It’s been a long time since the Government Gateway was in the news. Today there are 259 related items in Google News. And, of course, it has gone international, with multiple languages evident in even the first page of news. And most of them aren’t good news stories, rather retellings of what must be a standard-form news story by now:
“Memory stick containing details of millions of customers/patients/armed forces members/taxpayers/benefit recipients/credit card holders lost. Fears over identity theft/terrorist action/confidentiality breaches reach fever pitch”
Of course it hurts all the more so when it’s something that I was intimately involved in, albeit I haven’t been near it organisationally for 4 years, but the relentless and unending series of data loss fiascos is taking a huge toll on public confidence. It isn’t just government organisations that lose data (see my post, 25 million green bottles, from almost exactly a year ago and the follow up about 3 months ago) but when governments do it (and, again, it isn’t just the UK government) the potential impact and the surrounding noise are orders of magnitude larger.
What someone was doing with a memory stick containing customer login details I have no idea. Why would anyone need such a thing? And why would he or she be in a pub carpark? On second thoughts, don’t answer that last question.
I suspect that there are elements of truth and untruth in the Mail on Sunday’s front page story – oh, the times we used to hope for headline news for e-government, but not this kind of headline – and that the real story is perhaps quite different. But it doesn’t matter; the damage is done. It’s another “IT incompetence” story to add to the seemingly infinite list.
It seems, to me at least, that the actions I put forward a year ago are just as valid:
1. Lock down data exchange now. People come to the data, not the data to the people. Until better processes are in place, this should stop the problem from getting worse.
2. All staff should be taught the “green cross code” of using computers. The very basics need to be re-taught. For that matter, the code should be taught at schools, colleges and libraries.
3. The spooks should lead a review of deploying encryption technology to departments holding individual data so that all correspondence is encrypted automatically in transit using appropriate levels of protection for the job. This will be expensive. The alternative though is to make encryption optional – but because you can choose, sometimes people will choose not to (because it’s too slow or something) and the problem will recur.
4. Systems being architected now and those to be architected in the future will look at what data they really need to hold and for how long and will, wherever possible, make transient use of data held elsewhere. The mother of all ID databases would be a good place to start.
Where I work, memory sticks don’t work. Plug one in and it just doesn’t work (and we’re using Windows XP rather than anything fancier). So perhaps the next actions are:
5. Any contractor or third party working with or alongside government agencies must deploy a standard desktop and server build that disables memory sticks when they are inserted into a USB slot. For good measure, they should perhaps ensure that if a memory stick is even inserted, it is securely and irrevocably wiped. Such third parties would have 90 days to implement this capability across their entire organisation or would be banned from working on government contracts – existing and new – until they had completed the task.
6. Any member of such an organisation found to be carrying a memory stick during the period from now until the redeployment of USB countermeasures was complete would be prevented from entering any government building or using any government IT. This would be enforced through random searches, x-raying of bags on entry into buildings and so on.
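For the “memory sticks just don’t work” build in item 5, the control most Windows XP-era desktops used was simply to stop the USB mass-storage driver from loading. The script below is an added example, not anything from the original post or from the Government Gateway programme: it sets the long-documented `USBSTOR` service `Start` value to `4` (SERVICE_DISABLED) and reports whether a machine is compliant, so the same check can be run across a fleet before the 90-day deadline the post proposes. The registry path and the `Disable-`/`Test-` function names are the example’s own assumptions; it needs local administrator rights and does not attempt any wiping.

```powershell
# Added example (not from the original post): enforce and audit the
# "USB storage disabled" setting of a standard desktop build.
# Assumption: a Windows host where the USBSTOR driver key exists at the
# standard HKLM path below.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$Disabled   = 4      # SERVICE_DISABLED: the driver is never loaded
$SystemRoot = $env:SystemRoot

function Get-UsbStorageState {
    # Returns 'Disabled', 'Enabled' or 'Unknown' from the driver's Start value.
    $item = Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Unknown' }
    if ($item.Start -eq $Disabled) { return 'Disabled' }
    return 'Enabled'
}

function Disable-UsbStorage {
    # Stop the mass-storage driver from loading for devices already installed.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $Disabled -Type DWord

    # A stick never seen before is installed via Plug and Play from usbstor.inf,
    # so deny ordinary users read access to the setup files as well.
    foreach ($f in 'usbstor.inf', 'usbstor.pnf') {
        $path = Join-Path $SystemRoot "inf\$f"
        if (Test-Path $path) {
            $acl  = Get-Acl $path
            $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
                'Users', 'Read', 'Deny')
            $acl.AddAccessRule($deny)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

function Test-UsbStorageCompliance {
    # One row per machine; collect these centrally to track the rollout.
    $state = Get-UsbStorageState
    return [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Checked    = (Get-Date).ToString('s')
        UsbStorage = $state
        Compliant  = ($state -eq 'Disabled')
    }
}

# Usage: audit first, only remediate where needed, then re-audit.
$before = Test-UsbStorageCompliance
if (-not $before.Compliant) { Disable-UsbStorage }
Test-UsbStorageCompliance | Format-Table -AutoSize
```

The two halves matter: setting `Start` to 4 alone stops sticks that have already been installed on the machine, while the permission change on the `usbstor.inf`/`usbstor.pnf` setup files is what blocks a brand-new device from being installed by Plug and Play. Neither step makes the port itself unusable, so keyboards and mice keep working, which is the behaviour the post describes. Note that a local administrator can reverse both settings, so the check function, run regularly and reported centrally, is as important as the one-off disable.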
Extreme? Possibly. But it seems that every measure short of this is not working, and that, short of opening up all of the firewalls and setting server passwords to default, any public or private sector organisation – and I mean that in the widest sense, as whilst we in the UK see our own examples more frequently, everyone else has the same problem too – could hardly do a worse job of securing data.