ITPRO

Printed from www.itpro.co.uk


Lessons to learn from a year of data breaches

In the year since the HMRC data breach, many more have been made public – here’s a roundup of 11 lessons (we should have) learned.

By Nicole Kobie, 17 Nov 2008 at 15:03

Some have learned the lesson. The NHS is in the process of rolling out encryption across its portable computer estate, with one hospital holding a “USB amnesty” to get employees to turn in insecure sticks.

MI5 uses the tech as well – which is handy, as it lost a portable computer through an open window in October.

And while the General Teaching Council failed to pay attention to the moral of the HMRC story – don’t put important things in the post – its lost disc was helpfully encrypted, meaning the 11,423 affected teachers could sleep a little easier.

The majority of the other cases in the past year haven’t involved encrypted media – but why not? The tech is cheap and relatively easy to roll out. The point could become moot in the next few years, as the next version of Microsoft’s Windows operating system is expected to have encryption built-in – though does anyone want to wait that long or depend on Microsoft to keep us safe? Didn’t think so.

Lesson Six: People are the weak link
No matter what tech you use, or what policies you put in place, it all comes down to people and their skills – do they know about data security and are they even capable of keeping things safe?

Indeed, speaking at a Gartner security summit, Martin Smith, chairman of the Security Awareness Special Interest Group (SASIG), said that no matter how shiny and cool and secure a firm’s tech was, “the people screwed you in the end.”

With that in mind, the government has announced all civil servants handling private data are to get security training – a good first step, but it needs to be expanded. Is there any arm of the government which doesn’t handle people’s private data?

Lesson Seven: Hold less information
One of the problems with the HMRC case was how much information was on the discs. After the breach, reports revealed that less information was actually requested by the intended recipient – the National Audit Office – but the tax body didn’t have the time or money to strip fields out of the database, so more information was sent than necessary.

And as the government looks to collect more and more data on its citizens, for projects like the national identity card scheme, this problem will only grow.

This point was hammered home in a report from none other than the Home Affairs Committee, which said the government should keep watch on “function creep” and adopt a principle of what it called "data minimisation", collecting only essential information.

"What we are calling for is an overall principle of 'least data, for least time'," said committee chairman Keith Vaz at the time. "We have all seen over the past year extraordinary examples of how badly things can go wrong when data is mishandled, with potentially disastrous consequences."

The ICO has also repeatedly called for less information to be held, but the government doesn’t seem to hear its own watchdog barking…


4 comments


Data Breaches and Theft - a Solution?

I like to pass along things that work, in hopes that good ideas make their way back to me. Data breaches and thefts are due to a lagging business culture – and people aren’t getting the training they need. As CIO, I look for ways to help my business and IT teams further their education. Check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices. The author, David Scott, has an interview that is a great exposure: http://businessforum.com/DScott_02.html - The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action. In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a breach.

By Ip_johnfranks999 on Tuesday Nov 18

2 people out of 2 found this comment useful.



RE:

Fudge and fear I'm afraid. Of course it is wrong that data should be lost and the hints are common sense about what to do. But there is absolutely no evidence in the article or elsewhere that the data has been misused. Regulation should be commensurate with risk, and risk is not a matter of guessing but INFORMED judgment.

By cping5000 on Friday Nov 21

1 people out of 1 found this comment useful.


How about avoiding the problem in the first place?

All of the breaches mentioned have one thing in common; data being stored on a physical device that was "portable". Whilst a PC may not be seen as portable, it was still a "local" device that was able to be removed from a place of work with private data on it. As well as a security risk, locally stored data is also a massive headache for businesses attempting to achieve a "single point of truth" for the company data and records. Storing information locally leads to multiple "versions" of the truth, leading to confusion and inefficiency. The fact that the data can also find its way into the wrong hands is the icing on the cake. Centralised, cloud based platforms that offer data integrity AND data security are the way forward. They offer a single point of truth for all data, a complete audit trail of activity for all users and data and are easily accessed, but only by the relevant personnel.

By tristan66 on Monday Nov 24

2 people out of 2 found this comment useful.
