When confidential information is compromised, most government CIOs will have no chance to tell their bosses: “See, I told you so!”
The consequences of data loss are severe. For CIOs, an incident can sometimes cost them their career. The most recent case is that of Stephen Fletcher, the former Director of the Department of Technology Services for the Utah State government in the United States. He was fired just last week for a major health data breach that happened in March. The breach, said to be made possible by a number of factors including the default password not being changed and inappropriate encryption, exposed protected information of 780,000 individuals.
Another similar incident concerning government data loss was in 2007 when personal data on 25 million residents in the UK went missing while in transit by mail. This large-scale loss sparked the sudden resignation of the chairman of Her Majesty’s Revenue and Customs, the agency responsible for the data.
While such incidents could cause severe havoc in places like Hong Kong and Korea, a similar fate rarely befalls CIOs in many countries in the region, including Thailand. That does not mean, however, that we have infallible or even efficient information security practices.
The most recent cyber security incident in Thailand took place just two weeks ago, when the computerised system for operating the national census crashed. The incident disabled the issuance of national IDs, house registrations, birth and death registrations, and passports, affecting thousands of citizens nationwide who were waiting for the services.
The Department of Provincial Administration (DPA) attributed the malfunction to its ageing system, which had been in use for nine years. The procurement of new tools has been on hold for over two years, under consideration by the Office of the Attorney General, because of some perceived controversy over the purchase. The DPA could not find parts for maintenance, and simply maintained its ageing system until the crash.
“The DPA should regard the ageing problem as a possible threat, to better plan solutions, measure risk, avoid and prevent the same incident from happening, and be able to continue its business and services to citizens,” said Kumpol Sontanarat, CIO of the Securities and Exchange Commission, Thailand, and a committee member of the Electronic Transaction Commission of Thailand (ETC).
The public sector must be well aware that addressing security and data protection safeguards is imperative to earn public trust and confidence. However, its major challenge is not the lack of ‘ability’ to combat breaches or prevent threats. Most of the time, it is the problem of having an ‘opportunity’ to do so.
“Our main problem is basically how to make our management aware of this issue and this is very difficult,” added Sontanarat.
In the case of the DPA, Sontanarat revealed that the ETC has not yet received the security policy from the DPA: “We understand that it is in the process of clarifying whether the DPA or the Ministry of Interior should be in charge.”
Fletcher said the breach in Utah is also an example of a challenge that CIOs face: ask for security funding before anything has happened (and oftentimes get rejected), or wait until a breach happens (when it’s too late). Another factor to consider, Fletcher said, was that cyberattacks targeting Utah have spiked by 600 percent during the past four months, too short a time frame, especially during a legislative budget cycle, to pursue more funding that would be used to stave off the attacks.
“You need to have a major disaster before the government can take notice!” Laurence Millar, former GCIO of the New Zealand Government and our Editor-at-Large, revealed this absolute truth during our editorial meeting.
Millar’s comment finds agreement with Dr Chalee Vorakulpipat, acting Head of Research Group at the National Electronics and Computer Technology Centre and a member of the subcommittee on National Information Security of Thailand.
He admitted, “After the massive flooding (last year), many agencies have started to prepare a backup plan for protecting their data centre, and continuing their business and services during and after crisis.”
Also agreeing with Sontanarat, Dr Vorakulpipat accepted it is indeed very difficult to make civil servants initiate any action without encouragement from their bosses.
Learning from experience is effective, but some consequences are not worth the risk. Making non-IT executives understand a complex issue like information security is a hard job, but raising awareness of how important it is to your organisation is likely to be better received. Try the five simple questions recommended by Millar below:
If you answered “Yes” to all five questions - congratulations, you understand the importance of security to your job and your organisation. Now, ask your boss the same questions!
On a side note, Sontanarat and Dr Vorakulpipat will share their experience and vision in the panel discussion about information security at the coming FutureGov Forum Thailand 2012 next month.