Security doesn't happen by wishful thinking. It takes hard work, commitment, and management support. But some organizations still have to be hit with the proverbial two-by-four before they wake up and start doing something, anything, that actually provides some security value.
In 2007, HM Revenue and customs (HMRC) lost PII on 25 million people. PriceWaterhouseCoopers, working with the U.K. Independent Police Complaints Commission, last week completed an investigation into the loss. The results are representative of security problems in many government agencies around the globe. Statements like “systematic failures,” “woefully inadequate processes,” and “fragmented and complex IT systems” were used to describe the findings (see HMRC disc loss was ‘entirely avoidable’). According to the Independent Police Complaints Commission, security simply wasn’t a management priority.
After scores of reported breaches, public outcry about government mishandling of information, and a plethora of resources providing recommendations on basic security practices, there is no reason for government agencies—agencies of the governments that impose regulatory requirements on the rest of us—to fail to provide reasonable and appropriate protection for sensitive information.
No one is perfect. Even with well-designed and managed safeguards in place, information can be lost. The key is to understand the risks and apply resources diligently. That didn’t happen in this case.
The recommendations made by the investigators in the HMRC case are basic and potentially window dressing, quieting the public without any long term effect. Without a change in management attitude--or a change in management--controls will degrade over time. Inattention to the changing threat landscape will result in new ways to compromise information with which they are entrusted.
Organizations, both public and private, that consistently lose information usually have one thing in common. Management is only concerned with the appearance of security, not the actual protection of sensitive data. In every organization, there are those who believe throwing some controls at a network, enough to pass an annual audit, constitutes "enough security." “As long as it looks like we’re doing something,” they say, “we can justify to our customers, shareholders, and employees any data loss incident.” This might be true. Most victims don’t know any better. It often comes down to ethics. Just doing the right thing, even in the absence of a law or with the knowledge that you’ll never be caught.
Ultimately, it will take the growth of public intolerance for negligent or haphazard handling of information. When it’s obvious that management had no interest in protecting sensitive data, or that they took steps to whitewash infrastructure and process vulnerabilities with meaningless, weak controls, they should be summarily replaced. This isn’t always easy to do in the private sector. However, public sector officials answer to the people they serve. We need to start rewarding poor or negligent service with immediate unemployment.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.