Government Technology

Undoing political damage
In the information age, organisations need to address the problem of data breaches, argues BCS security expert David Lacey

2007 was a watershed year for data management. Until then, business executives, though supportive of data security, had their sights trained on the bigger picture and rarely needed to drill down into the detail.
    
That all changed when large-scale breaches like the HMRC disc loss attracted huge press attention. Citizens were horrified. Executive directors were terrified. Few could have foreseen how a single security weakness or procedural error could play out in the media and in organisations up and down the country. Data leakage became a new spectre haunting executive boards.

An expensive problem
The financial losses from a data breach can be surprisingly large, as the example of TJ Maxx shows. The retail chain was forced to set aside £65m to cover the costs of a breach caused by a single security vulnerability, including over £5m in security consultancy fees alone.
    
You might think they were unlucky; in fact their losses could have been far bigger. According to figures produced by the Ponemon Institute, a US think tank that has been researching the costs of data breaches for several years, the average total recovery cost from a breach has risen to around £100 per compromised account. More than 45m records were affected by the TJ Maxx breach, causing some analysts to fear a multi-billion pound hit. Fortunately, not all the costs scaled up on a linear basis, and the company was able to escape with no more than a considerable dent in profits. But a smaller company handling the same number of records could have faced receivership.
    
We have to wake up to the fact that, in the words of Sir James Crosby’s report on Identity Assurance: “Identity is the new currency.” And it’s not just personal data that’s becoming valuable to outsiders. Intelligence services and information brokers are also actively seeking to penetrate enterprise networks and databases to steal confidential business data.
    
It’s never been easier or more profitable. Modern hacking tools enable fast, automated scanning of target networks for security weaknesses. And it’s simple for an internal spy to download large amounts of data onto a portable storage device.

Insidious threat
Government agencies, on the other hand, tend to count the costs of a breach in political damage. The loss of 25m people's data on two discs prompted the resignation of a chief executive and a sharp drop in public confidence in government custodianship. In the public sector, the scale of the databases means that a single percentage point of records compromised could represent a population the size of a major city such as Sheffield or Glasgow.
    
What is the cause of this problem? And why has it taken us so long to realise the extent of our vulnerability? One reason is that data leakage is an insidious threat that slowly creeps up on organisations. We react too slowly, like frogs in boiling water, not realising the danger until it’s too late to respond. Root causes of the vulnerability are deep-seated in our systems, processes and culture.
    
Big data breaches are not isolated incidents. Behind each major loss, there are likely to be dozens of minor incidents, hundreds of near misses and thousands of bad practices. It’s just that we’ve not noticed them before. With hindsight we’ve been far too casual about protecting the data we process.

Technology changes
Many of the problems are legacy issues. Decades of automation, downsizing and outsourcing have dissolved traditional control structures and allowed vulnerabilities to creep in.
    
When physical data records were stored in filing cabinets it was hard for outsiders to access, copy or remove them. Progressive changes in technology have massively transformed the risk landscape, but our attitudes and working practices have not kept up. All organisations face this problem, but it’s the public sector that’s most exposed.
    
What’s the answer? What can organisations now do to minimise the future impact of potential breaches? It’s certainly clear that the do-nothing option is not sufficient. The risks are growing. Customer expectations are increasing. And the odds of further incidents are shortening each day.
    
Responding to weaknesses after the event no longer works. There are no quick fixes for complex information systems. And it might not be possible to repair the damage.
    
Instead, we need to be proactive. But simply setting strict policies and standards is not sufficient: managers and staff rarely have the time to read and absorb them, and even if they did, most would not have the budget or resources to enforce them.

The solution
Security awareness is the start of the solution. But monitoring and enforcement of practices are equally essential. Visibility of risks, controls and events is the key to effective security and risk management. And closing the management loop, through regular inspection or audit, is essential.
    
In short, organisations need to bite the bullet and take three major initiatives to address the problem:
    
Firstly, we need to change our attitude to data security. Openness and sharing of knowledge are at the heart of a healthy information society. But additional safeguards are also needed to prevent exploitation of personal or sensitive information. A new security culture is needed. Not one based on suspicion or fear, but one based on confidence and assurance.
    
Secondly, we need to build public confidence in our data guardianship. We need to demonstrate that we are serious about safeguarding citizen and business interests at all times. And that we will admit and respond to mistakes promptly, with speedy investigation and repair of any compromised personal accounts.
    
Thirdly, we need to understand precisely what, where and how sensitive data is at risk, and what steps are needed to reduce the vulnerabilities. This is no trivial exercise in today’s world of complex technology infrastructures and fast-changing business processes. It requires a detailed and continuous review of how the enterprise handles sensitive information. Constructing and maintaining a live information map of sensitive data will be a major challenge and a new security concept to many people. But there is no acceptable alternative.
    
We have also got to ready ourselves for future large-scale data breaches. Because no matter what measures we apply, we can never eliminate the possibility. We need to consider the nature of the residual risks to sensitive data after all practical measures have been taken.
    
We need to think the unthinkable. We need to identify scenarios for catastrophic or unrecoverable events, no matter how improbable they might seem. Then we need to rehearse and test our crisis response.

About the author
David Lacey has more than 20 years professional experience as a senior practitioner in the UK Foreign & Commonwealth Office, the Royal Dutch/Shell Group and the Royal Mail Group, where he served as director of Information Security from 1999 to 2005. He played a major role in the development of the British Standard BS7799 and the associated certification schemes. He has served on many professional Boards concerned with Information Security, including the APACS Security Advisory Group, the BCS Security Forum, The Jericho Forum (which he founded) and the Home Office National Identity Card Private Sector User Group, which he chaired.