Following news that an increasing number of Scottish police officers are being investigated for breaching data protection laws while on duty, here are comments and thoughts from John Walker, Patrick Oliver Graf and Girish Bhat.
Professor John Walker FMFSoc FBCS FRSA CITP CISM CRISC ITPC
In this case, whilst the focus is clearly on Data Protection, we must also consider the fact of intentional disclosure, where corrupt Police Officers could be seeing the sensitive information they have privileged access to as something which may result in a form of remuneration – which of course goes well beyond accidental disclosure, and would constitute a much more serious offence.
Patrick Oliver Graf, General Manager, The Americas of NCP engineering
In light of the revelations over the past year about the amount of information governments are collecting on their citizens, the public should be concerned about how government organizations are collecting and securing their data and pressure their government to ensure the proper safeguards are in place. In every industry, employees are the most dangerous, and likely, source of data leakage and government organizations are no different.
The incident in Scotland shows that without the proper oversight, dozens of officers were able to improperly access and provide data to criminal groups. Government organizations need to make sure remote access systems are in place with strong access control mechanisms, to ensure that employees – officers, in this case – can access only the data they need according to their role and other attributes. Proper provisioning can protect an organization’s security and the data held within it from costly and embarrassing data leakage and breach scenarios.
Girish Bhat, Director of Product Marketing for Wave Systems
Training around these threats only goes so far; it does not eliminate the threat of advertent access of confidential information for distribution and monetary gain. From an information security perspective, in addition to training, an insider threat mitigation system that involves data protection, data classification, data leakage prevention, and identity management is mandatory.
Successfully protecting against insider threats is a matter of policy, employee awareness, and use of readily-available and enforceable controls. For example, a policy could limit access to confidential data during off-peak hours, or limit access through external devices/channels to track any flight of sensitive data. Real-time controls, daily audits, and reporting can also easily uncover potential breaches for investigation.