View From The Bunker
A blog about security and availability by Guy Bunker at Symantec

• Home
• About
• RSS

• Recent Posts

  • National Identity Fraud Prevention Week
  • Read All About It
  • A Meeting Of Minds
  • Time For Encryption - Everywhere
  • See You In The Hague

• Tags

  business continuity CNI data-gain data-loss Education email encryption financial loss fix fraud Identity Identity theft impersonation information cost InfoSec ISTR IT department Las Vegas Malicious insider new process no data-loss passwords PCI DSS People Phishing pictures policy Reputation RUSI SaaS SLA security sensitive information SMB social networking Software as a Service Spam Speaking strangers usability USB virtual machine Vision vulnerability whaling Work practice

• Blogroll

  • Ask Marian Consumer Security Blog
  • Bruce Schneier’s Blog
  • Con Mallon’s Symantec Consumer Blog
  • Get Safe Online (The Blog)
  • Gizmodo Gadget Blog
  • Jonathan Schwartz’s Blog
  • Phil Windley’s Technometria
  • Toby Stevens’ Data Trust Blog

• Multimedia

  • Symantec guide to scary Internet Stuff - Phishing
• 

Cultural Failures?

Finally the Poynter report is being released into the HMRC data loss and the conclusion… the loss of records can’t be blamed on a single official. For me the good news is that the poor sap junior official who was being blamed now isn’t - it was never their sole fault, after all they were just following orders. The report highlights ‘cultural failures’ and practices that weren’t what they should have been. The former is an interesting comment and the latter rather obvious given what occurred.

Data loss on a massive scale is not new, if you look back a few years (yes years), the American Veteran Association lost millions of records… TJX did the same… and yet things didn’t change. It’s not just the UK, but across the globe. It didn’t used to be a crime to lose a laptop - the change in the environment has (virtually) made it so. We live now in a time where the attitude towards personal data is beginning to change, but like an oil tanker, it is going to take a while to turn around. Most companies (and governments) don’t know where their sensitive data is - and until they know that, how can they possibly protect it? If they don’t know which business processes handle or even touch sensitive data then how can they change them?

Information security policies need to be created, consistently implemented and then audited - on a regular basis.

If you have a bank account, a credit card, pay taxes, do a little shopping online, then your details will be in around 700 databases! If you are one of the people handling sensitive data (or think you have sensitive data) then look at what you do - look at where you can fix potential issues or find someone else who can. Technology alone is not the silver bullet. Above all else, treat the information you handle with the same due care and attention that you would want others to do with yours.

It is only when people truly understand the risks and consequences and change their behaviour that the culture will change.

comments

• Subscribe

  

  Enter your email address:

  Delivered by FeedBurner

• Podcasts

  
  Detach Player
  

   

• Symantec Security Response Weblog

• Links, downloads and other resources

  Symantec UK
  Symantec Podcast Directory
  Symantec Security Response