Data Security

In a huge story that has been missed here because of various local upheavals, around ten locations in the North West of England were raided just yesterday, and about a dozen men were arrested in a hastily re-scheduled counter-terrorism operation.  The story was huge not because of the terrorism aspect, but because of a breach of security, more specifically an information security breach that led to the re-scheduling of the operation.  In this case the Head of the London Metropolitan Police’s Anti-Terror Unit, Assistant Commissioner Bob Quick, rushing to a meeting with Prime Minister Gordon Brown and Home Secretary Jacqui Smith at Number 10, was photographed by reporters as he exited his vehicle.  In plain sight, captured by the powerful zoom lens of one photographer, was a top secret document containing sensitive details of the planned operation.  This compromise of information resulted in the hurried re-scheduling of an operation involving hundreds of police officers, for fear that the suspects would be tipped off.

I’ve dealt with this issue in some fashion before, and the current UK case again makes the point that computer hacking, while it is a serious threat, is less likely to be the source of data breaches than more mundane occurrences.  Privacy Rights Clearinghouse (www.privacyrights.org), for example, keeps statistics on security breaches in the private, public, education and healthcare sectors in the US, in which it found that hacking as a source of security breaches ranges from 3% in healthcare to 15% in the private sector.  Education is an anomaly at 52%, which may be a function of students pursuing high-tech studies with legitimate access to the very networks on which they practise their skills.  Privacy Rights found that human/software incompetence and computer theft consistently accounted for over 70% of information security breaches.  Clearly then, while hacking rightly remains a serious concern, there needs to be a more rational and complete view of, and framework for, information security than the fixation on buying firewall appliances and anti-virus/anti-spyware software, necessary as these may be.

The foundation for data security is a classification system for your information, and three tiers of information should suffice for most organisations.  For simplicity we can name them public, restricted, and private.  The first classification should be an easily understood concept: information that is freely available to the public.  Examples of this type of information are annual reports of public companies and press releases or PR publications of various types.  At the other end of the spectrum is private information, which includes trade secrets, employee personnel data, and other data that needs to be kept confidential.  Anything that is not public or private would fall into the middle (restricted) category.  Essentially this category comprises information which, while not private, has no business being out in the public domain except with the explicit permission of authorised information owners.  For appropriate organisations, an additional categorisation, say “secret”, could conceivably be necessary.

The classification of data facilitates the establishment and implementation of standards and procedures that define how such information is treated.  This information handling includes not only who within the company has access to the information but, equally important, rules governing storage, access, duplication, distribution and transportation of the information.  Most organisations stop at defining who has access to information.  It defeats the purpose to allow your Personnel Director access to all employee information but place no restrictions on how the information can be handled.  In the absence of the latter restrictions, he or she could copy all records to a laptop which is subsequently stolen, and sensitive information on your employees ends up in the public domain.  A possible rule could be that all information other than public information be encrypted if copied to laptops.  Obviously there are circumstances where even copying would be prohibited.  Similarly, rules governing transportation of information are absolutely necessary.  Sending information electronically is a form of transport, and while the need for measures such as encryption may be well known, less appreciated is the need for electronic measures to control unauthorised distribution.  Software that is capable of restricting the emailing of appropriately classified documents to persons lacking the requisite security clearance is a must, as is software restricting the ability to print or otherwise inappropriately reproduce documents.  Authorised printed copies of private information could be subject to a restriction that they are transported in locked briefcases and never taken onto public transportation such as buses or trains (or even commercial aircraft).

And it may sound comical to actually write this down, but the latest case shows that it cannot hurt to specify that whenever you are outside of a secure private environment, the information should be properly stored, i.e., put the papers back in your briefcase when you are exiting your car.  These types of restrictions, though in existence decades ago when information was largely paper-based, seem to have been forgotten in modern times.
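The three-tier classification described above and the handling rules that hang off it (access by clearance, encryption before copying to a laptop, no emailing to uncleared recipients, transport obligations on printed copies) can be written down as a small policy engine, which is what data-handling software enforces. The following is an added illustration, not code from the post or from any product it mentions; the clearance model (a person's clearance must reach the document's tier), the optional "secret" tier's copy and print prohibitions, and all names and sample documents are assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple


class Classification(IntEnum):
    """The post's three tiers plus the optional 'secret' tier, ordered by sensitivity."""
    PUBLIC = 0
    RESTRICTED = 1
    PRIVATE = 2
    SECRET = 3


@dataclass(frozen=True)
class Principal:
    """A person; 'clearance' is the highest tier they may handle (assumed model)."""
    name: str
    clearance: Classification


@dataclass(frozen=True)
class Document:
    name: str
    classification: Classification


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    conditions: Tuple[str, ...] = ()  # obligations attached to a permitted action


def _cleared(p: Principal, d: Document) -> bool:
    return p.clearance >= d.classification


def check_access(p: Principal, d: Document) -> Decision:
    """Who may see the document: clearance must reach its tier."""
    if _cleared(p, d):
        return Decision(True, "clearance covers classification")
    return Decision(False, f"{p.name} lacks clearance for {d.classification.name} material")


def check_copy_to_laptop(p: Principal, d: Document, encrypted: bool) -> Decision:
    """Duplication/storage rule: non-public copies must be encrypted; secret is never copied."""
    if not _cleared(p, d):
        return Decision(False, "no access, so no copy")
    if d.classification == Classification.PUBLIC:
        return Decision(True, "public information carries no copy restriction")
    if d.classification == Classification.SECRET:
        return Decision(False, "secret material may not be copied to portable devices")
    if not encrypted:
        return Decision(False, "non-public data must be encrypted before it goes on a laptop")
    return Decision(True, "encrypted copy permitted", ("encryption of the laptop verified",))


def check_email(sender: Principal, recipient: Principal, d: Document, encrypted: bool) -> Decision:
    """Electronic transport: both ends cleared, payload encrypted, secret never mailed."""
    if d.classification == Classification.PUBLIC:
        return Decision(True, "public information may be sent freely")
    if not _cleared(sender, d):
        return Decision(False, f"sender {sender.name} lacks clearance")
    if not _cleared(recipient, d):
        return Decision(False, f"recipient {recipient.name} lacks the requisite clearance")
    if d.classification == Classification.SECRET:
        return Decision(False, "secret material is not sent by email")
    if not encrypted:
        return Decision(False, "non-public material must be encrypted in transit")
    return Decision(True, "encrypted email to a cleared recipient permitted")


def check_print(p: Principal, d: Document) -> Decision:
    """Physical reproduction, with the post's transport obligations attached to private copies."""
    if not _cleared(p, d):
        return Decision(False, "no access, so no print")
    if d.classification == Classification.SECRET:
        return Decision(False, "secret material is not printed outside a secure area")
    if d.classification == Classification.PRIVATE:
        return Decision(True, "print permitted with transport obligations",
                        ("carry only in a locked briefcase",
                         "never take on public transport",
                         "stow the papers before leaving a vehicle"))
    return Decision(True, "print permitted")


def denied(log: List[Tuple[str, Decision]]) -> List[str]:
    """Audit helper: pull the refused actions out of a decision log for review."""
    return [f"{action}: {dec.reason}" for action, dec in log if not dec.allowed]


def demo() -> Dict[str, Decision]:
    """Constructed sample principals and documents; returns every decision for inspection."""
    director = Principal("personnel director", Classification.PRIVATE)
    clerk = Principal("clerk", Classification.RESTRICTED)
    officer = Principal("senior officer", Classification.SECRET)
    payroll = Document("employee records", Classification.PRIVATE)
    press = Document("press release", Classification.PUBLIC)
    plan = Document("operation plan", Classification.SECRET)
    return {
        "director reads payroll": check_access(director, payroll),
        "clerk reads payroll": check_access(clerk, payroll),
        "director copies payroll unencrypted": check_copy_to_laptop(director, payroll, encrypted=False),
        "director copies payroll encrypted": check_copy_to_laptop(director, payroll, encrypted=True),
        "director mails payroll to clerk": check_email(director, clerk, payroll, encrypted=True),
        "director mails press release to clerk": check_email(director, clerk, press, encrypted=False),
        "director prints payroll": check_print(director, payroll),
        "officer prints the plan": check_print(officer, plan),
    }


if __name__ == "__main__":
    results = demo()
    for action, dec in results.items():
        print(("ALLOW " if dec.allowed else "DENY  ") + f"{action}: {dec.reason}", *dec.conditions, sep="\n    ")
    print("for audit review:", denied(list(results.items())))
```

The point of returning a `Decision` with conditions rather than a bare yes/no is that an allowed action often still carries an obligation (encrypt first, locked briefcase), and the `denied` helper gives the audit step the post calls for something concrete to review.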

Having touched the surface of the types of rules that are necessary for information and data protection, I end, as I always like to do in these matters, by trying to locate them in an organisational context.  Technology, as always, will only go so far, for it is a tool to aid effective management and not a substitute for it.  The institution of data security procedures has to be backed by audits to ensure that they are being followed, for in the absence of such checks, breaches will only be found when something goes catastrophically wrong.  In addition to audits, penalties for breaches of data security must be explicitly stated in personnel policy and procedure manuals.  Too many companies struggle, after the occurrence of an egregious breach, to find a personnel policy that is vague enough to allow them to take action.  In the case of Mr. Quick, the application of a penalty was unnecessary, since the larger organisational and cultural environment of the Met served in some measure to remedy the breach.  The operation was successfully re-scheduled and carried out within hours (testimony to operational readiness), and as it later turned out, by the next morning Mr. Quick had already offered his resignation, which was duly accepted.  There is little that leads me to believe that we will develop that culture of accountability anytime soon, so sound policies, well enforced, are probably the way to go.