BIZFACE® - UK Business Forum
Internal Staff are Greatest Security Risk
21st September 2008, 15:21

Internal Staff not Hackers are greatest source of security risk

In the UK we have seen a brouhaha in the press made as a result of the loss of sensitive data left on a pen drive. Apparently a full set of an unencrypted database was on the USB drive containing full personnel details, including addresses, of a major section of the public sector. I must say this was for me no real surprise. Loss of data (or security breaches) are commonly not due to a fault in the IT security systems but in the breach of security practices by users - and lax thinking about the potential gold mine that data represents for criminals or terrorists alike. I must admit myself that it is all too easy when developing software to request test data and be given a full personnel file without any question - I have had on my laptop the complete records of a major defence organisation in order to demonstrate a system at a major conference - so it does happen. In my case this shock realisation led to immediate deleting of the offending material as I had breached security guidelines and was legally liable. In the recent case in London this is what happened: a consultant who was working on new processes took away a sensitive data set, probably to work on it at home over the weekend - so his extra work and good citizenship got him and his company in trouble, both of whom were subsequently fired as a result.

Security breaches are becoming rare from the lonely geeks in front of PCs in the middle of the night as we are starting to get a grip on these characters and their methods have become less and less sophisticated as time moves on. What is disturbing is the lack of attention we have given as managers and users to data security and the management of confidential information.

In a recent report it was highlighted:
  • That 39% of data breaches involved business partners - sometimes the data being compromised at the partners' offices.
  • Insiders are the biggest threat to data security and disgruntled personnel especially can be approached by criminals - just think how easy it is to just send a zipped file with all your confidential data outside your organisation - what checks do you have in place?
  • Organisations in practice have very little control over a business partner's security - in practice it is blind faith. In the banking system, the FSA in the UK made it clear recently that companies are still accountable for data security in an outsource situation: liability cannot be outsourced. If a partner loses or compromises your customers' data you are still liable - they can impose severe sanctions and fines if it goes wrong, as the Norwich Union in the UK found to its cost.
  • Badly configured systems are another area where breaches can be facilitated - sometimes security systems are completely absent (what's your security like?).
  • Executives, consultants and IT staffers who take home their laptop full of sensitive information then let the kids surf the web using Mom's PC - do your kids adhere to the company security policy when surfing the web? I doubt it. And what about all that spyware they have just loaded onto your work machine!!

One point we must all be aware of before we loose the security mafia on our people is that ill-informed security policy can actually have quite the opposite effect to that intended. If it is too difficult for users to get at the data to do their jobs, don't underestimate their ability or ingenuity to use access rights to get at the data anyway. Far better to have a grown up discussion and train them in the proper use of sensitive data and good security practice. I know from personal experience that the reported extent of losses of data, laptops, pen drives or CDs is the tip of the iceberg. I have known people have the entire data set for all the staff in a hospital on their laptop before they were pulled up and senior staff almost in tears as a result of losing a CD with very sensitive data on it. It goes on and we are turning a blind eye to it. If we don’t want to get on the front page of some red top newspaper and have people baying for our blood we best start looking at this. Security policy and the training of staff in the risks of confidential information getting into the wrong hands and in the correct way of ensuring what is confidential data remains just that is a key task in IT security. Relying on ever more sophisticated hardware and software solutions just will not cut it - as always the human factor will intervene and ensure that these sophisticated systems can and will be breached.

Royston