other removable storage devices.

The days when bulk transport of data was difficult due to slow communication links and the lack of high density storage media have long since departed – it has never been easier to intentionally or unintentionally misplace and lose data of all kinds.

Couple this surge in technology with the increased digitisation of all financial, personal and business records and it is perhaps surprising data breaches are not more common.

What can be done? Well, there are at least three approaches available:

First, there is the physical approach. This is not a joke – a number of highly sensitive agencies around the world physically disable the USB and other ports on laptops and desktops to prevent anything from being inserted. I spoke with one IT group who had a special mix of epoxy resin approved for use in USB ports to ensure they were fully decommissioned.

The downsides of this approach are obvious enough – there are legitimate reasons for using USB ports, for example plugging in an external mouse, and there will also be situations where a member of IT staff will need those ports to repair a PC.
