Lord Erroll made it clear that humans are probably the greatest security risk in today’s digital society, citing 419 scams as an example: “Do you know who falls for that? Intelligent people, intelligent people with money!”
Poorer people are less of a target for obvious reasons and, he said, they are more sceptical.
“You can have all the IT security you want, but it won’t help against the bad guys, or those who become the bad guys”, he warned. He told the audience that if someone offered an employee £1 million in these hard times, the offer might be tempting.
Doing a quick calculation on stage though, he said: “if you’re going for it, go for at least £25m or else it isn’t worth it” - £1m would not be enough to live comfortably...
In order to overcome the security risk of human error, or malicious behaviour, he said businesses and organisations should use incentives to make people comply with IT security policies.
Avoiding data loss
Mentioning recent news that the Ministry of Justice lost 2000 personal records, Lord Erroll emphasised the importance of limiting the amount of data being collected and of keeping it for as short a period as possible.
Lord Erroll said it is impossible to design systems that are completely secure, and if you managed to lock down all data, this would hamper the running of your business or organisation. Furthermore, data security is of little use if backups are not secured as well.
Lord Erroll also questioned the security implications of tracking all changes to documents. First of all, it creates a huge amount of data that is bound to suffer a data loss, but it can also lead to unintentional disclosure of embarrassing information. He mentioned a document said to have been used by the government in the run-up to the Iraq war, where through the tracking of changes, it allegedly emerged that parts had been written by a youngster in the USA… Perhaps not seen as a negative data loss by some, Infosecurity notes, but it would certainly have been embarrassing for the government.
Not only can the data trail of tracked changes be leaked, the tracking data could be tampered with to leave a false trail – to cover something up or to shift blame, Lord Erroll mused.
Individual vs state, privacy vs identification
Lord Erroll raised the dichotomies of the individual vs. the interests of the state, and the right to privacy vs. the need for identification.
He mentioned the recent media flurry over the case of Baroness Scotland, who failed to see and photocopy the passport of her housekeeper, who appears to have been an illegal immigrant.
Lord Erroll pointed out that she failed to comply with one set of laws by not checking and keeping a photocopy of the housekeeper’s passport, but that she would possibly be in trouble with the Data Protection Act if she had photocopied the passport, as it would be seen as storing private data…
He said a balance must be found between the individual and the state, and privacy vs identification. Once data is stored, it is no longer private, “and it will be leaked”, he added.
On the other hand, institutions need to hold information on individuals to help them – in healthcare for example, or policing. But gathering this data also causes security problems. How much do we actually need to collect and keep? And how should it be stored?
Although often seen as inefficient and cumbersome, Lord Erroll said the myriad of different databases in the UK is actually providing some sort of security, at least against identity theft, as sooner or later alarm bells will go off with someone. In the USA everything is linked to your tax number, so if that is nicked, your identity is nicked, Lord Erroll said. With the current decentralised system in the UK, it is not as easy to steal your whole identity from one access point.
And if your data is tampered with, or lost, it can have consequences for your life, career, etc., Lord Erroll warned. For example, what would happen if someone obtained personal data on the head of MI5?