I’ve said this before, but I’m going to say it again. By all means, worry about hackers – after all, they may be out to get you. Go ahead and buy that firewall; pay that technology company for their perimeter defence audit. Invest in anti-malware and anti-virus software. Have effective and tested plans in case you’re flooded, or snowed in, or everyone gets Ebola.
Do all these things.
But you won’t be secure. Not unless you also – in fact, first of all – spend money and time on training your staff and modifying your business procedures to put thinking and acting securely in the front of people’s minds. Hackers might get in; viruses might infect you; God might act – but your staff will drop the ball. No ifs, no buts, no modal verbs.
If you don’t train them, they won’t learn. We’ve not had the need for data security long enough, it seems, for it to be basic human instinct. You’d think we’d have figured it out, wouldn’t you, after HMRC managed to leak 25 million individual child benefit records by sending unencrypted CDs in the post – causing a grand furore and the resignation of the Chairman. The first sentence of the article I linked to in the previous sentence reads “The practice of sending across the country unencrypted, CD-based files … could have continued indefinitely if the discs hadn’t gone missing…”.
Could have gone on indefinitely? That was in 2007. A little over seven years ago. Long enough to learn by now, don’t you think? From the BBC today:
Apparently the government “takes information security extremely seriously”. No it plainly doesn’t. These are the first four relevant results of one quick search for “police lose sensitive data”:
It’s a little ironic, isn’t it, that the Prime Minister recently spoke out against encryption, for fear that spooks might not be able to intercept all our communications. Perhaps instead he should have focused on getting government departments to use encryption in the first place, so that we have less chance of intercepting theirs.
From the government’s perspective, this is an embarrassment. If the ICO fines the police, this will just be money moving about inside the State. But if you make the same mistake, I expect the ICO’s six-figure fine might not be so easily shrugged off. There’s not a competitive market in policing, either, so we don’t get to change suppliers just because they have data security policies made out of Swiss cheese. Your customers, on the other hand, do have a choice, and they will exercise it.
TL;DR? Get security awareness training for your staff. Now.