The recent data loss from the Comptroller and Auditor General’s Office (CAG) has once again shone a light on an important issue for all organisations, that of data protection.
The information known to have been on the laptop that went missing at a bus stop came from the IDA and related to grant and financial assessment details. While both the IDA and the CAG have established data protection practices, it is not yet known whether the laptop was encrypted. It has also been reported that there was no evidence of a targeted attack and that the loss appeared to be the work of an opportunistic thief.
This is an all too familiar story, whether it be an Irish public body, a UK intelligence agency or any organisation that stores the personal details of customers, partners or suppliers.
The main problems are twofold. First, while most organisations these days are fully aware of the need for data protection and of their obligations, their practices leave a lot to be desired. In larger organisations this is often due to an inertia that makes implementing new practices difficult. Where large numbers of people work in different departments, overcoming the “we’ve always done it that way” mentality can be daunting. It can be a question of motivation too.
When the US implemented its Sarbanes-Oxley legislation, and organisations that wished to do business with American companies needed to comply with it too, there was a scramble to get compliant because it affected the bottom line. Data protection, it seems, required a few high-profile disasters in which real people were affected; public humiliation and, in some cases, prosecution by a data protection commissioner or similar regulator then drove home that avoidable lapses have real consequences.
Going back to the point of inertia, the old attitude of “well, Bill always had access to that” has led to questions along the lines of “should Bill ever have had access to that?” and “is it really appropriate for Bill to bring that stuff home and work on it in a cafe on a Sunday morning?” The fact that something has been happening for ages does not mean it is right.
The second major point is that where proper measures are put in place, such as good identity management, secure access and encryption, and users then circumvent them in order to do their job, questions need to be asked about the practicality of those measures. If, for example, encrypting someone’s laptop slows it down significantly, users will be tempted to work around the encryption, and the data is exposed again.
Any security implementation must contain at least a nod to usability, so that problems with speed or accessibility show up before users run into them. A good implementer would pick up on such shortcomings and work to improve the system rather than leave users tempted to circumvent it.
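A measure is only worth the false sense of security it gives unless someone verifies it is actually in effect: the article notes that the encryption state of the lost laptop is not known, and that users work around encryption that gets in their way. The script below is an added example, not part of the original article, of the kind of check an organisation could run across its Linux laptops to confirm that the filesystems holding work data sit on a dm-crypt (LUKS) layer. It assumes util-linux `findmnt` and `lsblk` are available and that the file is saved as `fde-audit.sh` (the filename is an assumption used only to decide when to run the audit automatically).

```shell
#!/bin/sh
# Added example (not from the article): report whether the block devices behind
# the given mountpoints are encrypted with dm-crypt. Exit status 0 means every
# checked mountpoint is encrypted, 1 means at least one is not, 2 means a check
# could not be performed (tools missing, mountpoint not backed by a local disk).

# Pure helper, usable offline: reads one device TYPE per line on stdin, as printed
# by `lsblk -sno TYPE DEV` (the device itself plus all of its ancestors, e.g.
# "lvm", "crypt", "part", "disk"), and succeeds if any layer is "crypt".
ancestry_has_crypt() {
    while read -r t; do            # default IFS trims any padding lsblk adds
        [ "$t" = "crypt" ] && return 0
    done
    return 1
}

# btrfs (and some other) sources are reported as /dev/sda2[/@home]; lsblk needs
# the bare device name, so strip the subvolume suffix.
strip_subvolume() {
    printf '%s\n' "${1%%\[*}"
}

# Live check: resolve a mountpoint (or any path under it) to its source device and
# walk back towards the physical disk looking for a crypt layer.
mount_is_encrypted() {
    mp=$1
    command -v findmnt >/dev/null 2>&1 || return 2
    command -v lsblk   >/dev/null 2>&1 || return 2
    src=$(findmnt -no SOURCE --target "$mp" 2>/dev/null) || return 2
    src=$(strip_subvolume "$src")
    case "$src" in
        /dev/*) ;;
        *) return 2 ;;             # tmpfs, NFS, etc.: not a local block device
    esac
    lsblk -sno TYPE "$src" 2>/dev/null | ancestry_has_crypt
}

# Audit every mountpoint given on the command line (default: / and /home) and
# print one PASS/FAIL/UNKNOWN line per mountpoint.
audit_mounts() {
    [ $# -eq 0 ] && set -- / /home
    rc=0
    for mp in "$@"; do
        mount_is_encrypted "$mp"
        case $? in
            0) printf 'PASS    %s is on a dm-crypt volume\n' "$mp" ;;
            1) printf 'FAIL    %s is NOT encrypted\n' "$mp"; rc=1 ;;
            *) printf 'UNKNOWN %s could not be checked\n' "$mp"; [ $rc -eq 0 ] && rc=2 ;;
        esac
    done
    return $rc
}

# Only run the audit automatically when executed as fde-audit.sh, so the helpers
# can also be sourced and used individually.
case "${0##*/}" in
    fde-audit.sh) audit_mounts "$@" ;;
esac
```

Run it as `sh fde-audit.sh / /home /media/usb` on each laptop, or from a fleet management tool, and treat a FAIL as exactly the kind of circumvented control the article describes: an unencrypted external drive or a separate unencrypted /home is the usual way users get their speed back. Note that a `crypt` layer only proves the volume is encrypted at rest; it says nothing about passphrase quality or whether the machine is left suspended with the key in memory.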
So where does that leave organisations? Many are still suffering from the inertia described above, which means there are organisations out there with little or no data protection measures in place beyond guidelines. It also means there are others with ill-thought-out measures that are ignored or circumvented by users, resulting in exposure and, possibly worse, a false sense of security too.