I read with great concern this week about the situation in which the UK Government accidentally lost CDs containing 25 million UK citizens' details.
On October 18, CDs carrying the personal details of every Child Benefit claimant were sent to the National Audit Office by a junior member of HMRC. HM Revenue & Customs (HMRC) is responsible in the UK for collecting the bulk of tax revenue, as well as paying Tax Credits and Child Benefits.
What concerns me most is that the data was sent unencrypted. I struggle with this particularly because whenever I'm talking with Government organisations from a mobile perspective, they obsess around the need for massive levels of security.
This situation does underline two of the key factors I've been talking about for many years in respect of security:
1) Security should be there to manage the risk - not to make life hard for the person using the solution/service. If you make it really hard to do things - you will have smart people who will find ways around them. This is demonstrated in this exact example where a junior member of staff sent it via CD as it was probably easier to do so than working with the huge security measures probably in place.
2) No matter what security Technology you have in place - People and Process must also be considered.
It is very scary though that such critical data has been lost in this way!
I'm sure this example will be in every Security Presentation for the next year :)