Data loss at the MoD and NHS shows need for stricter security policies

By Ron Condon, UK Bureau Chief
23 Jul 2008 | SearchSecurity.co.uk

Recent revelations over data losses at the Ministry of Defence (MoD) and at the National Health Service (NHS) have made both organisations a laughing stock, but we should all think twice before laughing too loudly.

Last week, the MoD was forced, in an answer to a parliamentary question, to admit that during the last four years, 658 of its laptops were stolen, and another 89 lost. Only 32 of the devices have been recovered. In addition, 121 USB memory sticks have been taken or misplaced since 2004, with 26 of the losses happening this year, including three that contained information classified as "secret" and 19 that were "restricted".

What makes the news even more depressing is that earlier estimates of losses had put the scale of the problem much lower (at 347 laptops stolen between 2004 and 2007). Defence Secretary Des Browne explained that there had been "anomalies" in the earlier reporting process.

Over at the NHS, enquiries under the Freedom of Information Act (FOIA) have revealed that in Wales alone, there were more than 150 incidents of patient and staff data being lost during the past three years. Not all of these involved computer data; in one instance, patient details from an entire children's ward in Wrexham were found on a piece of paper in a puddle.

Both revelations have prompted condemnation from politicians and calls for those responsible to be punished. But, as was revealed in last year's initial review on the loss of the HMRC disks led by PricewaterhouseCoopers LLP Chairman Kieran Poynter, data losses rarely occur simply because one person is lazy, careless or malign.

The Poynter report used forensic detail to show how a fundamental lack of leadership had contributed to a view that it was OK to cut corners in order to get the job done. Everything happened because officials were trying to do the right thing, fighting to meet deadlines and even trying to minimise public expenditure. The potential risk to the data had not been given a high enough priority.

Neither MoD staff nor NHS employees have set out to lose data or treat it with contempt, but senior management must show leadership and a serious appreciation of the problem, backed up by training and some basic technology to protect them from their mistakes. Is it really that hard to enforce file encryption and control file copying on to USB sticks?

For those of us not in the MoD or NHS, this could be a source of entertainment and schadenfreude, but it would be wrong to mock. The only reason we know about these errors is because of the Freedom of Information Act and the power of Parliament to demand answers.

For the rest of industry, it is a lot easier to hide any failings. True, the Financial Services Authority has put the squeeze on financial services companies to ensure they treat personal data properly, and the Information Commissioner's Office (ICO) is increasingly aggressive about breaches of the Data Protection Act (DPA). The requirements of the Payment Card Industry Data Security Standard (PCI DSS) have also prompted companies to take care in handling credit card data.

But isn't security about more than just complying with the rules that others set down and ticking the box to get the inspectors off your back?

Shouldn't security be focused on identifying precious assets and protecting them?

The fact is that you can be compliant with all the regulations, and still open to seriously damaging breaches. For instance, are you sure you could stop a member of your staff from copying customer data on to a USB stick, or attaching it to an instant message sent to a rival company? How would that affect your company's performance and reputation?

And is intellectual property -- such as engineering drawings and product designs -- properly protected, or could it be copied without anyone noticing? That side of the business is not covered by any compliance requirements, but it could still be disastrous for the business.

The point I'm making is that unless security becomes a top-level concern in organisations, and is driven by a genuine desire to protect valuable assets (and not merely by compliance), then any security programme will be flawed.

Security professionals can achieve a lot, but they can't do it alone. That applies equally in the MoD, NHS and right across the private sector. And yet we seem to be taking far too long to reach that state of enhanced awareness.

About the author:
Ron Condon has been writing about developments in the IT industry for more than 30 years. In that time, he has charted the evolution from big mainframes, to minicomputers and PCs in the 1980s, and the rise of the Internet over the last decade or so. He has edited daily, weekly and monthly publications, and has written for national and regional newspapers, in Europe and the US. In recent years he has taken a strong interest in information security and is a former Editor-in-chief of SC Magazine.
