Despite the fact that since April 2010 a deliberate or malicious data breach can be punished with a fine of up to £500,000, organisations continue to leave themselves vulnerable to attack. A few weeks ago a doctor at North West London Hospitals NHS Trust was found to be in breach of the Data Protection Act for leaving medical information about 56 patients on the London Underground.
As reported to the Information Commissioner’s Office (ICO) by the trust in May 2010, the incident happened when a doctor printed out personal and diagnostic information about his patients in order to carry out an audit. He intended to do this at home outside of normal working hours. Shortly after leaving the underground, he realised the information had been left on the train and returned to inform the station supervisor. The documents were subsequently found by London Transport and handed back to the doctor.
A spokesperson for the ICO said: “Most of us can think of a time when we’ve found someone else’s personal belongings, like an umbrella, left behind on a train. But the last thing we should ever expect to find is highly confidential and sensitive material detailing people’s medical history.”
Our warnings haven’t gone completely unnoticed; awareness about insider threats has grown in the recent past. But many companies’ responses have the appearance of ineffective security theatre.
One case in point: security training for rank-and-file employees. Some CIOs seem to expect that by educating users about the dangers of clicking risky links or downloading unvetted applications onto their machines, these users will stop their risky behaviour.
The truth is, while employee training can offer some ROI by eliminating a small percentage of IT incidents, it’s hardly a cure-all.
According to many security experts, the most prevalent IT security threat arises from negligent insiders. Malicious hackers prey upon enterprise users with the knowledge that no matter how many times your employee may hear about security policies and risks, eventually that user will click a questionable link on Facebook, respond to a phony mail purporting to come from “Her Majesty’s Customs & Excise”, or be duped by a targeted spearphishing attack.
It’s inevitable that costly mistakes will be made because there is a human working at each keyboard attached to those networked PCs and people are fallible. They have bad days. And sometimes they do not stop to think whether they are putting their employer’s assets at risk.
In the case of an employee who has elevated access levels needed to carry out his or her job, an attacker who entices the worker into infecting one computer now also has privileged access into the network. The worker’s account becomes the proxy for the hacker, who knows how to leverage this access for further attacks deeper and deeper into the network.