It’s interesting to discuss root causes of data breaches such as the recent HMRC breach with other security professionals. Most agree with my general suspicion that when something like this goes wrong it’s more likely to be down to a cock-up rather than a conspiracy. In fact the most popular theory is that the discs never got sent. Because we’ve all experienced that situation when the phone rings and someone tells you they haven’t received that package you promised to send a few weeks ago. “It’s in the post” is the natural reaction. And once you’ve painted yourself into a corner it’s not that easy to get out.
Of course this is all just speculation. But it’s remarkable to imagine that tiny human oversights can trigger major crises. That’s often the nature of organisational crises. They’re usually caused by long-standing, deep-seated flaws, but they can be triggered by unconnected, perhaps minor events that attract media attention to the flaw. The art of crisis management is to understand and tackle the underlying flaw, not to focus on the trigger. But it’s easier said than done. And of course, it’s also important to remember and respect the second rule of holes: if you’re in one, stop digging.