The New Year Honours Data Breach: A Lesson in Document Management

We’ve all been there, haven’t we? We’ve all accidentally published online the addresses of hundreds of celebrities, government officials, charity workers, political luminaries and Olivia Newton-John. Or rather, we haven’t. Because that would be crazy.

But that’s exactly what seems to have happened earlier this year, when someone in a government department apparently (and presumably accidentally) published a spreadsheet with the addresses and other sensitive, personal details of the New Year Honours recipients on an HMG website.

Cock-up rather than conspiracy

Given how much attention cybersecurity has received in the last few years, with its emphasis on the risks of hacking and other malicious attacks, this breach looks like a particularly significant lapse.

It suggests that even the most basic procedures of data security are still not always being observed even in government departments. And if that’s the case for the body introducing and overseeing the data protection laws, what hope is there for everyone else?

We’ve noted before research that shows insider negligence is more than twice as likely to cause the compromise of insider accounts as any other culprit, including external attackers, malicious employees or contractors. In other research 62% of respondents claimed that their company routinely let them have access to data that they should not have been able to see.

Data breaches: the stakes are high

But with the advent of the GDPR legislation of recent years the stakes are higher than ever before. A data breach of personal information can result in the Information Commissioner’s Office (ICO) issuing a fine of up to 4% of a company’s annual global turnover or £17m, whichever is greater. And indeed, the first GDPR judgement of this nature has just been issued to a London-based pharmacy, Doorstep Dispensaree Ltd, which was fined £275,000 for careless storage of the medical data of 500,000 people.

So what’s wrong with existing document management systems?  

The fact is that for many businesses they don’t exist as coherent digital entities at all.

The New Year Honours debacle - when document management is not fit for purpose

Although an internal enquiry is underway to establish what happened, the New Year Honours data breach is a really intriguing story. If a document containing (by any standard) highly sensitive personal details can reach the point where it has been uploaded to a website content management system for general publication, it suggests that the general document storage, transfer and download tools being used by that government department, as well as the security processes and procedures governing them, are pretty basic and probably not fit for purpose. 

Fragmented approach raises risk

Regardless of the processes, procedures and training an organisation has in place to establish best practice, when it comes to the security of documentation, a fragmented digital storage solution and a set of inferior tools can easily lead to compromises in data security.  

It’s no wonder that data breaches are still happening when so many organisations still rely on a mixture of real-world paper filing, legacy databases, insecure shared drives and outmoded tech to function.

Should you really be faxing?

According to one piece of research by Egress, sensitive data is often being mishandled by companies who are distributing it in the most insecure way possible:

“The figures show that of the 4856 PDBs reported to the Information Commissioner’s Office (ICO) between 1st January and 20th June 2019, 60% were the result of human error.

Of those incidents, almost half (43%) were the result of incorrect disclosure, with 20% posting or faxing data to the incorrect recipient. Nearly a fifth (18%) were attributed to emailing information to incorrect recipients or failing to use Bcc, and 5% were caused by providing data in a response to a phishing attack.”

This list of transfer mechanisms - including email and (surprisingly) fax - suggests that many businesses simply don’t have better or quicker ways of working at their disposal.

A Document Management System you’ll want to use

But there are plenty of organisations where ‘Byzantine’ digital Document Management Systems are themselves the issue. Think about the systems that dominate larger corporations: many workers find themselves ‘stepping outside’ of those structures to speed up the rate at which they can share and collaborate on their documentation.

In these organisations, workers often try to circumvent their onerous requirements and end up compromising security as a result.  

One way to help improve document security in an organisation, then, is to make sure the digital document management system that’s put in place is easy to use. If a solution is intuitive and accessible, it will be adopted more willingly. If it’s confusing and opaque, users can get frustrated and may abandon it, reverting to old, insecure ways of working.

Any thoroughgoing approach to secure information management should include giving consideration to the tools you’re using every day to store, share or distribute data and documents across your organisation.  

And certainly, if your workers are being forced to use, or are opting to use, fax above other methods as they handle and share the sensitive data in their control, might we suggest it's time to consider updating your approach to document management as a whole?


Written by Joe Byrne

Joe Byrne is the CEO of Cognidox. With a career spanning medical device start-ups and fortune 500 companies, Joe has over 25 years of experience in the medical device and high-tech product development industries. With extensive experience in scaling businesses, process improvement, quality, medical devices and product development, Joe is a regular contributor to the Cognidox DMS Insights blog where he shares expertise on scaling and streamlining the entire product development cycle, empowering enterprises to achieve governance, compliance, and rigour.
