I want to leave the dizzying world of the GDPR to one side for a short while — so no Articles or Regulations for a bit. I want to talk about a very real but often overlooked threat to a whole gamut of information protection issues — people.
When we consider the arena of information protection it is all too easy to get drawn into the world of IT systems and cyber-crime. Even if we are broader in our approach and consider printed and other forms of information we often only consider the threats from hacking or data corruption, or maybe systems failing and data being lost — maybe extending the risk as far as a fire destroying records etc.
This a poster from the National Archive. It is circa 1939–1946 and had an important message about information security that is as every bit as pertinent today as it was then.
A few months ago, a conversation was ‘overheard’ on a train leaving London. It was, apparently difficult not to hear the one side of the conversation. It was about a FSTE 100 company and how they had a data breach of financial records and how Mr X (as I will call him) was “going to get the sack for it on Monday”. I’m sure three things happened after this: The company suffered reputational damage from ‘gossip’; the young lady who was talking on her mobile so unguardedly was sacked maybe straight after Mr X; and the young lady was utterly surprised at the consequences of her ‘careless talk’.
People may well consider her actions as exceptional and that it is obvious that one shouldn’t discuss sensitive corporate matters in public. If, however, staff have not been educated as to what is and isn’t acceptable then some of the responsibility rests with the management of the organisation.
We need also to consider everyone that has access to our offices as a potential insider threat. Cleaners, external IT techs, phone engineers etc. etc.
The threat part can be categorised three ways; accidental, negligent or malicious. Accidental threats or incidents occur when people do something by mistake — human error — such as clicking on a link and getting malware etc.
Where someone causes an incident by circumventing policies to make their job easier, then this is classified as negligence.
Where it is the intent of the individual to cause damage to, or steal data then this is malicious.
So, what is the best way to reduce insider threats? Clearly education and training have a vital role to play in safeguarding information. Managers must also lead by example — they must be role models for their departments and juniors. Strong vetting when it comes to contract staff — both those working for the organisation and cleaning companies etc., will reduce the risk by third parties.
Strong policies about the confidentiality of waste and the secure destruction of discarded print-outs etc. should eliminate the chance of an embarrassing ‘found at a landfill site’ type of news item hitting the headlines.