Dish out the responsibility and minimise risk
Despite lip service paid to the importance of data security, major breaches are still occurring in organisations large and small. Tony Dyhouse offers some advice on how to keep corporate information safe.
We're a quarter of the way through the year and already there have been several high profile security breaches in the headlines. Two of particular note were the Google hack in January and the Twitter phishing attack in February, which spread to thousands of accounts, including those of politicians and major businesses.
We regularly find that attacks don't need to be incredibly sophisticated. Rather, they succeed because people obligingly click on suspect links. In the Twitter case this happened thousands of times over. Curiosity and the immediacy of the moment often overrule common sense.
Furthermore, we still regularly hear about the loss of laptops and flash drives containing unencrypted data.
This is not just happening among private individuals but to companies at the forefront of technology. This raises a worrying issue: businesses simply aren't taking data security seriously.
We can't continue like this. Intrusions into major companies are routine. Like any well-planned attack, they don't try to penetrate the sophisticated security systems. They identify weak points, which are often employees who do not appreciate the importance of data security or the consequences of a mistake. If companies are serious about protecting their customers' data, they need to instil a culture of awareness and understanding of data security among the people responsible for it.
Organisations like Google do deserve credit for coming clean swiftly about the problem, so that it could be addressed quickly. This approach is certainly an important step forward. But patching only fixes the software vulnerability that was exploited; it doesn't stop the next person clicking on an interesting link and inadvertently infecting their computer by another route. Organisations and individuals need to wake up to the fact that data is important, valuable and potentially very dangerous when not handled properly.
...companies need to be prepared at all levels. Relying on technical security isn't enough: the majority of problems stem from user error, and it is at the individual level that they need to be addressed.
The answers are not difficult. To start with, the Information Commissioner's Office lays down sensible best-practice guidelines for all organisations, enabling them to handle data responsibly and comply with the Data Protection Act.
In order for such guidelines to be effective they need to be recognised as important and rolled out in a well-thought-through way, with someone in the organisation taking full responsibility. Proper security procedures need to make sure employees do not compromise the system, and these must be backed up by sanctions for unreasonable failures.
One approach to this could be to learn from other safety models. For example, most big organisations have a fire safety procedure. This usually involves fire safety officers being appointed and given relevant training. These people are then responsible for making sure all staff are briefed on minimising the risk of a fire and what to do if one breaks out.
There is no reason why information security should not be handled in a similar way. It can be a little more advanced, but most of the day-to-day work is basic procedure: what not to click on, what should arouse suspicion, encrypting data on laptops and removable media, and not making unnecessary copies of data.
This could easily become a prescribed role within all major organisations. Specific training could be developed which one member of staff attends each year to keep the company's security policy up to date.
For such a strategy to work, it needs a major company to recognise that data security starts with people, and lead the way in supporting this type of solution. Once implemented successfully in one company, the model could be replicated in other companies to great effect.
Evolving technology will present new challenges, and ever more advanced data security solutions are being developed in response to threats posed by these developments. All this will be wasted if we don't get our data handling practices right. Businesses spend a lot of money on the latest technology to secure their data, so it is hard to see why they shouldn't make the same investment in adequately preparing their staff.
It seems that the most basic and consistent problems are the ones we have the most trouble with, perhaps because they require a management and not a technology-based approach. But this has to change. We cannot continue with this attitude as we move into an increasingly digital society. It is in everyone's interest that we get this right.
Tony Dyhouse is director of the cyber security programme for the Digital Systems Knowledge Transfer Network.