Data loss at the MoD and NHS shows need for stricter security policies

Recent revelations over data losses at the Ministry of Defence (MoD) and at the National Health Service (NHS) have made both organisations a laughing stock, but we should all think twice before laughing too loudly, says UK Bureau Chief Ron Condon.


Last week, the MoD was forced, in an answer to a parliamentary question, to admit that during the last four years, 658 of its laptops were stolen, and another 89 lost. Only 32 of the devices have been recovered. In addition, 121 USB memory sticks have been taken or misplaced since 2004, with 26 of the losses happening this year, including three that contained information classified as "secret" and 19 that were "restricted".

What makes the news even more depressing is that earlier estimates of losses had put the scale of the problem much lower (at 347 laptops stolen between 2004 and 2007). Defence Secretary Des Browne explained that there had been "anomalies" in the earlier reporting process.

Over at the NHS, enquiries under the Freedom of Information Act (FOIA) have revealed that in Wales alone, there were more than 150 incidents of patient and staff data being lost during the past three years. Not all of these involved computer data; in one instance, patient details from an entire children's ward in Wrexham were found on a piece of paper in a puddle.

Both revelations have prompted condemnation from politicians and calls for those responsible to be punished. But, as last year's initial review of the HMRC disk loss (led by PricewaterhouseCoopers LLP chairman Kieran Poynter) revealed, data losses rarely occur simply because one person is lazy, careless or malign.

The Poynter report used forensic detail to show how a fundamental lack of leadership had contributed to a view that it was OK to cut corners in order to get the job done. Everything happened because officials were trying to do the right thing, fighting to meet deadlines and even trying to minimise public expenditure. The potential risk to the data had not been given a high enough priority.

Neither MoD staff nor NHS employees have set out to lose data or treat it with contempt, but senior management must show leadership and a serious appreciation of the problem, backed up by training and some basic technology to protect them from their mistakes. Is it really that hard to enforce file encryption and control file copying on to USB sticks?

For those of us not in the MoD or NHS, this could be a source of entertainment and schadenfreude, but it would be wrong to mock. The only reason we know about these errors is because of the Freedom of Information Act and the power of Parliament to demand answers.

For the rest of industry, it is a lot easier to hide any failings. True, the Financial Services Authority has put the squeeze on financial services companies to ensure they treat personal data properly, and the Information Commissioner's Office (ICO) is increasingly aggressive about breaches of the Data Protection Act (DPA). The requirements of the Payment Card Industry Data Security Standard (PCI DSS) have also prompted companies to take care in handling credit card data.

But isn't security about more than just complying with the rules that others set down and ticking the box to get the inspectors off your back?

Shouldn't security be focused on identifying precious assets and protecting them?

The fact is that you can be compliant with all the regulations, and still open to seriously damaging breaches. For instance, are you sure you could stop a member of your staff from copying customer data on to a USB stick, or attaching it to an instant message sent to a rival company? How would that affect your company's performance and reputation?

And is intellectual property, such as engineering drawings and product designs, properly protected, or could it be copied without anyone noticing? That side of the business is not covered by any compliance requirement, yet its loss could still be disastrous for the company.

The point I'm making is that unless security becomes a top-level concern in organisations, and is driven by a genuine desire to protect valuable assets (and not merely by compliance), then any security programme will be flawed.

Security professionals can achieve a lot, but they can't do it alone. That applies equally in the MoD, NHS and right across the private sector. And yet we seem to be taking far too long to reach that state of enhanced awareness.

About the author:
Ron Condon has been writing about developments in the IT industry for more than 30 years. In that time, he has charted the evolution from big mainframes, to minicomputers and PCs in the 1980s, and the rise of the Internet over the last decade or so. He has edited daily, weekly and monthly publications, and has written for national and regional newspapers, in Europe and the US. In recent years he has taken a strong interest in information security and is a former Editor-in-chief of SC Magazine.
