Is your enterprise making the same mistakes as the NHS?
The NHS is, and always has been, a shocking example of how information security policy means diddly-squat without proper staff education and more than a little application of the disciplinary stick when breaches occur.
COMMENT:While the NHS gets all the bad publicity it deserves as far as lapsidaisical data security policy implementation is concerned, I am not convinced it should be singled out as the pantomime villain on the ITsec stage: sloppy security is behind you. Oh yes it is...
During the last three years, according to a report based around Freedom of Information Act requests made by Big Brother Watch and published over the weekend, there have been more than 800 separate incidents within the NHS whereby patient records have been compromised.
Or, to put it another way, here's an enterprise which has seen data security policy trampled over at least five times per week during a three-year period. It's not that NHS policy is badly drafted in this regard. Indeed, I've had the misfortune to have spent rather a lot of my professional life over the last five years or so studying the principles for information security and the various documents covering data security policy within the NHS produced by Connecting for Health and the Department for Health.
Don't assume that writing good policy and waving it at your staff is good enough. End user education must be at the centre of your data security strategy.
The truth is those policies are perfectly acceptable, no pun intended, and more than fit for purpose in an enterprise of such an octopus like proportion as the NHS (it has arms everywhere). So why, then, did Big Brother Watch discover that there had been, amongst other breaches of policy, no less than 91 cases where NHS staff had inappropriately accessed information about colleagues and 23 cases where NHS staff had inappropriately posted patient data on social networking sites? Or how about the 24 NHS trusts who'd seen confidential data lost or stolen courtesy of breaches of said policy?
I'm using the 'at least' disclaimer here quite a lot, as you may have noticed, as 55 NHS trusts refused to comply completely with the Freedom of Information Act request, and 44 failed to respond at all.
Anyone getting a mental image of an ostrich, rather than the octopus mentioned earlier, and one with its head buried firmly in the sand at this point? I am, although I think that perhaps Big Brother Watch has its own head stuck somewhere else when it states that "despite these breaches of Data Protection policy, just 102 cases resulted in dismissal of staff" as if to suggest that every policy breach should be met with an 'off with their heads' type response.
Quite patently, dismissing everyone involved is not the right approach to dealing with every (or indeed any, for that matter) security policy breach. So what is the correct approach?
It's simple. It requires the ability to step back, let the blood drain from your face and accept that education is key. Not that corporate punishment is to be ignored, but hitting someone with a big stick when they don't truly appreciate what they have done wrong is never going to solve anything. It's akin to trying to cure a decapitation with a sticking plaster: far better to have told the idiot not to stick his head out of the car window on the motorway in the first place...
Where I do agree with Big Brother Watch, and director Nick Pickles, is when it argues that "it is essential the NHS is transparent about these incidents and failing or refusing to disclose that a data breach has taken place is unacceptable". Burying the head in the sand is not big and not clever. It is never going to help make things better.
If you want to avoid becoming the security ostrich of your sector, then it's vital you learn from the mistakes of the NHS, which means you don't assume that writing good policy and waving it at your staff is good enough. End user education must be at the centre of your data security strategy, along with the implementation of appropriate systems to ensure that the policy is being adhered to.
Ensuring appropriate access rights to data is not rocket science these days, nor is effective auditing of your policy in action.