Thursday 19 June 2008

Mod Data Breaches & the Human Security Element

In the last few days we have seen a gulch of data breaches by the Ministry of Defence and the UK Government, all involving employees leaving highly sensitive and top secret documents on trains. These documents included details about terrorists, wars and organised crime. When analysing these separated cases it is clear the documents in each breach should not of been removed from their secure environments by the employees in the first place, let alone left in a public environment.

These breaches are the classic internal human data breach examples, and shows even the most security conscious bodies such as the Ministry of Defence are always struggling to deal and contain the human security factor. Sooner or later in the process security tends to be reliant on a human being, it is extremely difficult, expensive and can also introduce highly inconvenient trade offs to secure the human interaction, especially when it comes to preventing the removal of physical documents from a site. Even drilling in security awareness to staff offers little guarantee, as there are always individuals who either don't grasp the importance of the message or share the organisations appetite to taking risks. If you think about it, there are just some people in our society who are naturally big risk takers, I'm talking about those people who strap elastic bands to their feet and jump off cliffs, or that boy racer driving a Vauxhall Nova 1.0 who insists on barely over taking you on busy single carriage in the face of oncoming traffic, and pretty much anyone who rides 500cc+ motor cycle.

Part of the security defence against the human element is having a deterrent, so in each of these recent cases we know the employee in question has been suspended (likely pending firing), I'm sure the deterrent in these organisations are well know, if you work the Mod and responsible for a serious data breach, I know your MoD career is pretty much over. But this only goes to prove deterrent is not enough, as deterrent can't actually physically prevent someone from making the decision and physically walking off site with the secret docs.

There are always security measures that can be introduced to prevent these particular action, such as restricting sensitive documents to a need to know basis, but we must accept taking risks and bad judgement is just part of the human condition, and will always be an insolvable security problem facing any organisation, because you simply cannot take the human element out of the equation and there is always a point when apply security measures where cost and trades offs become too great.

No comments: