We could do with a time-out in which to reconsider our approach to dealing with data loss. We’re currently inundated with stories – the latest being about the PC purchased on eBay containing sensitive data about bank customers – and it’s clear that we need a new approach.
The sheer number of reported incidents is indicative of a general failure across all industry sectors to provide adequate controls. It’s also fair to say that legislation and regulatory compliance controls are not having much impact.
What can we do? In my opinion, we are engineers of our own downfall, making data ever more accessible and portable, and believing that an antiquated approach to security – it’s all about IT and checklists, innit – can afford enough protection.
Many of us have been saying for years that we need to invest more time and money in security awareness. I’ll stick my neck out and take a position that it’s the single most important thing in reducing the risk of a data breach. And I’m not talking about a few posters on the notice board and handing out mouse-mats stating trite messages such as “think before you click.” I’m talking about the sort of security awareness that makes every individual personally responsible for the data they handle, making them stakeholders armed with the right knowledge and willing to question security.
Let’s be clear. This is not a technical problem and it won’t be solved with technical solutions. If the organisation wants to collect data then the organisation needs to learn how to handle it and stop relying on outdated concepts. Fair enough?