Now you CD it, now you don’t

Bank Account DataIt is good to see that Paul Gray resigned from his position as chairman of Revenue and Customs. (It was even better to see Alistair Darling squirm, but that was a more vindictive delight). I’m wary of gratuitous scape-goating with this business of the CDs that have gone missing containing the details of 25m people and 13m bank accounts. However, whatever way I look at it I come back to the thought that there are two ways to secure data, and both start right to the top.

The first way to secure data is physical: you make it physically impossible for your staff to export data. You install PCs without CD drives and disable the CD drives on the PCs which have them. While you are at it you disable the USB ports and impose limits on sending emails with attachments. You place limits on the changes that most people can make to their PCs, and provide them with a help desk and an audited order process to use when they want to do something outwith their permissions. None of this is hard and none of it is particularly expensive, though all of it makes things inconvenient for your staff. Not as inconvenient as having to clear up the mess when the details of 13,000,000 bank accounts get into the wrong hands, of course, particularly when the banks turn sulky and say “we’ve done nothing wrong and we aren’t paying for your mistake Mr Darling”. The banks have every right to be irritated since they do make sure that it is very hard for any member of their staff to steal data. This approach does require that those at the top take security seriously and ensure that adequate security policies are written and that the technology is configured to support those policies. Not rocket science, more a question of those at the top prioritising security, employing competent staff and saying “Make it so”.

The second way to secure data is through cultural norms. You make it impossible for someone to think it’s ok to copy personal data on to CDs and bung them in the post. Likewise you make it impossible for someone to think it’s ok to use real data as test data for new systems, or to dispose of confidential waste other than by shredding it, or to walk away from their desk without activating a password controlled screensaver, or to write passwords on post-it notes, or to look up someone’s personal data without a valid reason, or to leave a laptop in a car or an unlocked cupboard. You make it socially acceptable for someone to say “no, I’m sorry, I’m not swiping you in to the building with my card” or “no, you can’t use my account if you’ve forgotten your password”. This sort of security-focused culture is hard to create where it does not exist already, but it is relatively easy to maintain. The code-breaking at Bletchley Park remained a secret until the 1970s despite the fact that over 10,000 people worked there. A culture of treating data security responsibly is, without a shadow of doubt, down to the leaders to create, take seriously, pay for and maintain.

Slackness about data appears to be endemic at HMRC, which is the point that I am making. According to the Guardian “The chancellor explained that in September the records of 15,000 Standard Life customers had been lost in transit from HMRC offices in Newcastle; in the same month a laptop and other materials were also lost.” The article also mentions 41 missing laptops.

So no matter how I slice and dice this one, I cannot let Gordie off the hook. HMRC was his bailiwick before it was Darling’s. This is the government who’s attitude to security was sufficiently cavalier for the personal details including names, addresses, religious beliefs and sexual orientation of tens of thousand of doctors to be posted unsecured on the internet. This is the government who wants to put you full medical history on the NHS spine. This is the government who want to impose ID cards on us all.

Data is incredibly powerful when it gets into the wrong hands.

The problem is, it’s already in the wrong hands.

Advertisements

4 responses to “Now you CD it, now you don’t

  1. You don’t need me to tell you this, probably, but I shall anyway… The code-breaking centre at Bletchley Park is now a museum, set up relatively recently. It tells the story of what happened there during the war, the incredibly secret and secure work that was done there by those 10,000 people standing behind Alan Turing and the world’s first proper computer.

    And they actually had a lot of trouble setting up the museum. Not for want of money. Not for want of planning permission. Not even for want of materials. The problem they had was they kept going to try to interview the people who worked there, people in their sixties, seventies and eighties, people who had not even been in the same county as Bletchley Park in DECADES. And these people simply wouldn’t talk. The security culture had been embedded in them so strongly that in many, many cases, they simply refused to talk, in the 1990s, about work that had been secret in the 1940s.

    Now THAT is a security culture.

  2. I met a man at my cousin’s wedding who had been a spy in the second world war. He never even told his wife what he did in the war until he was offically allowed to.

    Now that’s security.

  3. What made me particularly incadescent was Darling’s remark that the failure was nothing to do with the cobbling together of the Inland Revenue and Customs and Excise, and the resulting massive job cuts. Ohh, yes. Nothing at all. It’s not as if low morale, loss of experienced staff, and sudden massive change to infrastructure and proceedures could in the least leave some poor tomfool goit floundering about buggering things up. Noooo, that’s never happened.

    Gah.

  4. SoRB, I can absolutely believe that story about Bletchley. I had the privilege of going there with my godmother who’d worked there. She was fascinating and fun, telling us about clambering in and out of the huts via the windows because the doors had stiffened up in the damp. Did she breathe a word about what she did there? Did she buggery.

    Z, that’s another story I can believe. As I have frequently said, that was an heroic generation, and we shall not see their like again.

    There’s a trite comment in Systems Theory, Reed, that if you cut an elephant in half, you don’t get two smaller elephants instead you get a great big bloody mess. It works the other way too.

    Aphra.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s