
Achieving a security culture change

The latest reported loss of 84,000 unencrypted confidential Home Office records by PA Consulting illustrates the massive challenge of eradicating bad security practices across Whitehall. Massive publicity and waves of security reviews have clearly not made sufficient impact on day-to-day operations.

We need to take a whole new approach to security culture. It can be done. But not by diktat. It requires a more emotional engagement with people and a major programme of change. It also requires that security education and oversight extends as far as the risks extend, in this case to contractors.

Watch out for an article by me on organisational culture change in September's Infosec magazine.

Postscript - Infosec magazine now tell me that this feature has been held over until October. You'll have to wait a little longer.


Comments (2)

Peter Laycock - Infosec4business Limited:

Hi David - hope you're well.

In terms of "bad security practices across Whitehall", I fully agree.

However, this is a malaise that many organisations are suffering from, not only Government; and it has to be said that private industry needs also to raise its game.

Earlier this year we had the excellent report from the FSA on the state of "Data Security in Financial Services", which was less than complimentary, and should be a wake-up call to all Banks and Financial institutions.

But, today (26 August 2008) we have the news that one million bank details (including signature images!) have been found on a PC after being bought on eBay, and originating from a document archiving company, which begs the question of how this company's processes permitted the copying of such sensitive data to an unencrypted computer, and then, to top it all, failed to track its assets.

Both Government departments and private industry are often far too reliant on contracts with third-party service providers, whether it be database hosting, customer service management, document archiving and storage, or sensitive waste management. Contracts are all well and good, but the odd risk and compliance audit wouldn't go amiss from time to time. Waving a piece of paper after the horse has bolted doesn't really work.

On the bright side though!...Information Security does indeed seem to be "recession proof", and as long as these types of incidents occur it looks likely to continue....what will be next?
Peter Laycock - Infosec4business Limited

I have been reading about the need for security education since I came to the security field 6 years ago. Nothing has changed, except maybe the removal of the lowest hanging fruit, and at the time, the major threat was script kiddies. Now the attackers are organized professionals.

I will look forward to your article, as always, but my preference will be a technology that protects users from themselves. :)

By the way, who protects systems and data from those in charge of systems and doing the teaching? How does education protect against evil admins?


This page contains a single entry from the blog posted on August 22, 2008 9:40 AM.
