Public Sector vs Private Sector. Who does security better? Part 4

You’re hilarious! A Ford Anglia? Actually, I’m a Morris Minor Series II enthusiast. What more could you want than a British Classic through-and-through that has been exported internationally and become an icon – just like myself 😉

While I stay on the subject of cars, I’d like to ask the following question: how many times have you had to reboot your modern, processor-dependent German motor? Your car might be faster, more aerodynamic, safer at high speed and great with the ladies, but it is symptomatic of the highly integrated technologies at the very heart of our society which are stoking up the biggest vulnerability: over-dependency on new and tightly coupled networks and technologies that are difficult to fully understand and can often react in unknown ways.

Let’s get this back on track…

First of all, let’s admit that the full scale of private and public sector breaches isn’t adequately recorded. No one can say with any degree of certainty how bad, or good, the size of the issue really is. Reporting of data breaches in the private sector has always been downplayed by nervous boards of directors scared (and quite rightly so) of the fallout from their customers and shareholders. With so much at stake, it’s much better to sweep it under the carpet and hope that no one notices. I’m not saying that the public sector is any better, but it is important to appreciate that without accurate and reliable breach statistics both our arguments are on shaky ground. The answer, of course, is a mandatory and legally enforced breach reporting requirement, and maybe this is something we should save for a future online debate.

Second, human error happens everywhere; for example, Google’s recent blacklisting of the entire Internet. Accidents happen even to the very best, and even with the most thoughtful security controls there will always be residual risk that can’t be mitigated away or dealt with. The issue here is whether someone has willingly and knowingly not followed instructions, leading to the data loss or breach. In such a situation there’s no excuse, and people who regularly decide not to follow corporate policy really are plonkers. Protecting information assets really is a team sport and we’re all in this together.

As for there not being baseline security standards, this is simply not true. BS 7799 (now known as ISO/IEC 27001) came into being in 1995, and most recently the Security Policy Framework has been openly published on the Internet. Both are based around solid and mature management processes which are supported by the policy, people, physical and technical aspects of information security. Will these help the public sector better manage information risk? You bet ya! Will they completely remove the possibility of a data breach? No, but then again nothing will. Is the public sector working hard to continually and constantly improve? Absolutely. Is this a big job? Probably the biggest! At least the public sector recognises that there are no silver bullets… anyone who says otherwise is selling something.

And don’t forget that the public sector probably faces the most sophisticated of all cyber attacks, as reported here and here.