The Victorian Privacy Commissioner has issued a follow-up to its 2008 survey on the secure use of portable storage devices (PSD) in the public sector and found that only six organisations out of 31 surveyed have shown a major improvement.
The latest survey (PDF) examined 31 of the original 55 organisations that had not performed well in 2008. Of them, the privacy commission found that 10 had shown no improvement or had become worse at securing PSDs, seven still had no policies or procedures to control their use, and six only had draft policies. The absence of policies is in contrast to the recommendations of the 2008 survey, which, as its first and foremost recommendation, clearly stated that organisations should have a formal policy on PSD use.
While the privacy commissioner's report admitted that there had been no known privacy breaches in the Victorian public sector, it said the risks could be a "sleeper" issue — an incident waiting to happen — and slammed the attitude of those who had not taken the issue seriously.
"It is difficult to see how organisations that have obligations to manage risk can ignore this significant data security risk. They do so at their peril. There have been sufficient horror stories both in Australia and around the world to alert them to the dangers."
The report stated that the risks in 2008 were still relevant today and noted that the matter could become worse due to the recent increases in PSD storage capacity and decrease in physical size and cost.
"It is conceivable that an organisation's entire dataset could be copied and carried away in a coat pocket in less than a few hours. The risks that this represents for all organisations — particularly the surveyed organisations that do not have any PSD security controls or policies — should not be understated."
One of the largest technological changes that has occurred since 2008 is the wider adoption of tablets and the proliferation of smartphones. The privacy commissioner's report said that this means most people now carry, at all times, at least one device that would be capable of operating as a PSD. Furthermore, the report stated that these devices often allowed the installation of applications that could cause major security issues for government networks.
The report highlighted that smartphones and tablet devices carried additional privacy risks since they were more likely to be targets of theft than cheaper USB sticks. In addition, the problem was compounded, in some cases, by the inability to suitably encrypt the device and the ability for other applications on the device to copy or edit the information.