
An article relating to this blog post on Finextra:

US authorities bust card hacking gang in biggest ever ID fraud case

US authorities have indicted an international criminal gang thought to be responsible for the theft and sale of over 40 million credit and debit card numbers that were hacked from the computer systems...



It's not the technology, we're dropping the security ball

The charging of the individuals involved in the US retail ID theft is great news for business. However, it is also bad news. Why? Because this basic problem should not have happened. It is irrelevant whether the charged individuals gained access via a wireless network or by any other method. It was a failure of the organisations involved to implement their 'basic controls' and then maintain and monitor them.

In the third century BC Archimedes was employed to produce machines that could defeat the Romans by smashing their siege ladders as they placed them against the huge city walls of Syracuse. The solution worked for a while, until the citizens became overconfident and dropped their guard. In this case it wasn't the failure of the city defences that led to defeat but the complacency of the people who trusted them.

Looking back over the past six months, nearly all, if not all, of the 'notable' data security issues have been down to a failure to implement and maintain 'the basics': from educating staff to take care of the information entrusted to them, to implementing technical controls and then monitoring and maintaining them.

The latest information security breaches survey, carried out by PricewaterhouseCoopers for the UK's Department for Business, Enterprise and Regulatory Reform (BERR), states: "Companies increasingly realise that their people, while their greatest asset, can be their greatest vulnerability and so need to be educated on security risks." The survey found that more than half of the UK companies surveyed had not carried out a formal security risk assessment, and that 67 per cent did nothing to prevent confidential data leaving their premises on devices such as USB sticks.

Fundamental apathy towards auditing and reviewing process and technology controls should not be accepted as any form of good practice. Organisations that fail to adopt and adhere to the basics should accept that, when they become victims, it is their own fault. What makes this unacceptable is that these organisations are entrusted with other people's (their customers' or staff's) information. It is their duty of care to look after it.

Enterprises need to take responsibility for these issues, and it is in their own interests to share knowledge and improve the risk environment as a whole. One such move could be to embrace the mandatory incident reporting procedures that are commonplace in the aviation industry, which capture not just actual accidents but also near-misses and so provide a more accurate view of the situation, one that gives a sounder basis for future security decisions. California, for example, has made it mandatory for companies to report losses of personal information.

Many organisations are chasing the latest technology or trend in the hope of making a 'fast buck' or being the 'new kids on the block', and there is nothing wrong with that. What is wrong is the failure to implement the accompanying controls adequately, and the inability of senior management to do their jobs when it comes to data security. Surely they should be held personally accountable?

Why does this feel like Groundhog Day? And it will continue to until the basics are addressed and the boring and mundane are recognised as the staple diet of the security industry's support to business.

We can all bleat on: it was the technology's problem, it was a systems failure, yada yada yada!

I look forward to the day we hear about the most ingenious technology attack, one that no one could have foreseen. Today I despair! Please, please do the basics: people, process, technology. Implement policies and standards and maintain them! Introduce an education programme for your staff and maintain it! Audit and monitor your high-risk environments, at the very least, regularly!

Above all, be diligent and ask yourselves: are you really doing what you should be doing as officers of your companies, or just meandering along waiting for the next problem to hit?
