Continuing losses of personal data point to need for cultural change

As Government unearths yet more losses of personal data, Darrel Ince, Professor of Computing at The Open University, says he believes that "the cases of data loss so far are really the tip of a large iceberg of systematic security failing which encompasses many organisations, not just central Government.

"While a very small proportion of information security breaches are malicious, the vast majority, more than 70% of all cases, are caused inadvertently by staff who have been encouraged to place their trust in secure technology rather than thinking more carefully about their own actions.

"A good comparison would be to look back to the introduction of seat belts in cars. Drivers drove more dangerously then as they felt more secure with the belts. Today, we recognise this logic as flawed and that people need to take responsibility for their own actions.

"Most major organisations in the public and private sector have appointed senior people, often IT specialists, to be responsible for information security. But experience at The Open University, which runs specialist courses in Information Security, suggests that many organisations could do a lot more to make employees aware of how they can play a role.

"The priority should be to cascade training on information security to many more people at every level of an organisation than is currently done. Information security is often seen as a specialist branch of management, but every manager should be an information security manager in relation to the work of their own department and team, and every employee should understand the importance of their own role in this process".

The Open University's course on Information Security Management places considerable emphasis on helping managers to better understand how training, job design, and the organisation of the work environment can contribute to helping employees be more alert to risks and vulnerabilities.

"By balancing technology management with people management, we help organisations to develop the capacity to meet the British and International Standard for information security management and reduce the risk of major breaches happening again", said Professor Ince.