On 10th January 2021, an internal employee accidentally deleted over 400,000 records from the Police National Computer (PNC). This includes 26,000 DNA, 30,000 fingerprint, 175,000 arrest and 213,000 offence history records. Is this a data breach, an individual error, or is there a bigger picture here?
Senior police officials admit that there is now the possibility that biometric matches between crime scenes and offenders may not be identified. The data loss or breach has also already caused disarray with the visa application system. The Home Secretary was immediately put under political pressure to take responsibility and to explain a risk mitigation plan. You would like to think that data breaches don’t get much more serious than this. If the data cannot be recovered, then for many crimes, justice will not be served.
User Error or External Attack?
The Government’s own Cyber Security Breaches Survey 2020 (report here) clearly shows that the most common types of breaches by far, are not those of malicious criminal hacking gangs. In fact many are caused by a lack of staff vigilance, adherence to policies, processes and general data security awareness.
The most common breaches involve phishing attacks or impersonation. Of the businesses that are aware of a breach in the last 12 months 86% have experienced fraudulent emails and/or being directed to fraudulent websites. The importance of staff vigilance is noted as being a key learning each year the survey has been completed.
Organisation Responsibility, Culture and Leadership
The Cyber Security Breaches Survey 2020 finds that 80% of businesses say cyber security is a high priority for their senior management. However, what are organisations really doing about it?
The importance of leadership and stakeholder buy-in is something that is at the very heart of developing a robust information security management system (ISMS).
A company is made up of people. How people act and their activities whilst at work has to be managed by the leaders in the business. It starts with education, training, awareness and providing a culture and framework to support that. An ISMS built around a best practice framework such as ISO 27001 will help reduce the risk of people making such mistakes and reduce the impact of those mistakes on the organisation. It also demonstrates to the ICO and other regulatory bodies that you have done all you can to mitigate the risk, reducing the likelihood of big fines.
Quite clearly, the importance of internal staff governance and mitigating internal mistakes is just as important as protecting from malicious external attacks. Information security has to have a focus on protecting data from loss, damage or leakage of any type.
Individuals need to take responsibility for their actions but the education and awareness of the information security approach has to come from the organisations’ leaders. Data security belongs to everyone and everyone benefits from being aware of the approach needed to keep all our data secure.
As a leader, deciding to gain ISO 27001 or ISO 27701 accreditation is a very important step towards leading your organisation to better data compliance. But the most important aspect is to then use such a framework to lead your organisation.