Data loss and security breaches happen every day, but these days the loss of a million or so personal records will probably make the news for a day at best. Back in 2007 when the HMRC lost a couple of CDs containing personal information, the largest reported data loss at the time, it was in the news for weeks and resulted in high level resignations.
So what has changed?
Compliance has tightened, financial penalties have increased and are actually enforced, and both household names and global businesses have been publicly embarrassed. Cybercrime is now said to be worth more on a global scale than the illegal drugs trade, and the activities of politically motivated 'hacktivists' now compete in number and sophistication of attacks with their financially motivated counterparts.
However, many people still view information security as someone else's issue as long as they are not directly affected, and act reactively rather than proactively. Human nature, I guess.
If we go back a couple of years, interest in endpoint security grew following a period when lost USB memory sticks and unencrypted laptops were frequently at the centre of reported data breaches. However, security measures were often implemented after the event, to demonstrate compliance and win back customer confidence. It would have been more effective, cheaper and less damaging to put something in place before the data was compromised, because once it is out, who knows where it goes?
Recently, a member of the Information Security Community group on LinkedIn started a discussion asking people to use one word to describe the biggest challenge facing information security today. Some appeared to struggle with counting, but the results were revealing in what they showed, if not entirely surprising.
Just taking a snapshot of comments posted over a month[1], the consistent themes of people, awareness and attitude accounted for half the challenges identified. The discussion continues to attract posts daily, so if you are a LinkedIn user you can see the trend for yourself, but the underlying message is clear.
| Theme | Share of comments |
| --- | --- |
| People / Users | 23% |
| Education / Awareness | 14% |
| Attitude / Complacency | 11% |
| Ownership / Responsibility | 8% |
| Trust / Ethics | 8% |
| Convergence / Integration | 7% |
| Cybercrime / Hackers | 7% |
| Zero Day Attacks | 4% |
| Cloud / Social | 4% |
| Financial | 4% |
| Others | 10% |
It suggests that people's lack of awareness, disinterest and complacency in the handling and management of sensitive data have to be challenged if practice is to change. Rather than seeing it as a problem to be addressed in order to satisfy the compliance auditor, information security should be incorporated into your overall strategy and treated as a business process in its own right.
Unless we educate and raise awareness to create a change in attitudes and actions, I suspect the news stories we read will not change.
[1] Based on 207 comments posted between 22 May and 21 June 2011.