Cock-up or Conspiracy?

It’s interesting to discuss the root causes of data breaches such as the recent HMRC breach with other security professionals. Most agree with my general suspicion that when something like this goes wrong it’s more likely to be down to a cock-up than a conspiracy. In fact the most popular theory is that the discs never got sent at all. We’ve all experienced that situation when the phone rings and someone tells you they haven’t received the package you promised to send a few weeks ago. “It’s in the post” is the natural reaction. And once you’ve painted yourself into a corner it’s not that easy to get out.

Of course this is all just speculation. But it’s remarkable that tiny human oversights can trigger major crises. That’s often the nature of organisational crises. They’re usually caused by long-standing, deep-seated flaws, but they can be triggered by unconnected, perhaps minor, events that attract media attention to the flaw. The art of crisis management is to understand and tackle the underlying flaw, not to focus on the trigger. But that’s easier said than done. And of course, it’s also important to remember and respect the second rule of holes: if you’re in one, stop digging.

Comments (1)

As usual, you've hit the nail bang on the head.

Almost all air accident investigations conclude they were caused by a chain of errors and failures, usually three or more. It is extremely unusual for an unpreventable accident to occur: in short, properly maintained and serviced aircraft, with trained and healthy pilots making the right decisions, simply do not fall out of the sky.

I believe the same applies to Information Security.

In the case of HMRC, it is obvious that this is not down to a single mistake or error: poor risk assessment/management, poor controls, poor training, and a cost-averse culture have created a situation where a 23-year-old can download the entire core database to offline media and send it out of the building.

I'm not so horrified that the discs went missing - this was a single small mistake - but I am horrified that the full database could be accessed in this manner by a junior employee, and that no checks and counter-checks seemed to be in place to ensure the security of offline media and data, especially when it concerns 25 million records.

All together these three, individually perhaps minor, errors add up to a pile of mangled and smoking wreckage.

At least in aviation you can choose a different airline.

This page contains a single entry from the blog posted on November 28, 2007 6:50 PM.