The continuing problem of data loss
The reports of data loss incidents keep coming in. It seems that despite the huge publicity over the past year, loss of sensitive information is still happening at an alarming rate.
We all remember the big incidents that make it into the press like the HMRC child benefit data, Nationwide customer information, and the laptop sold on eBay with a million credit card details. But the much larger number of smaller unreported losses are just as worrying.
It seems that information security has failed to keep up with technology. Advances in communications and storage technology mean that it is easy to store huge databases on small memory sticks, or transfer gigabytes of data in minutes. In some cases it is quicker to transfer an entire database rather than take the time to select only the necessary records. For many of the high profile cases, copying unnecessary data has been one of the root causes of the problem.
But there is simply no excuse for large scale data loss incidents, as we have both the technology and the management tools to prevent it. On the technology side strong encryption is widely and cheaply available and does not cause a significant performance impact on modern systems, and management tools in the form of policies and best practice guidelines have plenty of advice on how to preventing data loss.It appears that the data loss issue is a human problem rather than a lack of tools. Therefore the solution is not a technology one, but rather implementing the tools and methods that are already available. The two most effective ways to do this are through policy controls and security education.
Both 2007 and 2008 were bad years for data loss. Time will tell whether things will improve in 2009, but one thing is for certain: there is no longer any excuse that the problem is not understood. It is likely that future losses will be dealt with harshly both by regulatory authorities and also by the press.