Breach Fatigue

For a while last year, my life as a blogger was quite easy. Every so often, the ICO lashed out at a public body that had lost some information. It was usually as a result of some policy being ignored, a process circumvented, and some poor swine’s details ending up in the wrong place. I would then write a hugely witty piece lamenting said loss, and how the ICO needed more powers, since £500,000 wasn’t a big enough disincentive.

Well, it’s 2012, and guess what? It’s not gone away has it? This week’s tale of ineptitude concerns the loss of data relating to children in sex abuse cases. Without wishing to get a bit Charlie Brooker what the bloody hell are these people doing? As if it’s not enough that these children’s lives are difficult, the fact that someone is prepared to ignore simple rules regarding the safeguarding of their data is unforgiveable. The problem is compounded by the levels of the fines issued (looks big, but in the greater scheme of things isn’t) and the fact that a Council will just cough up and carry on.

The problem is that for most of these breaches the public, and therefore media, appetite has dropped. Instead try: worlds going to hell in a handcart, some drug addled pop star has popped her clogs, England need a new football manager etc. I understand, it’s a repetitive topic.

But no media coverage means it’s not on the political agenda, which means it’s not the topic du jour that it was this time last year. And we in the IT industry have got our shiny new toys of Bring Your Own Device (BYOD) and (more) Cloud and so many have stopped being indignant about such losses.

So let’s put this another way. This kind of cock up is utterly preventable with technology that’s tried, tested and simple to use. My manifesto for change is simple:

1. Man-up ICO. Start handing out the big ticket fines. Losing someone’s data is bad: they have little recourse for redress. Losing children’s data is a disgrace for the same reason but amplified

2. Let’s start naming people in our reports. The children don’t have an option here, so neither should anyone else

3. Let’s get on and deploy the technology. Encryption isn’t bleeding edge anymore. It’s commodity, humdrum and frankly, a bit boring. But so is Microsoft Excel, and that’s everywhere too

4. Let’s stop accepting the fines, looking shame faced and getting on with things. Let’s give the ICO a 20-fold increase in his fining powers, some nice shiny powers compelling people to remediate against the cock-up happening and a legal requirement for public bodies to publish their InfoSec status in annual reports

5. Let’s offer training to people that handle data, and make them totally aware of the implications of lax care. A bit like when we train firearms officers. If used properly, your tools of the trade are things for good. Used badly or ineptly and they are things that can put lives at risk.

I am pretty sick of reading articles about data breaches that are preventable. At what point is this going to be taken seriously?


About Graeme Stewart, McAfee

I work for McAfee as Director of Public Sector Strategy and Relations, UK&I
This entry was posted in Cloud, Cloud Computing, Consumerisation, Consumerization, Cyber, Data Breach, Data Breach Fine, ICO, Information Security, InfoSec, Legal, Security, Sophos and tagged , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s