The Gatehouse Blog

A lesson in information security

Today’s highly embarrassing announcement by the chancellor, Alistair Darling, that HMRC has lost two discs containing the personal details of 25 million individuals provides a stark reminder of the need for organizations to educate their employees on information security.

It appears that the blunder occurred when "a junior official" sent two computer discs, containing key information about the 7.25 million families in the UK who receive child benefit, to the National Audit Office. This seemingly routine administrative task has put around 40% of the UK population (25 million people) at risk of identity theft and possible fraud.

The discs were apparently sent unregistered using the internal post system run by the courier TNT (Mr Darling was keen to point out that this was a breach of HMRC’s own guidelines). They never arrived and, at this point in time, could be in the hands of fraudsters or, perhaps, sitting under a bush somewhere. A police investigation is now under way, the chair of HMRC has resigned and the government has egg on its face once again. All in all it’s a catastrophic cock-up. And all because one employee wasn’t aware of, or didn’t understand, how to handle data like this (I’m speculating of course, but you get the point). Note, too, that the whole exposure rests on whoever finds the discs being able to read them: had the data been strongly encrypted before it left the building, a lost disc would have been an embarrassment rather than a risk to 25 million people. A guideline is only a control if the people it applies to know it exists and follow it.

This debacle underlines the need for organizations to educate their employees about information security and other aspects of risk management. Dull as these subjects may at first appear, all it takes is a mistake like this, somewhere down the line and possibly at a junior level in the organization, to wreck reputations and seriously compromise the security of benefit claimants, customers, voters or clients.

I remember participating in a really dull mandatory workshop a few years back on information security. It was worse than watching paint dry. It definitely didn’t engage me, and I suspect that for most participants the valuable content just went in one ear and out the other.

What’s interesting is that a topic as important and business-critical as this is often left to the risk management boffins or data protection officers to drive. Internal communications teams are nowhere to be seen, usually tied up on other, seemingly more exciting and important, initiatives.

As communicators we should treat today as a wake-up call. Use it as a topical opportunity to get involved in information security and other risk-related communications. Find out what your organization has done in this area and/or is planning, and offer your services. Educate yourself (the Information Commissioner’s Office is a good starting point) and work with those responsible to bring the subject to life. It doesn’t have to be dull and, as Alistair Darling would no doubt agree, it’s a critically important aspect of organizational life.