Ian Kilpatrick, chairman Wick Hill Group: Data Leakage – Planning To Fail
July 2009 by Ian Kilpatrick, chairman Wick Hill Group
After the loss, in a pub car park, of a memory stick containing information said to give access to government tax and benefits records, Gordon Brown declared: “I think it’s important to recognise that we can’t promise that every single item of information will always be safe because mistakes are made by human beings."
The damning list of the Government’s failures to date includes the loss by HM Revenue and Customs of details on 25 million child benefit recipients in November 2007; the loss of details on 5,000 prison staff in 2007; the loss of unencrypted details on 21,000 patients at Colchester University Hospital NHS Foundation Trust in June 2008; and the loss in January 2008 of 600,000 records on members and would be members of The Royal Navy, Royal Marines and Royal Air Force;
This is just a sample of the many incidents made public. Silicon.com estimated that as many as 29 million people were affected by data loss in government departments and public sector bodies in the year ending September 2008.
While we all accept that human error does sometimes occur, given the Government’s abysmal and very long list of failures to protect data, Gordon Brown’s comments bring into hard focus one of the core reasons for these repetitive breaches of security - the attitude that loss is acceptable, and by implication, that the intended higher purpose for which data is held justifies the loss.
While this act of hubris from Gordon Brown may well negatively impact the Government, it does however highlight the dilemma surrounding data management and data security. The dilemma is that the ability to hold and search an ever increasing number of data records, coupled with an ever increasing requirement for access (the Martini effect - any time, anyplace, anywhere) can lead organisations to lose sight of the value of information.
The result is an attitude towards data where it is not treated with the care and respect it deserves. Data is so valuable it should be treated in the same way as cash - controlling who has access to it and monitoring its use carefully.
A KPMG report of September 2008, looking at data loss, found: “Risks and errors are greatly reduced by implementing appropriate and clearly defined procedures around the use and handling of data. Staff need to understand what is expected of them with regularly implemented, tested and updated awareness training and education programmes.”
The report also recommended ‘given the personal data they store and the relevance to the general public, it is essential that government organisations reduce the amount of personal data they store and ensure this is securely stored.”
Unfortunately, government departments aren’t following this sensible advice, in part because leadership on data leakage protection needs to come from the top.
A recent article, referring to the Government’s national ID cards programme database, highlighted the sort of problems that can happen. It reported that routine checks found security breaches by staff at 30 local authorities since 2006. Staff accessed personal records ‘without business justification.’
This illustrates that a failure to protect, monitor and then manage data access leads to a culture where unauthorised access or data loss can thrive.
In government, as in industry, there is also the constant strong possibility of ‘data creep.’ This is where one set of data collected for a particular purpose, and having a high confidentiality rating, can be added to data with a lower confidentiality and access authority rating. Sometimes this is inadvertent, sometimes deliberate.
The Government intended with Section 152 of the Justice and Coroners Bill, or its replacement, to enable ministers to make ‘Information Sharing Orders’ with the power to cancel all rights to confidentiality – i.e. data sharing!
The Government will almost certainly have to revisit this because they need to try to legitimise (make legal) the current situation. A survey commissioned by the Joseph Rowntree trust indicates that out of 46 data bases assessed, only 6 were given the green light, i.e. ‘found to have a proper legal basis for any privacy intrusions and are proportionate and necessary in a democratic society.”
The survey found that nearly twice as many were almost certainly illegal under human rights or data protection law and should be scrapped or substantially redesigned, while the remaining 29 databases had significant problems and should be subject to an independent review.
In the security world, how can we be sure that mission critical information is protected and not subject to similar data leakage potential?
We can stipulate that sensitive, critical information should be made available to users on a ‘need to know’ basis and that two factor authentication (with challenge response) is used to validate access. Two factor authentication solutions are available from suppliers such as VASCO and CRYPTOCard.
Sensitive network and mobile data should be encrypted, remote access should be protected, and data copying should be restricted or prevented. Many companies offer products in these areas including Check Point and Marshal8e6.
All of these are part of the solution, but having top management buy-in is critical. If only it were so at government level.