Lessons to learn from a year of data breaches
In the year since the HMRC data breach, many more have been made public – here’s a roundup of 11 lessons (we should have) learned.


MI5 uses the tech as well, which is handy, as it lost a portable computer through an open window in October.
And while the General Teaching Council failed to pay attention to the moral of the HMRC story (don't put important things in the post), its lost disc was helpfully encrypted, meaning the 11,423 affected teachers could sleep a little easier.
The majority of the other cases in the past year haven't involved encrypted media, but why not? The tech is cheap and relatively easy to roll out. One caveat worth stating: encrypting a disc only helps if the passphrase or key does not travel with it and is strong enough not to be guessed. The point could become moot in the next few years, as the next version of Microsoft's Windows operating system is expected to have encryption built in, though does anyone want to wait that long, or depend on Microsoft to keep us safe? Didn't think so.
Lesson Six: People are the weak link
No matter what tech you use, or what policies you put in place, it all comes down to people and their skills: do they know about data security, and are they even capable of keeping things safe?
Indeed, speaking at a Gartner security summit, Martin Smith, chairman of the Security Awareness Special Interest Group (SASIG), said that no matter how shiny and cool and secure a firm's tech was, "the people screwed you in the end."
With that in mind, the government has announced that all civil servants handling private data are to get security training: a good first step, but it needs to be expanded. Is there any arm of the government which doesn't handle people's private data?
Lesson Seven: Hold less information
One of the problems with the HMRC case was how much information was on the discs. After the breach, reports revealed that less information was actually requested by the intended recipient, the National Audit Office, but the tax body didn't have the time or money to strip fields out of the database, so more information was sent than necessary.
And as the government looks to collect more and more data on its citizens, for projects like the national identity card scheme, this problem will only grow. This point was hammered home in a report from none other than the Home Affairs Committee, which said the government should keep watch on "function creep" and adopt a principle of what it called "data minimisation", collecting only essential information.
"What we are calling for is an overall principle of 'least data, for least time'," said committee chairman Keith Vaz at the time. "We have all seen over the past year extraordinary examples of how badly things can go wrong when data is mishandled, with potentially disastrous consequences."
The ICO has also repeatedly called for less information to be held, but the government doesn't seem to hear its own watchdog barking.
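The operational failure in Lesson Seven (an extract sent with every field because stripping columns was too much work) and the committee's "least data, for least time" principle can both be enforced mechanically at the point of export rather than left to whoever is under time pressure that day. The following Python is an added illustration, not code from HMRC, the National Audit Office or this article: the column names, the sample rows and the permitted-field policy for the recipient are constructed assumptions.

```python
"""Field-level data minimisation for an outbound extract, plus a retention check.

Added illustration for this article; not code from HMRC, the NAO or ITPro.
The sample records, column names and the permitted-field policy are constructed.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample of what the sending body holds (assumed column names).
FULL_EXTRACT = """\
id,name,dob,address,national_insurance,bank_sort_code,bank_account,child_benefit_ref
1,A Example,1980-01-01,1 High St,QQ123456C,12-34-56,12345678,CB0001
2,B Sample,1975-06-30,2 Low Rd,QQ654321A,65-43-21,87654321,CB0002
"""

# Assumed policy: the only columns this recipient is ever entitled to receive.
PERMITTED_FIELDS = frozenset({"id", "dob", "child_benefit_ref"})


def minimise(csv_text, requested_fields, permitted_fields):
    """Project the extract onto the requested columns only.

    Returns (csv_out, dropped_columns). Fails closed: a request for a column
    outside the recipient's permitted set raises instead of being sent
    "because it was easier", and an unknown column name is an error rather
    than a silently empty column.
    """
    requested = list(dict.fromkeys(requested_fields))  # de-duplicate, keep order
    not_permitted = [f for f in requested if f not in permitted_fields]
    if not_permitted:
        raise PermissionError(f"not permitted for this recipient: {not_permitted}")

    reader = csv.DictReader(io.StringIO(csv_text))
    available = list(reader.fieldnames or [])
    unknown = [f for f in requested if f not in available]
    if unknown:
        raise KeyError(f"requested columns not in extract: {unknown}")

    dropped = [f for f in available if f not in requested]
    out = io.StringIO()
    # extrasaction="ignore" is what actually strips the unrequested columns.
    writer = csv.DictWriter(out, fieldnames=requested, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow(row)
    return out.getvalue(), dropped


def overdue_for_destruction(releases, today):
    """'Least time': return labels of releases held past their retention period.

    releases: iterable of (label, sent_on: date, retention_days: int).
    """
    return [label for label, sent_on, days in releases
            if today > sent_on + timedelta(days=days)]


if __name__ == "__main__":
    out, dropped = minimise(FULL_EXTRACT, ["id", "child_benefit_ref"], PERMITTED_FIELDS)
    print(out)
    print("dropped:", dropped)
    try:
        minimise(FULL_EXTRACT, ["id", "bank_account"], PERMITTED_FIELDS)
    except PermissionError as e:
        print("refused:", e)
    # Constructed dates: a 30-day retention period that has long since expired.
    print(overdue_for_destruction([("extract-2007-10", date(2007, 10, 18), 30)],
                                  date(2008, 1, 1)))
```

The point of the allow-list is that the export tool, not the person under time pressure, decides what leaves the building: a request for a column the recipient is not entitled to fails rather than being waved through, and the returned list of dropped columns is a record of what was withheld. The retention check covers the "least time" half of the principle; an extract that has served its purpose should be destroyed, not kept in case it is useful later.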
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.