There but for the grace of God goes your CIO/CFO

Much will be written about the loss of a couple of CDs of personal data by HMRC. But it is those organisations which track their data and report such losses that are publicly crucified. Those that keep quiet and cover up…

How many of your organisations keep track of all back-ups, including/especially those sent to offsite recovery or archive centres, encrypt all files leaving the premises (ring-fencing those where this is not practical), have monitoring equipment that detects unauthorised equipment (e.g. USBs) attached to the network, vet all staff with potential access to data (including the cleaners who can read the post-it notes stuck to the screens with the passwords) … and so on?

And if yours is not one of these, why should I trust it with my data – however many padlocks there are on your website?

And if you were to do all that the security gurus and regulators tell you to, would you still be in business?

The problems are not confined to public sector.

I am told that the FSA has yet to fine a bank which had not itself found and reported the possible data compromise – and all to date have been “possible compromises” – not losses.

At one of the regular networking events where Chief Information Security Officers meet to cry into their beer over the behaviour of their regulators and marketing departments (the source of most vulnerabilities and breaches) I heard the story of the CISO who found and reported a potential serious problem that was also common to all its competitors. His was the only organisation punished by the regulator. The others all denied it had ever happened to them. Worse, it was still happening to some of them.

I recently asked the former head of security of one of the organisations that I would trust with my data, to draft a “Ten Minute Guide” to “Keeping the Board out of Jail while remaining competitive” (particularly how to set the climate that will ensure that good practice is embedded in their core business values as part of their marketing message, not treated as an add-on). This evening I will be taking his first draft to a meeting of the ISSA (Information Systems Security Association) UK chapter group that is planning to work with Get Safe On-line (and any other organisation willing to bring experience and resources to the table) on awareness campaigns, including with support for firms too small to have any in-house security expertise.

At their last meeting the participants (including the CISOs of a couple of other organisations that I would trust with my data) appeared to share the common view that large organisations were well served with advice and guidance and able to protect themselves.

I wonder if the discussion will be different this evening.

Too much current advice is seen to get in the way of running the business and is consequently ignored or bypassed by those “with a business to run”.

I did not expect this issue to hit the headlines so soon when I raised the issues of trust last week and quoted one of the speakers at the recent Parliament and Industry conference who suggested that we might have to consider disaggregation and “controlled communication”, rather than integration and always-on, if we wanted our systems to be secure. For that conference I tried to summarise the current state of debate on reducing vulnerability, including the tensions over what could/should be done to improve security.

One of the most serious was that between those who believe “systems should be designed to make it faster, easier and more convenient to do what is right than bend the rules in order to run the business” and those who maintain “there is no gain without pain”. I should of course add that by “system” I always mean the “people system” that the technology is there to serve.

Many years ago in an article for the IMIS journal (most of whose readers are scattered around the world in its fastest growing markets) I asked “who would you trust to hold your purse in the global electronic bazaar?”. Part of my reply today (picking up from my comments in yesterday’s blog) would be, “no-one who asks me for information that they do not need in order to do what I want from them”.

But I am also only too well aware that thousands in sickness, poor health or otherwise socially excluded suffer unnecessarily and even die because the agencies which could/should be able to help them fail to share the information they already hold on their needs. Hence the programme that EURIM has been running for several years on “secure data sharing” and its current Transformational Government Dialogues exercise.

This is not an easy debate, and the need for realistic guidance on good practice for those at the top, who carry legal responsibility, is now urgent and overdue – for both private and public sectors.

So too is action to organise and co-ordinate the police response to computer-assisted crime, including the response to incidents like that at HMRC, which will hopefully still turn out to be yet another data packet lost in the post.