Lessons to learn from a year of data breaches

In the year since the HMRC data breach, many more have been made public – here’s a roundup of 11 lessons (we should have) learned.

MI5 uses the tech as well which is handy, as it lost a portable computer through an open window in October.

And while the General Teaching Council failed to pay attention to the moral of the HMRC story don't put important things in the post its lost disc was helpfully encrypted, meaning the 11,423 affected teachers could sleep a little easier.

The majority of the other cases in the past year haven't involved encrypted media but why not? The tech is cheap and relatively easy to roll out. The point could become moot in the next few years, as the next version of Microsoft's Windows operating system is expected to have encryption built-in though does anyone want to wait that long or depend on Microsoft to keep us safe? Didn't think so.

Lesson Six: People are the weak linkNo matter what tech you use, or what policies you put in place, it all comes down to people and their skills do they know about data security and are they even capable of keeping things safe?

Advertisement - Article continues below
Advertisement - Article continues below

Indeed, speaking at a Gartner security summit, Martin Smith, chairman of the Security Awareness Special Interest Group (SASIG), said that no matter how shiny and cool and secure a firm's tech was, "the people screwed you in the end."

With that in mind, the government has announced all civil servants handing private data are to get security training a good first step, but it needs to be expanded. Is there any arm of the government which doesn't handle people's private data?

Lesson Seven: Hold less informationOne of the problems with the HMRC case was how much information was on the discs. After the breach, reports revealed that less information was actually requested by the intended recipient the National Audit Office but the tax body didn't have the time or money to strip fields out of the data base, so more information was sent than necessary.

And as the government looks to collect more and more data on its citizens, for projects like the national identity card scheme, this problem will only grow. This point was hammered home in a report from none other than the Home Affairs Committee, which said the government should keep watch on "function creep" and adopt a principle of what it called "data minimisation", collecting only essential information.

"What we are calling for is an overall principle of 'least data, for least time'," said committee chairman Keith Vaz at the time. "We have all seen over the past year extraordinary examples of how badly things can go wrong when data is mishandled, with potentially disastrous consequences."

The ICO has also repeatedly called for less information to be held, but the government doesn't seem to hear its own watchdog barking

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now

Most Popular

Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020