HSBC Data Loss
Most will know what has befallen HSBC in recent weeks. For those who don't, the bank's seemingly wanton data loss culminated in a £3.2 million fine, along with a well-deserved hammering in the press.
Of course, it could have been a lot worse. The fine itself was reduced from £4.5 million by the FSA as HSBC did not contest the ruling, and in all honesty either amount is small change to an organisation of the size of HSBC. In fact, for HSBC a data loss like this is not quite the catastrophe the media might be making it out to be. Talk of their customer base deserting them in droves is unlikely to become a reality, and the furore over the loss will probably die down relatively quickly, what with the crumbling economy generating new tales of woe on an almost daily basis. However, HSBC are by no means a typical example. Smaller or less financially powerful organisations would be, and indeed are, brought to their knees by mistakes of this nature.
So is yet another high-profile case of data loss really going to change anything? Well for HSBC the answer is yes. This is too big an incident for management to ignore and they will have to act, and act decisively. The media spotlight means their actions will have to be more than just token gestures designed to appease their customer base. However for other companies looking in, history shows us lessons will not be learned and this latest loss will not result in a wholesale improvement in security practices across the board.
This latest piece of evidence that a head-in-the-sand approach does not work will in all likelihood join a list including TK Maxx, Nationwide, nine different NHS trusts and Manchester City Council in becoming examples of data loss that just 'happen to someone else'. The frustration for those among us who do recognise the risk is just how easy it would be for organisations to protect themselves.
So what are the first steps? When a big story like this breaks, the media historically wheels out security experts who peddle the latest technological innovation for locking your information down against the threat of attack, but this direction is looking increasingly impotent in the face of the changing nature of the problem. The reality is that the greatest threat to security lies not with an evil outside entity but within your organisation. Potentially the most costly problem, as HSBC has shown, is a lack of process, knowledge, education and awareness from the top down.
Rather than looking for the next great technical innovation, Information Security should look to the Health and Safety Executive for inspiration. The way in which organisations protect themselves from liability in this area stands as an example of how, with proper process, an obsessive attention to detail bordering on the ridiculous and staff awareness to the point of saturation, Information Security will start to command the importance it deserves within the organisation.
David Cowan,
Head of Infrastructure, Plan-Net plc
Plan-Net Said,
@ 30 Jul 2009 11:21
Hi Steven, In general, implementing good Information Security practice within a company requires a top-down approach where Information Security is part of the organisation’s make-up and there is clear support for ensuring the security of information at the highest level in the business. To obtain this management commitment, a good starting point would be presenting a business case for improving the existing Information Security Management System, which could then lead into either Executive Awareness sessions or an Information Security review to identify the business risks. If you are interested in progressing this further, please contact our Infrastructure and Security team.
Steven Farmer Said,
@ 27 Jul 2009 11:04
That makes sense, unfortunately many organisations don't know where to start. What would your suggestions be?