Technology and assigning blame

In the last month alone, PA Consulting has admitted to losing a USB memory device containing personal data on 84,000 UK prisoners, a laptop has appeared on eBay containing banking information on approximately a million UK banking customers, and most recently, in a new survey 92 out of the 105 doctors have admitted carrying sensitive patient records on unsecured memory sticks.

In each instance there’s a straightforward solution for removing the risk – e.g. deploying tools that prevent the download of sensitive information onto portable devices, or tools that monitor devices such as laptops and keep track of their location.

Beyond this, there’s the problem of what to do with these employees that have compromised security. Are they at fault for failing to take into account safe computing policy? Did such a protocol exist, and was it adequately relayed to staff? Where does ultimate responsibility lie?

More often than not, these questions will prove difficult to answer due to a lack of available evidence. The organisation doesn’t always know for certain who did what and why, and this can allow those involved to sidestep responsibility for their actions.

Furthermore, this squabbling won’t appease the people whose data has been mislaid – they will want answers as to who is at fault and what is to be done about it. Blame is regularly used as means of explanation, to give people a way of channelling their emotions and to provide closure. However, with security breaches, while an individual employee may have made the crucial error, the organisation in question may have suffered from underlying operational weaknesses, making it an easy target. Of course, this isn’t always what the world wants to hear – if a data breach gets blamed on system vulnerabilities, the media and the public at large will immediately ask why vulnerabilities existed in the first place, again looking for a figure to blame.

Passing the buck from one person to another will only create conflict, and scapegoating employees is likely to be as unpopular internally as it is ethically unsound. At any rate, such action won’t prevent similar security problems recurring. Instead, companies must seek to redress the lack of evidence through a combination of new technology and stringent safe computing guidelines.

A high level of accountability can form the backbone of an overarching corporate security policy, incorporating other areas such as user access levels, safe computing and appropriate behaviour guidelines, that must all be transparent and regularly communicated to staff. This way, is an employee acts alone and with wilful disregard for company regulations, the organisation will be able to demonstrate that it was not at fault, helping to safeguard its reputation in the process.