As a result, the internal IT team typically manages it. Their world is intense and revolves around deploying and maintaining the latest security systems and procedures.
Combatting the threat of DNS attacks and topical threats such as CryptoLocker or watering-hole attacks is always going to be their primary focus. To most corporate and legal observers, the IT security managers are the guardians of corporate security, and of course we all know that we can safely leave all security and IT risk issues to them.
Sadly, this is far from the truth. The real impact of security risks is much further reaching than just purely an organization’s central IT systems. In fact, it will come as little surprise that the greatest flaw in the security of any organization is also its greatest asset – the people that it employs.
In reality, the highest profile, inexcusable, and yet most understandable security breaches are also the most human. This is especially true where technology is involved and where the data is sensitive, such as in the case of legal or financial information. It is a sorry list of disasters that can befall this data – lost or stolen laptops, mislaid memory sticks or disks, emails sent to the wrong people, or just data that turns up in someone else’s garbage.
We can all recall BBC News reporting that ‘discs containing information from three of the UK’s most sensitive inquiries went missing after being put in the post.’ The material was related to inquiries into the role of the police in the deaths of three men, Mark Duggan, Azelle Rodney, and Robert Hamill. The government said it took the loss “extremely seriously.”
However, accidental data loss is not that uncommon. According to the most recent statistics from the Information Commissioner’s Office (ICO) in March 2015, the loss or theft of paperwork was the third largest incident type. This is despite the threat of financial penalties from the ICO, which for the record handles over 14,000 cases a year while fielding over a quarter of a million calls on its helplines. Clearly, the problem is just as common across all sectors too – from central and local government to commercial and legal organizations. However, for obvious reasons it is financial and legal data which is particularly important to protect and often most at risk. Losing case files or settlement figures could, for example, seriously damage the reputation of a practice or legal services department. Generally speaking though, while this type of loss is a core concern, it is not yet a core area of corporate security focus. Therefore, the chances of these breaches happening again and again are often all too significant.
So what’s the main point here? Leaving data security up to one person (or a small team of people) is clearly unacceptable, and while it is easy to say that everyone should be responsible for managing data security, this is too simplistic an answer. To me, there is a potential solution, and it starts with the realization that data is too frequently available across a wide range of formats and media – hard drives, data sticks, etc. However, by moving to an enterprise-wide culture where organizations only store and communicate sensitive data electronically via secure delivery systems, the risks are greatly diminished. If essential, highly confidential data is only communicated electronically via secure means to secure locations, then it can’t be left in a taxi or found in a dump.
Such systems already exist. Indeed, the more innovative practices in the legal sector, along with some local authority legal services departments, are taking a lead here. They are managing all confidential data through secure electronic communication systems, and they are working in unison with technologies such as document bundling, electronic signatures, and identity checking systems. These systems negate the risk of lost devices and mislaid files. The challenge is to create a greater urgency for the need to transform data best practices across other sectors. The fuel behind this happening, however, might be more related to high profile news stories than to any corporate edict. One thing is for sure: it is likely to be adopted first and quickest by those who have already suffered a data breach and sadly paid the price.