Real World Computing
Datagate: the truth
The homily "Fire fighting is nowhere near as efficient as fire prevention" ought to hang alongside "You don't have to be mad to work here..." on everyone's office wall, and so should "A security framework is only as strong as the people who work it". Many companies I visit have perfectly adequate security policies written up, often at great expense, which then sit collecting dust both literal and figurative. I've said it before about acceptable usage policies for the internet, and I'll say it again about any security policy: unless all your staff are aware of the policy, what it says, why it exists and how it must be implemented, you may as well flush it down the bog for all the good it will do.
As more and more data goes online, this is becoming increasingly important. Did you know that the NHS is building an online database of patient health records right now, for example? I did because one of the hats I sometimes wear involves informing IT managers within the NHS on upcoming security matters. The Bolton Primary Care Trust already has the summary care records of some 17% of its population uploaded to the NHS Spine, a "secure" online database from where doctors and other health professionals will be able to gain immediate access. In principle, it's a great thing that ensures that if you're taken ill out of hours and your own GP isn't available, your records will still be instantly readable by whoever does treat you. Of course, as the scheme is rolled out across the country and access to our records is made available to ever wider numbers of medical professionals, the matter of security will become increasingly important. At the moment, health staff must complete a training course that stresses the security guidelines before they can access the database, and they must also be in possession of an NHS smart card.
This smart card uses a complicated username/password/PIN login plus a question/response test to ensure only genuine holders can gain access. The trouble is that dropping complex security systems into stressfully busy working environments is always a recipe for trouble. Remember, you can't separate the people from the technology in your security strategy. Imagine a busy hospital ward where every minute matters - under such circumstances, human nature guarantees that instead of repeatedly wasting time with that complex login, you'll log in just once and stay connected throughout your shift. And during that prolonged login, there'll be every opportunity for others to access the database via your open account, some of whom may not be authorised to do so.
As Robin Hollington, Director of Consulting for Peapod UK Ltd, who has been working in the IT security arena for as long as I have, says: "Although professional security experts have been advocating cohesive physical, information and technical security controls for many years, the holistic view is still all too often rejected and the culture of 'someone else's problem' is very much prevalent." Perhaps the Datagate scandal will be a wake-up call not only to government but to all businesses that the time to start taking data security seriously is now, not least because the Information Commissioner Richard Thomas has repeated his call for a change in the law to make permitting security breaches of this kind a criminal offence. Thomas wants the ICO to be able to properly pursue organisations with criminal proceedings, both as a deterrent and to spur them into taking adequate precautions to protect their data. "The onus is now on every organisation to take privacy far more seriously," Thomas says. "Alarm bells must ring in every boardroom. Data protection safeguards must be technically robust and idiot-proof."