To lose a laptop may be regarded as a misfortune. To lose a laptop with 26.5 million IDs, including names, social security numbers and dates of birth, smacks of carelessness.

As the true story of the theft of data at the US Department for Veterans Affairs emerges, IT security professionals around the world will shake their heads in disbelief, and so too will their bosses.

It is bad enough that a civil servant was taking home confidential personal data for three years without permission. It is worse that he was able to remove so much data without triggering a systems alert, let alone arousing suspicion.

But the chain of events that followed the theft of the laptop containing the records is almost beyond comprehension.

When the data theft was reported, it took middle managers 13 days to flag up the scale of the data loss, and a further two days for the FBI to be informed.

It is all a grim reminder that no matter how strong your technical defences, humans remain the weakest link in the IT security chain.

Almost all organisations today have clearly laid down security policies, codes of conduct and procedures to follow in the event of security breaches, but how many of them are ever put to the test?

How many of us can say that IT security policies are regularly spelt out to staff, let alone any check on their application carried out, or punishment for those found to be in breach of them instituted?

It is up to IT leaders to take on this issue – and drag the HR and general security management teams with them if necessary.

If we don’t, not only is the organisation’s data at risk, senior management can quite legitimately question every penny the IT department spends on security technology. After all, what is the point of barring the windows and leaving the doors open?