I wanted to start this blog because I am getting frustrated with the generally lacklustre approach organisations take to securing our data (or not, as is typically the case).
I have a personal interest in this, as should you, because organisations out there hold personal information about all of us. I have no idea how many organisations hold data about me, but thinking about how many things I am subscribed to, and how many companies I have done business with or have had dealings with, it is a lot, and I would be very surprised if any of it is encrypted.
I want organisations to provide a duty of care and not to have my personal details compromised if they have a security breach. I want people to look after my personal information, as I am sure you want them to look after yours.
Computers have changed everyone’s lives, both directly and indirectly. Storage has become cheaper and larger in size, and portable devices are smaller in volume but larger in capacity and more portable than ever. More data can be stored on smaller devices, which means more can be lost or stolen.
People’s third-hand experience of computers within organisations is mostly positive, but some people’s experience has been bad and in some extreme cases catastrophic.
The cases I am thinking of are those where people are the victims of someone else losing their data, not through any fault of their own, but because an individual or organisation that was entrusted with their personal information has not had the decency to secure it properly.
The most notorious case in the UK is HMRC losing two disks containing all of the child benefit details, approximately 25 million financial records. I was one of the 25 million victims who had personal bank details exposed.
We are forever told about the risk of identity theft and how we should protect ourselves, but it is all for nothing if others can’t be bothered to secure our personal details.
In the past it has not been a criminal offence for an organisation to lose your personal details, but hopefully things are about to change in the UK, and it is about time too!
Most organisations are blissfully unaware of these upcoming changes or how they will affect them, both in terms of what has already been implemented and what is proposed. I am hoping this legislation will change the approach of organisations towards security.
My biggest pet hate at the moment is a blasé attitude towards data security. I have heard “We have implemented disk encryption so we should be covered” so many times, and it is such a naïve approach. It is like fitting the biggest and best locks to the front door of your house, bolting it shut and declaring that no burglars can get in, while at the same time leaving every window of your house open.
Yes, encrypting a hard disk has secured one portion of your estate, but it hasn’t secured all of it, and where there is insecure data, there is risk.
Data is probably an organisation’s biggest hidden asset and, unless you are a cat farmer, the most difficult to control.
I would challenge any organisation to declare that it knows exactly where all of its data is and how many copies there are. Worryingly, in both the public and private sectors, most organisations have little if any control over their data; most of them leak data like sieves, with the biggest offender being the NHS in the UK.
A while ago disk encryption was high on everyone’s agenda; cases like the Nationwide Building Society having a laptop stolen with 11 million customer records on it highlighted the vulnerability of portable computers, and so a wave of disk encryption started. Great, people started to implement security: the five-lever lock was fitted to the front door. Now it is time to get the window locks and burglar alarm fitted. It is time for people to look at securing data, not devices.
You see, it is not the computers that are portable (although I have heard many stories of computers walking), it is the data. Most organisations still try to prevent data from being copied, but there are too many holes to plug. I say let users copy the data, as much as they want; just make sure the data is useless when it is outside of the organisation’s control. If it is encrypted, it is gobbledegook and useless.
It doesn’t matter if you work in the public or private sector, change is afoot, and there will be big fines and also the chance to languish at Her Majesty’s recreational facilities for criminals.
Hopefully, when people start getting £500,000 fines for losing data, they will start to take this matter seriously.
*** This is a Security Bloggers Network syndicated blog from IT Security & Encryption authored by Duncan McDonald. Read the original post at: http://abcnetworking.blogspot.com/2010/01/new-year-new-attitudes.html