Many of my friends and colleagues express disbelief at the continuing saga of Government data breaches. It’s because they expect professional organisations to be on the ball when it comes to protecting sensitive data. If only they knew the truth! The situation is much worse than the public realise.
Today the media reports that nine UK National Health Service trusts have admitted to losing patient records. It’s just the tip of the iceberg. The fact is that information security has been given insufficient attention for the last three decades. Breaches happen all the time. We only find out about them if they hit the press.
Few organisations have effective incident reporting systems, and many types of breach, such as espionage and information broking are secret and invisible. Statistics provide a crude indication of what’s really going on. If you’ve been hit by a large, publicised breach, it’s likely that there are dozens of minor breaches, hundreds of near misses and thousands of bad practices lurking behind the bad news.
You can only assess the true status of security controls by carrying out a comprehensive audit. We need more of these. Keeping your fingers crossed has been a good bet in the past because breaches haven’t been widely reported. But the World is changing. A networked society can quickly establish what’s really going on. As they say in the Good Book, seek and you will find.