As I slip back into my 1990 World Cup T-shirt and contemplate getting a 1990 haircut to match (fashion trends have to start somewhere), I notice that security breaches reported to the ICO have topped the 1000 mark. And there has been one recent intervention by the ICO, against {West Berkshire Council: http://www.scl.org/site.aspx?i=ne16523}, that has caught the headlines. It seems to me that nothing ever really goes out of fashion for good, it just gets reinvented with a slight twist. Just as data loss via lost disks has been supplanted by lost memory sticks, insecure web servers will be next. Some day soon, I will be pleased I kept the red cord flares – and some day {i}very{/i} soon I will be tweaking all of last year’s data loss articles and republishing them in a special edition of the magazine (possibly with a red corduroy cover).
One of the interesting things about the security breaches reported to the ICO is the outstanding performance from the NHS. It comfortably tops the charts in the categories of ‘Lost Data/hardware’, ‘Lost in Transit’, ‘Non-secure Disposal’ and ‘Stolen Data/Hardware’ and makes up nearly a third of all the reported breaches. It is tempting to suggest that the only reason that the NHS is not top in the ‘Disclosed in Error’ category is because most of the NHS operators can disclose nothing – their computers have been lost or stolen.
But even allowing for the most extreme statistics on the percentage of the work force employed by the NHS, my guess is that the NHS is outstanding mainly because it seeks to report all of its breaches whereas in the private sector breaches often go unreported. Of course, any breach of data relating to health is highly sensitive (and thus worth reporting) but it’s probably more complicated than that.
Just as the West Berkshire undertaking was published, and two years after the publication of the Poynter Report which was commissioned after the HMRC breach, Cyber-Ark has released the results of a survey showing (for example) that 19% of companies are still using couriers to send large or sensitive files (the very method utilised originally by HMRC to create one of the biggest data losses in the UK). Apparently, 82% of companies now having systems in place to allow them to transfer data (hurrah) but 67% have now adopted FTP as their preferred method to transfer sensitive data – and I am told that is not very secure at all.
Mark Fullbrook, UK Director for Cyber-Ark, claims that those organisations (28%) that are using a web based offering may just as well stand on a street corner and give away their information ‘these services just weren’t designed with sensitive corporate data in mind’.
One measure of the ubiquity of security breach for me was that I reached the stage where I no longer regarded a reported breach as newsworthy. I suppose some real progress has been made in that I have actually reported the West Berkshire story – it’s a while since the last ‘data loss’ story on the SCL site. But I don’t really think we are anywhere near the day when data security breaches are unusual. If we could just cut out the careless ones, we’d be getting somewhere. The ICO’s ‘Top Tips’ for protecting personal information includes some very basic points, including the memorable ‘Beware of window envelopes’ – a warning which has ruined my concentration as there is a box full of those dangerous items in my office (I have to keep on glancing backwards to make sure that they are not going to rush me).
The mundane nature of the ‘Top Tips’ serves to confirm that most data security breaches are the product of basic human failings and, whether designing web servers or filling window envelopes, there is no prospect of human failure going out of fashion. Data loss is here to stay.
