Lessons from Hackgate: 2) Data leaks via people not technology

Much of the debate on the Regulation of Investigatory Powers, Data Retention, ID cards, Medical Records et al. centres on who could or should be trusted to authorise access to what. Those with little experience of how Magistrates and Courts authorise warrants and maintain their records thought this more trustworthy than giving similar authority to senior civil servants. Meanwhile, private investigators and journalists were bribing and blagging their way into accessing information on those on witness protection programmes, let alone the victims of crime, the rich and famous or those whose misconduct was indeed worthy of investigation.

The full version of the report of the Information Society Alliance (EURIM) Security by Design group begins with a splendid quote from Professor Richard Walton, sometime Director of CESG: “The main benefit of investing in better security technology is to force the enemy to concentrate on corrupting your people instead of trying to break your systems.”

The cruder way of making Richard’s point is “It’s the wetware, stupid”. No amount of technology can make up for leaky people processes.

The collapse of confidence in the security of public sector databases that will follow Hackgate adds an unwelcome topicality to the new alliance study on “Rebuilding confidence in the on-line world: by joining up Information and Identity Governance and removing the regulatory jungles that get in the way of good practice”.